Monthly Archives: October 2016

Toolsmith – GSE Edition: snapshot.ps1

I just spent a fair bit of time preparing to take the GIAC Security Expert exam as part of the requirement to recertify every four years. I first took the exam in 2012, and I will tell you, for me, one third of the curriculum is a "use it or lose it" scenario. The GSE exam covers GSEC, GCIH, and GCIA. As my daily duties have migrated over the years from analyst to leadership, I had to "relearn" my packet analysis fu. Thank goodness for the Packetrix VM and the SANS 503 exercises workbook; offsets, flags, and fragments, oh my! All went well, mission accomplished, I'm renewed through October 2020 and still GSE #52, but spending weeks with my nose in the 18 course books reminded me of some of the great tools described therein. As a result, this is the first of a series on some of those tools, their value, and use case scenarios.
I'll begin with snapshot.ps1. It's actually part of the download package for SEC505: Securing Windows and PowerShell Automation, but is discussed as part of the GCIH curriculum. In essence, snapshot.ps1 represents one script to encapsulate activities specific to the SANS Intrusion Discovery Cheat Sheet for Windows.
The script comes courtesy of Jason Fossen, the SEC505 author, and can be found in the Day 5-IPSec folder of the course download package. The script "dumps a vast amount of configuration data for the sake of auditing and forensics analysis" and allows you to "compare snapshot files created at different times to extract differences."
To use snapshot.ps1, place the script into a directory where it is safe to create a subdirectory: the script creates a directory named for the computer, then writes a variety of files containing system configuration data into it. Run snapshot.ps1 with administrative privileges.
The script runs on Windows 7, Server 2008, and newer Windows operating systems (I ran it on Windows 10 Redstone 2) and requires PowerShell 3.0 or later. You also need to have autorunsc.exe and sha256deep.exe in your PATH if you want to dump what programs are configured to startup automatically when your system boots and you login, as well as run SHA256 file hashes.
That said, if you must make the script run faster, and I mean A LOT FASTER, leave file hashing disabled at the end of snapshot.ps1 for a 90% reduction in run time.
However, Jason points out that file hashing is one of the most useful aspects of the script for identifying adversarial activity. He also points out that snapshot.ps1 is a starter script; you can and should add more commands. As an example, referring back to toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics, after importing PowerForensics you could add something like Get-ForensicTimeline | Sort-Object -Property Date | Where-Object { $_.Date -ge "12/30/2015" -and $_.Date -le "01/04/2016" } | WriteOut -FileName Timeline, which would give you a file system timeline between 12/30/2015 and 01/04/2016. But wait, there's more! Want to get autoruns without needing autorunsc.exe? Download @p0w3rsh3ll's AutoRuns module, run Import-Module AutoRuns.psm1, then Get-Command -Module AutoRuns to be sure the module is on board, and finally comment out autorunsc.exe -accepteula -a -c | Out-File -FilePath AutoRuns.csv and add Get-PSAutorun | WriteOut -FileName AutoRuns.
It's then as simple as running .\Snapshot.ps1 and watching your computer-named directory populate, 0V3RW4TCH-2016-10-31-9-7 in my case, per Figure 1.

Figure 1: Snapshot.ps1 run
Most result files are written in machine-readable XML, CSV, and TXT, as well as REG files generated by the registry exports via reg.exe.
A great example of a results file is the one spawned via dir -Path c:\ -Hidden -Recurse -ErrorAction SilentlyContinue | Select-Object FullName,Length,Mode,CreationTime,LastAccessTime,LastWriteTime | Export-Csv -Path FileSystem-Hidden-Files.csv. The resulting CSV is like a journey down evil memory lane, where all the nuggets I've tested in the past leave artifacts. This is EXACTLY what you would be looking for under real response scenarios, as seen in Figure 2.

Figure 2: Snapshot.ps1 grabs hidden files
Sure, there are bunches of related DFIR collection scripts, but I really like this one, and plan to tweak it further. Good work from Jason, and just one of many reasons to consider taking SEC505, or pursuing your GSE!
Cheers...until next time.

Dirty COW Notes

I am not used to writing about vulnerabilities, because there are too many vulnerabilities out there and writing about just one of them is not going to contribute to the security community at all. So why am I writing about Dirty COW? I am writing about it because, in my personal opinion, it is huge. When I say "huge" I don't mean it will be used to exploit the "entire world"; I mean it highlights two main issues:
  • Even patched code can easily hide the same vulnerability, just in a different way. How much patched code is not really "patched"?
  • A new pragmatic approach to identifying vulnerabilities: looking into patched code and checking the patch implementation.
But let's start from the beginning by taking a closer look at the exploit code.

Image: the exploit code (taken from its original source)

Like many other kernel vulnerabilities, it relies on concurrency: the exploit code starts two separate threads that access the same resource at the same time. Taking a closer look at the main function, you will see that the mmap syscall is used.

Calling the mmap function
From documentation:
creates a new mapping in the virtual address space of the calling process. The starting address for the new mapping is specified in addr. The length argument specifies the length of the mapping.

mmap does not create a memory copy; rather, it creates a new mapping of that (file descriptor) memory area. It means the process will read data directly from the original file rather than from a copy of it. While most of the parameters are obvious, the MAP_PRIVATE flag is the "core" of the vulnerability. It enables "copy on write" (hence the name COW), which copies the original data into a new memory area when the data is written to. Since mmap has just mapped a read-only area and the process wants to write data to it, mmap (MAP_PRIVATE) creates a copy of that data on write, and the modified data is not propagated to the original memory area.

Now the exploit runs two threads which exploit a race condition to get "write access" to the original memory area. The first thread repeatedly calls madvise (memory advise), which is used to improve process performance by tagging a memory area according to its usage: for example, the memory can be tagged as NORMAL, SEQUENTIAL, FREE or WILLNEED, and so on. In the exploit, the mmap memory is continuously tagged as DONTNEED, which basically means the memory is not going to be used in the near future, so the kernel can free its space and reload the content only when needed.

First Thread implementing madvise

Meanwhile, the other thread writes to the process's own memory space (by abusing the pseudo-file notation /proc/self/mem), directly at the mmap area that points to the opened file. Since we invoked mmap with the MAP_PRIVATE flag, we are not going to write to the specific memory but to a copy of it (copy on write).

Second Thread implementing write on pseudo self/mem

The race condition between those two threads tricks the copy-on-write into landing on the original memory area, since the copied area can be tagged as DONTNEED while the write procedure is not finished yet. And voilà, you are going to write to a read-only file!
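To make the two mechanisms above concrete, here is an added example that is not part of the original post and not the exploit code: a small C program that maps a throwaway read-only temp file with MAP_PRIVATE, writes through the mapping to show that the write lands in a private copy rather than in the file, calls madvise(MADV_DONTNEED) to show that the private copy is thrown away and the next read comes back from the file, and checks that a writable MAP_SHARED mapping of a read-only descriptor is refused. It does not implement the race and does not touch /proc/self/mem; the file path and contents are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample data. The demo modifies only a throwaway temp file,
 * so nothing on the system changes. */
static const char CONTENT[] = "original-file-content";
#define CONTENT_LEN (sizeof CONTENT)   /* includes the terminating NUL */

/* Creates a temp file holding CONTENT, then reopens it read-only, which is
 * the situation the post describes (a file the process may only read).
 * Returns the read-only fd, or -1 on error. */
static int open_sample_readonly(void) {
    char path[] = "/tmp/cow-demo-XXXXXX";
    int wfd = mkstemp(path);
    if (wfd < 0) return -1;
    int ok = write(wfd, CONTENT, CONTENT_LEN) == (ssize_t)CONTENT_LEN;
    close(wfd);
    int rfd = ok ? open(path, O_RDONLY) : -1;
    unlink(path);              /* the open fd keeps the inode alive until closed */
    return rfd;
}

/* Reads the first byte straight from the file, bypassing any mapping. */
static int first_byte_on_disk(int fd) {
    char c;
    return pread(fd, &c, 1, 0) == 1 ? c : -1;
}

/* 1 if writing through a MAP_PRIVATE mapping of a read-only fd is allowed
 * and lands in a private copy (file unchanged); 0 if not; -1 on error. */
int private_write_stays_private(void) {
    int fd = open_sample_readonly();
    if (fd < 0) return -1;
    char *map = mmap(NULL, CONTENT_LEN, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    map[0] = 'X';                      /* first write: the kernel copies the page */
    int result = map[0] == 'X' && first_byte_on_disk(fd) == 'o';
    munmap(map, CONTENT_LEN);
    close(fd);
    return result;
}

/* 1 if MADV_DONTNEED drops the private copy so the next access re-faults the
 * page from the file and the earlier write is gone; 0 if not; -1 on error.
 * This is the "reload the content only when needed" behaviour from the post. */
int dontneed_discards_private_copy(void) {
    int fd = open_sample_readonly();
    if (fd < 0) return -1;
    char *map = mmap(NULL, CONTENT_LEN, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    map[0] = 'X';                      /* private copy now holds 'X' */
    if (madvise(map, CONTENT_LEN, MADV_DONTNEED) != 0) {
        munmap(map, CONTENT_LEN); close(fd); return -1;
    }
    int result = map[0] == 'o' && first_byte_on_disk(fd) == 'o';
    munmap(map, CONTENT_LEN);
    close(fd);
    return result;
}

/* 1 if the kernel refuses a writable MAP_SHARED mapping of a read-only fd
 * (EACCES). Without the bug, a shared writable mapping is the only way a
 * mapping write can reach the file, and the permission check stops it. */
int shared_write_needs_writable_fd(void) {
    int fd = open_sample_readonly();
    if (fd < 0) return -1;
    char *map = mmap(NULL, CONTENT_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    int result = map == MAP_FAILED && errno == EACCES;
    if (map != MAP_FAILED) munmap(map, CONTENT_LEN);
    close(fd);
    return result;
}

int main(void) {
    printf("MAP_PRIVATE write stays in private copy:  %d\n", private_write_stays_private());
    printf("MADV_DONTNEED discards private copy:      %d\n", dontneed_discards_private_copy());
    printf("MAP_SHARED write on read-only fd refused: %d\n", shared_write_needs_writable_fd());
    return 0;
}
```

Each check prints 1 on Linux whether or not the kernel carries the fix, because these are the documented mmap and madvise semantics; what the patch removes is only the window in which a write in flight through get_user_pages can reach the file page after the private copy has been discarded.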

OK, now we have figured out how the trick works, but what is most interesting is the story behind it.

On the issue tracker, Linus Torvalds (maximum respect) wrote:

This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug"). In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly (and do it better). The s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement software dirty bits") which made it into v3.9. Earlier kernels will have to look at the page state itself. Also, the VM has become more scalable, and what used to be a purely theoretical race back then has become easier to trigger.
S390 is ancient IBM technology. I am not even sure it still exists in the real world (at least compared to recent systems). Probably the Linux community forgot about that revert; otherwise the fix would have been left in the recent memory managers.

Anyhow, the bug "has been fixed" by introducing a new internal flag called FOLL_COW (really!? :)) which basically says "yes, I already did the copy on write".
Basically, the process can write even through unwritable PTEs, but only after it has gone through a COW cycle and they are dirty. The diff patch follows:

Dirty COW patch, October 2016

The Dirty COW vulnerability put a new vulnerability-hunting process in my mind. On one hand, laboratories with extremely sophisticated, tuned and personalised fuzzers find new vulnerabilities the "industrial" way (corporate and/or governmental); on the other hand, professionals and security researchers follow the more romantic and crafty way of handiwork and smart choices. But another smart approach (industrial or romantic) could be to investigate the patched code itself.

Patched code is by definition where a bug or issue was located. The most difficult part of finding vulnerabilities (not exploiting them) is figuring out where they are in thousands of lines of code. So finding a vulnerability in patched code could be much quicker, even if with a high "hypothetical" complexity, since a patch is involved. But as this case testifies ... that is not always the case!

Major Call Center Scam Network Revealed – 56 Indicted

This week the US Attorney for the Southern District of Texas unsealed indictments against 56 individuals operating a conspiracy to commit wire fraud through a sophisticated scam involving five call centers in Ahmedabad, Gujarat, India.

The Call Centers -- HGlobal, Call Mantra, Worldwide Solutions, Sharma Business Process Outsourcing Services, and Zoriion Communications -- placed calls in four primary types of telefraud, and then laundered the money through a network of Domestic Managers, Runners, and Payment Processors in the United States.   The money was then moved via a Hawaladar, a person who runs an underground banking system, or an international money transfer service called a Hawala.  Hawala banking speeds the availability of international funds by operating on a trust system where the Hawaladar can incur or pay debts in one country for a large number of trusted parties from locally available funds on hand.

October 27, 2016 Press Release

Fraud types

IRS Scams: India-based call centers impersonated U.S. Internal Revenue Service officers and defrauded U.S. residents by misleading them into believing that they owed money to the IRS and would be arrested and fined if they did not pay their alleged back taxes immediately.

Law Enforcement Scams: India-based call centers also impersonated various law enforcement agencies, as with the IRS scams, threatening immediate arrest if the victim failed to comply with transferring funds.  (This blog has covered this scam before, including sharing a recording of one such call -- see: "Warrant for Your Arrest Phone Scams" from November 7, 2014.)

USCIS Scams: India-based call centers impersonated U.S. Citizen and Immigration Services (USCIS) officers and defrauded U.S. residents by misleading them into believing that they would be deported unless they paid a fine for alleged issues with their USCIS paperwork.

Payday Loan Scams: India-based call centers defrauded U.S. residents by misleading them into believing that the callers were loan officers and that the U.S. residents were eligible for a fictitious "payday loan".  They would then collect an upfront "worthiness fee" to demonstrate their ability to repay the loan.  The victims received nothing in return.

Government Grant Scams: India-based call centers defrauded U.S. residents by misleading them into believing that they were eligible for a fictitious government grant. Callers directed the U.S. residents to pay an upfront IRS tax or processing fee.  The victims received nothing in return.

Roles in the Operation

In the US, the primary parties were the Domestic Managers, the Runners, and the Payment Processors. A Domestic Manager directed the activities of the Runners and provided them with the resources they needed to do their work, including vehicles and credit cards to be used to pay business expenses. The Runners' job was to purchase temporary "GPR cards" (General Purpose Reloadable) and then send the information about these cards to the scammers who were working in the call centers in India. When they reached the "payout" portion of the scam, the funds would be transferred from the victim to the Runner's GPR card. The Runners would then retrieve the cash and send it further upstream, often via Western Union or Moneygram using false identification documents.

Data Brokers helped to generate "lead lists" for the Call Center Operators. (For example, one of the data brokers used by the call centers was working as an IT Consultant for a company in New York. Vishal Gounder would steal the PII from company databases and use the identities to activate the GPR cards.)

Payment Processors acted as the intermediary between the Runners and the Call Centers for exchanging funds, either through Hawaladars or via GPR cards and international wire transfers.

The Indicted

The largest number of arrested and indicted individuals came from the HGlobal Call Center. I've illustrated the information from the indictment below:
HGlobal: Runners in 8 states, including Alabama

The other Ahmedabad, Gujarat, India Call Centers and their indicted members


GreenDot Investigations

One of the ways the members of the conspiracy were tracked was through their reliance on certain GPR cards, including the GreenDot MoneyPak cards. When a GreenDot MoneyPak card is used, an identity and a telephone number have to be associated with the card. The call centers in India operate primarily by using "Magic Jack" devices to place unlimited international calls over Voice over IP (VoIP) lines, where they can choose the caller ID number that is displayed. GreenDot investigators found that more than 4,000 GreenDot cards had been registered to the same Magic Jack telephone number, (713) 370-3224, using the identity details of more than 1,200 different individuals!

That Magic Jack number was controlled by Hitesh Patel, the call center manager of HGlobal.

The criminals did a poor job back-stopping their fake identities. In this case, the Magic Jack was registered to the email "" which used as its recovery email, which lists the telephone number 9879090909, which Hitesh also used on his US Visa Application. The Magic Jack device had been purchased in Texas by Ashwin Kabaria, who used the email to send the news to that he was shipping him 20 Magic Jack devices via UPS. The same individual would ship more than 100 Magic Jack devices to other members of the conspiracy, including people in India and in Hoffman Estates, Illinois.

Another Magic Jack number, (630) 974-1367, was associated with 990 Green Dot GPR cards using 776 different stolen identities. (785) 340-9064 was associated with 4,163 Green Dot cards using 1,903 different stolen identities! That one was used by which was frequently checked from the same IP address that Magic Jack calls using this number were originating from.

Sunny Joshi ( was shown to have purchased $304,363.45 worth of GPR cards in a single month (October 2013!). Emails to and from Sunny often had spreadsheets documenting which transactions had been funded by which GPR cards. One spreadsheet showed $239,180.79 worth of transactions from 116 different cards!

Another investigative trick was to look for cards that were used in "geographically impossible" situations.  For example, on January 13, 2014 at 11:37 AM a conspirator used a card to buy gas in Racine, Wisconsin.  On the same day at 12:46 PM the same card was used to buy groceries in Las Vegas, Nevada.

At least 15,000 victims have been confirmed to have lost money to these scammers, and an additional 50,000 victims are known to have had their identity details in the possession of these scammers.

The Most Vulnerable Among Us

The most vulnerable victims seem to have been recent immigrants and the elderly: those who are accustomed, through habit or fear, to quickly obeying any order from authority, even when it seems unbelievable. There are several victims who were ordered repeatedly to purchase the largest possible Green Dot cards ($500 value) and to do so in batches over several days. One victim in 2013 purchased 86 cards worth $43,000 and transmitted the details to the scammers. These cards were accessed from the IP of the 703 Magic Jack phone and transferred by email to "".

One resident of Hayward, California was contacted repeatedly from January 9, 2014 through January 29, 2014 and extorted into purchasing 276 MoneyPaks worth $136,000 and transmitting the PIN numbers to the thieves.  She was frightened into believing she was speaking with the IRS and would be immediately arrested if she did not comply!

Recent immigrants are also especially vulnerable.  In one of the many examples from the indictment, Rushikesh B., a resident of Naperville, Illinois, was extorted for $14,400 by an individual claiming to be the Illinois State Police and threatening arrest if he did not immediately pay fines related to immigration violations.

Those who work with our elderly and with recent immigrant communities are strongly encouraged to remind them that NO LAW ENFORCEMENT OFFICIAL will EVER take payment for a fine via money transferred over the internet or email!  Nor will they ever require a GPR card to be used to pay such a fee!   

Anyone who hears of a friend, family member, co-worker who has been a victim of such a scam is strongly encouraged to file a report. 

For all IRS-related telephone scams, please help your colleague to report the scam by using the TIGTA website, "IRS Impersonation Scam Reporting" run by the Treasury Department's Inspector General for Tax Administration. 
The URL is:

For all other Telefraud scams involving government impersonation, this FTC website may be used:  

Email Traffic a key to the Case

The indictment goes on for 81 pages listing incident after incident, including many email accounts used by the criminals.  Some of the criminals made accounts for money movement, such as money.pak2012@gmail, payment8226@gmail, but others used their "primary emails" like Cyril Jhon who used the email cyrilhm2426@gmail for his conspiracy traffic. Saurin Rathod used the email saurin2407@gmail, while Hardik Patel used hardik.323@gmail!  One of the payment processors, Rajkamal Sharma, sent over 1,000 emails to conspirators with directions about where to deposit various funds. Almost 50 pages of the 81 page indictment are walking through the evidence uncovered by email analysis!

The full indictment is a fascinating read ... you can find a copy here:

The indicted:
Hitesh Madhubhai Patel
Hardik Arvindbhai Patel
Janak Gangaram Sharma
Tilak Sanjaybhai Joshi
Saurin Jayeshkumar Rathod
Tarang Ranchhodbhai Patel
Kushal Nikhilbhai Shah
Karan Janakbhai Thakkar
Manish Balkrishna Bharaj
Rajpal Vastupal Shah
Sagar Thakar (aka Shaggy, Shahagir Thakkar)
Cyril Jhon Daniel
Jatin Vijaybhai Solanki
Jerry Norris (aka James Norris, IV)
Nisarg Patel
Miteshkumar Patel
Rajubhai Bholabhai Patel
Ashvinbhai Chaudhari
Fahad Ali
Jagdishkumar Chaudhari (Jagdish)
Bharatkumar Patel (Bharat)
Asmitaben Patel
Vijaykumar Patel
Montu Barot (Monty Barot)
Praful Patel
Ashwinbhai Kabaria
Dilipkumar Ramanlal Patel
Nilam Parikh
Dilipkumar Ambal Patel (Don Patel)
Viraj Patel
Abshishek Rajdev Trivedi
Samarth Kamleshbhai Patel
Harsh Patel
Aalamkhan Sikanderkhan Pathan
Jaykumar Rajanikant Joshi
Anjanee Pradeepkumar Sheth
Kunal Chatrabhuj Nagrani
Subish Surenran Ezhava (aka Chris Woods)
Sunny Tarunkumar Sureja (aka Khavya Sureja)
Sunny Joshi (aka Sharad Ishwarial Joshi, Sunny Mahashanker Joshi)
Rajesh Bhatt (aka Manoj Joshi, Mike Joshi)
Nilesh Pandya
Tarun Deepakbhai Sadhu
Vishalkumar Ravi Gounder (Vishal Gounder)
Bhavesh Patel
Raman Patel
Rajesh Kumar Un
Aniruddh Rajeshkumar Chauhan
Rahul Tilak Vijay Dogra
Vicky Rajkamal Bhardwaj
Clintwin Jacob Chrisstian
Aneesh Antony Padipurikal (Aneesh Anthony)
Jatankumar Kareshkumar Oza (aka Jatan Oza)
Rajkamal Omprakash Sharma
Vineet Dharmendra Vasishtha (aka Vineet Sharma, Vineet Vashistha)
Gopal Venkatesan Pillai

Wrong About Presentations

But first: this series is a bit off-the-cuff and lacking in polish, but I’ve been meaning to do it for ages and if I wait, well, this blog continues to look abandoned. So please forgive the rambling and read on.

Today let’s start talking about presentations.

I have heard and read that they are all too long, except the ones that are too short.  That talks are simultaneously too technical and too high-level.  Oh, and all panels suck.  Ted-style talks are the best, except that they are hollow, empty, and don’t work for highly technical content.  And you should never let vendors speak because we’re all just sales weasels, except for the events where only “sponsors” get to speak.

Let me once again venture into crazy talk: it really depends on who you are and what you want.  I don’t like vendor sales pitches, but apparently some folks find them a good use of their time.  I’d rather avoid those kind of talks, but that’s me (and probably you, too, but whatever).  If sales presentations are a good use of your time, that’s OK with me.  I do hope you do some homework before whipping out the old purchase orders, though.

I will say that a lot of presentations I’ve seen could have been delivered better in a shorter timeframe, but that’s as much on the events as the speakers. If the only choice is an hour slot, people do an hour talk. I do think the quality of things like Shmoocon Firetalks is in part because people often pare down what they planned to be a longer talk, leaving only the key points, and deliver them in a short time. Scheduling talks of different lengths does pose real logistical challenges for conference organizers, but I think it would be good to make it easy for people to do shorter talks. Of course, speaker ego can be an issue; we need to make it clear that the quality of the talk is not tied to the length of the talk. I also think that shorter talks make it easier to get new things in front of an audience.

Presentation style, there’s a topic sure to inflame absolutists.  The style has to match the speaker and the topic.  You will never do a good Ted-style talk that walks through the code of your new project or steps through disassembly of malware.  Conversely, a code walk isn’t the way to explain big picture issues.  Lately my presentations weave the ideas and information together via storytelling, in a style that sometimes borders on stand-up comedy.  And it works for me and the less technical topics I’ve covered in the past few years, but it certainly won’t work for everyone or every topic.  I know there are disciples of some books and styles such as Presentation Zen and Slide:ology, I think they are great resources but as always there is no One True Way.  Do what works for your audience and for you.

As far as panels, many are indeed a lazy attempt at getting on the schedule; they’re frequently poorly moderated and wander off topic into incoherent ramblings. It is also true that well-run panels can showcase a diverse set of opinions and experiences and add nuance to complicated topics. Panels do not suck, bad panels suck.

And no, this series isn’t over, I’m just getting warmed up.



ART – Panda’s Intelligent Control Platform


In the complex world of IT security, real-time information is fundamental to protect corporate data and resources. Most enterprises are aware that if they do not have complete visibility of their network, it is easy to fall victim to cyber-attacks.

Although a large focus has been placed on external threats such as Ransomware, businesses are also at risk from internal threats.

Employees have access to immense amounts of company data daily, and often organisations are not able to track what employees are accessing and what they are doing with company data. Without proper security in place, employees can be the organisation’s biggest threat, as was the case with the now infamous Edward Snowden and Bradley Manning. Snowden stole and published classified NSA documents, and Manning, formerly a US Army soldier, disclosed confidential military and diplomatic documents to WikiLeaks.
Organisations need to be aware of, and manage, such internal threats, in addition to the ever-present external threats such as ransomware and APTs.

Managing the actions of all employees is a mammoth task whether the organisation has 10 or 10 000 employees. Businesses need to leverage new technology to reduce this burden, technology such as Panda Security’s new Advanced Reporting Tool. This efficient and easy-to-use tool analyses data to gain insight into corporate resource usage in order to make informed strategic decisions.


ART automatically generates security intelligence, allowing businesses to take control of all their endpoints and combat poor internal practices.

Advanced Reporting Tool (ART) is an add-on for Panda’s Endpoint Detection and Response solution, Adaptive Defense, and enables information about all the processes running, gathered by Adaptive Defense, to be extracted, stored and correlated by ART. The platform automatically generates security intelligence and allows users to identify risky behaviours or problems – ultimately exposing any misuse of the corporate network or resources.

In short, ART allows IT administrators to:

  • Search relevant information. Increasing efficiencies by enabling IT staff to find any problem areas.
  • Pinpoint problems by extracting behaviour patterns from resources and users, as well as identifying its impact on the business.
  • Real-time alerts about any possible data breaches.
  • Generate configurable reports showing the status of key security indicators and how they are evolving.

Advanced Reporting Tool – a real-time diagnosis tool that enables full visibility of the network.

In addition to the existing Big Data Cloud Service and its real-time alerts, ART includes predefined and adaptable analysis with four different action areas:

  • Information about IT security incidents. ART generates security intelligence then processes and associates those events as intrusion attempts.
  • Controls network applications and resources.
  • Controls access to business data.
  • Displays file access with confidential information and its online traffic.


The SIEMFeeder platform enables businesses to take advantage of Big Data and maximise resources.

Many organisations are taking further steps to ensure they are protected from threats by implementing a SIEM solution. As an alternative or complement to the Advanced Reporting Tool, Panda Security has developed SIEMFeeder, an add-on that enables communication between Adaptive Defense and users’ existing SIEM tool.

SIEMFeeder provides relevant data, amplifies information and associates it with the information you already have, enabling detection of risk areas before they become the biggest threat to your business.


Cutting through the Dyn

Last Friday (21 Oct), one of the largest DDoS attacks ever seen, created widespread internet outage affecting services from Twitter, AWS, Reddit, Netflix, Spotify, CNN, Paypal, NY Times, WSJ, and others. The attack was directed at Dyn, a domain name service provider, whose servers interpret internet addresses, directing web traffic to the affected companies. Dyn …

Yevgeniy Nikulin hacked LinkedIn and Formspring via Employee VPN

From the indictment against Yevgeniy Nikulin

On October 20, 2016, Radio Free Europe/Radio Liberty announced that they had identified the Russian hacker who was arrested in Prague. They were the first to announce the identity of Yevgeniy Nikulin, providing a link to his arrest video:

Nikulin's arrest video

VPN Hacking?

Two points in the Indictment's "Background" section. One says "LinkedIn employees were assigned individual credentials by which they could remotely access the LinkedIn Corporate network. An individual with the initials N.B. worked for LinkedIn at its Mountain View, California headquarters."

... and a couple of paragraphs later ...

Formspring employees were assigned individual credentials by which they could remotely access the Formspring corporate network.  An individual with the initials J.S. worked for Formspring in its San Francisco, California, headquarters.

The hack of LinkedIn, according to the Indictment, occurred on March 3-4, 2012, during which Yevgeniy "did knowingly possess and use, without lawful authority, a means of identification of another person, that is, the user name and password assigned to LinkedIn employee N.B., during and in relation to violations of Title 18, USC, Section 1030."

Dropbox was hacked between May 14, 2012 and July 25, 2012, although no mention is made of the technique.  (Motherboard indicates that more than 68 million passwords were stolen in this breach.)

The hack of Formspring was between June 13, 2012 and June 29, 2012, during which the defendant "did knowingly possess and use, without lawful authority, a means of identification of another person, that is, the user name and password assigned to Formspring employee J.S., during and in relation to violations of Title 18, USC, Section 1030."

BitCoin Theft by ChinaBig01

After the indictment was released, as several other users have done (such as @TalBeerySec of Microsoft Research), we found the allegations that Yevgeniy was involved in other types of crimes, including breaking into the MySQL database of a BitCoin "Hedge Fund".

The operator of that site sent this claim to the users:


I wanted to share a very bad news with you. Yesterday, in the middle of the night, someone hacked in to Bitmarket database and managed to modify his account. Then, he withdrew ~610 BTC from the site. He left about 100 BTC in the wallets.

Right now I'm investigating what happened. It seems that he managed to somehow find my administration console for the database, which wasn't under any guessable name. This console was password protected (a very long, random password) but he still managed to overcome this somehow. I'm still investigating how this could happen. Right now I've removed this console entirely to prevent any further damage, but I'm devastated :(. I wrote a message to the email he registered with ( literally begging him to return the stolen BTC. If he has any conscience, maybe he'll give it back. But at the moment we are 600 BTC short, and if this sees the light of day (i.e. people want to withdraw more than 92 BTC that's currently in the wallets), we're totally screwed.

I know it's much to ask, but do you have any Bitcoins available right now to fill this gap temporarily? There is a small chance that the thief will give this back, but until then… I really don't know what to do now. I didn't have the luxury to screw up again, and when things started to go on the right track, this happens. All this makes me want to kill myself. My hands are shaking right now. I won't do this, because I have people to repay. I hope this turns out good… Sorry, I don't have any other idea right now, I just wanted to be 100% honest with you and inform you on this as soon as I saw what happened.

The author claims that 620 BTC were stolen. He later offers this link to the alleged purse, controlled by "" according to him. You can see the 620 BTC as 1, then 9, then 55.456, then 554.54 being deposited and then removed from this bitcoin address:

Social Engineering Methods for Penetration Testing

Social engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities. It is an art of deception that is considered to be vital for a penetration tester when there is a lack of information about the target that can be exploited.

Five Ways That Good Guys Share More Than Bad Guys

It takes a lot for me to write a cybersecurity blog post these days. I spend most of my writing time working on my PhD. Articles like Nothing Brings Banks Together Like A Good Hack drive me up the wall, however, and a Tweet rant is insufficient. What fired me up, you might ask? Please read the following excerpt:

[Troels] Oerting, with no small dose of grudging admiration, says his adversaries excel at something that can’t be addressed with deep pockets or killer software: They’re superb networkers. “The organized crime groups in cyber are sharing much better than we are at the moment,” says Oerting, a Dane with a square jaw and the watchful eyes of a cop who’s investigated the underworld for 35 years. “They are sharing methodologies, knowledge, tools, practices—what works and what doesn’t.”

Statements like these are regularly submitted without evidence. In response, I provide five sources of evidence why organized crime groups do not share more than defenders.

1. Solution providers share. Both commercial and not-for-profit solution providers share enormous amounts of information on the security landscape. Some of it is free, and some of it is sold as products or consulting. Thousands of security companies and not-for-profit providers compete for your attention, producing white papers, Webinars, and other resources. You might argue that all of them claim to be the answer to your problem. However, this situation is infinitely better than the 1980s and early 1990s. Back then, hardly any solutions, or even security companies and organizations, existed at all.

Criminal solution providers share, but they do so by selling their wares. This is true for the open world as well, but the volume of the open world is orders of magnitude greater.

2. Government agencies share. My fellow Americans, has your organization been visited by the FBI? Federal agents notified more than 3,000 U.S. companies [in 2013] that their computer systems had been hacked. The agents didn't just walk in, drop a letter, and leave. If a relationship did not exist previously, it will now be developed.

Beyond third party breach notifications, agencies such as NIST, DHS, and others regularly share information with organizations. They may not share as much as we would like, but again, historical perspective reveals great progress.

3. Books, articles, and social media share. The amount of readable material on security is astounding. Again, in the late 1980s and early 1990s hardly any books or articles were available. Now, thousands of resources exist, with new material from publishers like No Starch arriving monthly. Where are the books written by the underground?

4. Security conferences share. You could spend every week of the year at a security conference. If you happen to miss a talk, it's likely the incomparable Iron Geek recorded it. Does the underground offer similar opportunities?

5. Private groups and limited information exchange groups share. A final category of defender sharing takes place in more controlled settings. These involve well-established Information Sharing and Analysis Centers (ISACs), developing Information Sharing and Analysis Organizations (ISAOs), and private mailing lists and forums with limited membership. These could possibly be the closest analogue to the much-esteemed underground. Even if you disregard points 1-4 above, the quality of information shared in this final category absolutely equals, if not exceeds, anything you would find in the criminal world.

If you disagree with this analysis, and continue to lament that bad guys share more than the good guys, what evidence can you provide?

Improved Efficiency and Centralised Management with new Systems Management


In today’s digital world internet connected devices have become a part of every aspect of our lives, and as this digital transformation continues, it is imperative that businesses understand the complexities that come with it.

To address this situation, Panda Security presents our latest version of Systems Management – the most powerful, scalable and easy-to-use Remote Monitoring and Management (RMM) tool on the market.

The Challenge

Digital transformation brings with it a number of new challenges that business leaders must consider. Adding to the already complex IT environment, some of the challenges businesses face include: the ever-increasing number of devices connected to the organisation's network, the growing number of remote users, and the need to fix problems with greater flexibility.

The growing number of devices used every day in the workplace brings with it the threat of new incidents that disrupt work. Consequently, as these inefficiencies multiply, they add to the IT department’s workload, and affect business management, often resulting in security being overlooked.

The Solution – Greater Automation and Maximum Performance

Systems Management remotely monitors and manages devices from the Cloud so that every IT department can offer a professional service that minimises impact on daily work.

What's New

The new version of Systems Management gives you maximum performance out-of-the-box. To increase efficiency and grow business for our clients and partners, Systems Management facilitates five pillars.

  • Asset Inventory
  • Device Monitoring
  • Remote Device Management
  • Resolution Tool Support
  • Generated Reports

This version comes with significant new and updated features in response to customer feedback, highlights include:

  • Recommended monitoring policies based on the best practices of clients.
  • New filters to improve management systems – instant visualisation of the network so you can see what you need.
  • New reports for server performance, CPU, memory, and disc performance for the last 30 days, including general averages.
  • Integrates with Microsoft Hyper-V and the new hardware monitors added for VMware ESXi.
  • New maintenance windows: alerts can now be programmed and silenced.

This new update makes Systems Management a powerful, highly scalable, easy-to-use administration tool that will save users time and money.


Relevant to my rants

Before I resume my rambling on conferences and presentations, here’s a great article I came across via Tales of the Cocktail, a site you would expect me to link to from my, ahem, travel blog.

This article is specifically about submitting a cocktail seminar to Tales of the Cocktail, but several points in the list of seventeen items apply to a wide variety of events, regardless of topic or venue.

Also, it has been said many times by many people and in many ways: one of the best tips for getting your proposal accepted at any event is to follow the rules. Really, read the rules/guidelines for submission, and follow them. Also, submit early. Most event reviewers are volunteers and do it in their spare time, something which gets scarce when the deadline approaches. Submit early and you're more likely to get non-bloodshot eyes looking at your paper.



Catching IRS fraudsters proves the scale and profitability of impersonation cons

Fraudsters who posed as IRS officials threatened hardworking Americans with imprisonment for the crime of tax default. Their modus operandi was simple: question victims about defaulting on their tax payments; threaten legal action, arrest, deportation or suspension of business rights; and finally offer an easy way out – a chance to close the case without prosecution for a one-time deposit into a bank account, or alternatively obtain the victim's bank account details, which were then wiped clean.

Incredible as it may seem, the con was so successful that the kingpin lived a life of 5-star luxury, with fancy cars and hotel stays. In a short span of two years he amassed significant wealth and employed over 700 people in several call centers across India and the US. Most of these call centers were owned by trusted associates and employed high school graduates or dropouts who were lured with high pay and luxurious lifestyles.

Income earned in dollars was converted into Indian rupees using illegal money laundering channels called Hawala. All employees were paid in cash. Call center executives were offered incentives based on the income they generated from these frauds, and the ones that performed were even offered a chance to work directly with the kingpin in his home city of Ahmedabad, Gujarat, while being put up in 3- and 4-star hotels.

Fortunately, India takes these crimes seriously. Once the frauds were reported, Mumbai police detectives went incognito over a period of 15 days and surveyed these call centers before busting them and arresting over 50 people. All those arrested will be tried under the Indian IT Act and Penal Code.

There are, however, several countries that do not take action on these crimes because the victims are not citizens of those countries.

Cybercitizens are advised to be wary of calls which ask for personal information and money in some form or the other.

Ten Years of Cybercrime & Doing Time

On October 10, 2006 while I was sitting in my office at Energen I decided to start a blog.  I had been an InfraGard member for five years at that time, and was realizing based on the feedback I was getting from other InfraGard members around the country that while many people knew about Cyber Security, very few knew about CyberCrime.  I was working on a daily basis with the FBI Cybercrime Squad in Birmingham, so I had a fairly good view on the topic, so I decided to try to share what I knew by starting this blog.  One year later I had taken things to a whole new level by quitting my job at the Oil & Gas company and moving to the University of Alabama at Birmingham to dedicate the next decade to training new cybercrime fighters!

While the blog has seen ups and downs in the regularity of the posts, even being named "Most Popular Security Blog" by SC Magazine back in 2010, overall we've averaged one post per week and have been visited by nearly 3 million readers.

As I tried to decide how to mark the 10th Anniversary of the blog, I thought one way to do it would be to share what has been our most popular stories each year.

One of the strengths of the blog has always been to document "big campaigns" that are attacking people and try to help them understand the nature of the scam so that they could avoid being a victim themselves.  The three most popular stories on the blog have all been of that nature:

1. "More ACH Spam from NACHA" (March 11, 2011) and "ACH Transaction Rejected payments lead to Zeus" (Feb 25, 2011) were both of that type. Even years later, spikes in visitors to these stories were an indication that someone was imitating NACHA again. In these spam campaigns, the spammers would claim to be sending email from the "National Automated Clearing House Association", the organization that handles all electronic payments between American banks. We later came to call this type of campaign "Soft-Targeting": most Americans have never heard of NACHA, but those who are involved in regularly moving money most certainly would have -- making them also the most likely to fall victim to such a spam message. The first entry in this series, "Newest Zeus = NACHA: The Electronic Payments Association" (November 12, 2009), was also very popular.

2. Coming much later, November 7, 2014, was "Warrant for your Arrest phone scams." It was great to see the heavy traffic to that blog post and receive the emails letting me know that someone had just "proven" to them that they were about to be scammed by sending them a link to the article!

3. During 2014 one of the largest spamming botnets was the ASProx botnet. This malware blasted out high volume spam campaigns that used a variety of social engineering ploys to make their campaigns convincing, leading to huge victimization rates. The most popular, based on hits to the blog, was the E-Z Pass Spam. "E-Z Pass Spam Leads to Location Aware Malware" (July 8, 2014) had tens of thousands of visitors. A close second, also ASProx, was "Urgent Court Notice from GreenWinick Lawyers delivers malware." ASProx had been dominant since the holiday season in 2013, when "package delivery failure" messages really hit a profound number of victims. (See for example "Holiday Delivery Failures Deliver Kuluoz Malware" (December 26, 2013).)

Rather than go through the top campaigns in order, I thought it might be more interesting to see the most popular posts for each of our ten years as a blog.

Top Cybercrime & Doing Time Blog Posts of 2016
  • Vovnenko / Fly / MUXACC1 pleads guilty (24JAN2016)
  • Kelihos botnet delivering Dutch WildFire Ransomware (09JUL2016)
  • Is the Bank of Bangladesh ready for the Global Economy? (23APR2016)
  • Unlimited ATM Mastermind Ercan Findikoglu pleads guilty (06MAR2016)

In 2016, two of our four top stories were about arrests of top cybercriminals, which is a trend that I love to say is growing and rising as we see a higher level of cooperation internationally, and a growing ability among our Law Enforcement partners. One of the highest volume spam botnets, Kelihos, is regularly in our blogs and is quite popular with the readers, indicating how often they also see the spam. The Bank of Bangladesh SWIFT theft was also a high interest story!

Top Cybercrime & Doing Time Blog Posts of 2015
  • Tech Support "pop-ups" (30MAR2015)
  • Hillary's Email Server and the New York City malware (03OCT2015)
  • Passwords, Password Cracking, and Pass Phrases (29OCT2015)
  • Darkode guilty pleas: Phastman, Loki, & Strife (24AUG2015)

In 2015, the Darkode forum was a top story for us. Readers responded well to the Tech Support "pop-up" scams, indicating that they were also seeing it quite a bit! Hillary's email server gave us a chance to show the value of a long-term spam repository. And the story on password cracking seems to be regularly accessed from people teaching others about strong passwords.

Top Cybercrime & Doing Time Blog Posts of 2014
  • Warrant for Your Arrest phone scams (07NOV2014)
  • E-ZPass Spam leads to Location Aware Malware (08JUL2014)
  • Urgent Court Notice from GreenWinick Lawyers delivers malware (13JUL2014)
  • GameOver Zeus now uses Encryption to bypass Perimeter Security (02FEB2014)

The phone scams claiming that a warrant has been issued for your arrest have been popular on a daily basis for most of the two years since this story was first released. EZ Pass and Urgent Court Notice spoke to the popularity of the ASProx botnet. Gameover Zeus was also quite interesting as it changed the way spam-delivered malware defeated perimeter security.

Top Cybercrime & Doing Time Blog Posts of 2013
  • Holiday Delivery Failures lead to Kuluoz malware (26DEC2013)
  • Vietnamese Carders arrested in case (05JUN2013)
  • When Parked Domains Still Infect - and ZeroPark (10AUG2013)
  • New Spam Attack accounts for 62% of our spam! (10APR2013)

Kuluoz, later called ASProx, had its first big Christmas in 2013. One of the first arrests of Vietnamese hackers spoke to international cooperation.

Top Cybercrime & Doing Time Blog Posts of 2012
  • Operation Open Market: The Vendors (25MAR2012)
  • Paypal "You Just Sent a Payment" spam leads to malware (01MAY2012)
  • DNS Changer: Countdown clock reset, but still ticking (28MAR2012)
  • Operation Open Market: Jonathan Vergnetti (17MAR2012)

In 2012, the DNS Changer malware was on everyone's minds (we later blogged about the successful prosecution of the leaders of that campaign, all now in prison in New York.) Operation Open Market was the big Forum take-down that year.

Top Cybercrime & Doing Time Blog Posts of 2011
  • More ACH Spam from NACHA (11MAR2011)
  • ACH Transaction Rejected payments lead to Zeus (25FEB2011)
  • Federal Reserve Spam (14MAR2011)
  • The Epsilon Phishing Model (08APR2011)

I've already mentioned the ACH/NACHA spam campaigns that delivered Zeus. The Epsilon Phishing model focused on hacking email delivery services and using validated accounts to deliver phishing and malware. (This is the group that Neil Schwartzman of CAUCE labeled "The Adobers" for the many times their malware claimed to be Adobe software.)

Top Cybercrime & Doing Time Blog Posts of 2010
  • New York FBI: 17 Wanted Zeus Criminals (30SEP2010)
  • PakBugs Hackers arrested (12JUL2010)
  • Lin Mun Poo: Hacker of the Federal Reserve and ...? (20NOV2010)
  • Iranian Cyber Army returns - target: Baidu.com (12JAN2010)

The Iranian Cyber Army, and a variety of international cyber criminals captured the headlines in 2010.

Top Cybercrime & Doing Time Blog Posts of 2009
  • Newest Zeus = NACHA: The Electronic Payments Association (12NOV2009)
  • The FBI's Biggest Domestic Phishing Bust Ever (08OCT2009)
  • Who is the "Iranian Cyber Army"? Twitter DNS Redirect (18DEC2009)
  • Traveler Scams: Email Phishers Newest Scam (09FEB2009)

Our 2009 "Traveler Scams" post was for years the most successful post on the blog, as many people shared the post with their friends to warn about the scam. NACHA was just becoming the leading scam-victim related to Zeus, and the FBI celebrated a huge phishing victory!

Top Cybercrime & Doing Time Blog Posts of 2008
  • The UAB Spam Data Mine: Looking at Malware Sites (09AUG2008)
  • Anti-Virus Products Still Fail on Fresh Viruses (12AUG2008)
  • ICE: Operation Predator - Solving Intertwined Child Porn cases (05NOV2008)
  • Bank of America Demo Account - DO NOT CLICK (26NOV2008)

In 2008, we were just getting seriously up to speed with the UAB Spam Data Mine, and found many interesting malware campaigns using these techniques, which eventually led to the creation of Malcovery Security, later acquired by PhishMe.

Top Cybercrime & Doing Time Blog Posts of 2007
  • Is Your Fifth Grader Smarter Than a Laughing Cat? (15OCT2007)
  • Google Referrer Only malware sites (13DEC2007)
  • AffPower Indictments Scare Affiliates! (06AUG2007)
  • TJX: From Florida to the Ukraine? (04SEP2007)

In 2007, the Storm Worm was one of the top spreaders of malware. The Laughing Cat story pointed out that if you share your computer with younger family members, they may very well click on lures that any educated adult would reject. The AffPower case remains one of my favorite law enforcement actions against online pharmaceutical affiliate programs. The TJX story tracked some of the carders involved in the TJX data breach.

Top Cybercrime & Doing Time Blog Posts of 2006
  • Pump & Dump: SEC gives us a peek! (21DEC2006)
  • Counterfeit Checks? Who cares! (12OCT2006)
  • Birmingham InfraGard - October 2006 (10OCT2006)

In 2006, our inaugural year, we didn't have a lot of stories, honestly. Pump & Dump spam was interesting that year, and we blogged about some of the holiday scams we were seeing.

Unfortunately, several of the graphics in the older stories are unavailable due to changes in hosting. Hopefully we'll get those recovered eventually. Sorry for any loss of enjoyment that may cause while strolling down Cybercrime Memory Lane with me!

Looking forward to another Ten Years informing the public about Cybercrime & Doing Time!

Thanks to all of my friends and students who encouraged this blog along the way, and helped through their dedication to fighting Cybercrime and sharing in the analysis we did together. While there have been tons of great contributors in the lab, with regards to things that ended up in the blog I'd like to especially thank: Heather McCalley, Matthew Grant, Chun Wei, Brad Wardman, Brian Tanner, Tommy Stallings, Sarah Turner, Josh Larkins, Jui Sonwalker, JohnHenri Ewerth, Brendan Griffin, and Kyle Jones.

Thanks also to my inspirations in blogging, Brian Krebs, and Graham Cluley. This amateur blogger is truly grateful for what you guys do and share!

Siri Lock Screen Bypass in news your non security friends read

This morning I read an article on Good HouseKeeping (don’t make fun, it was a link on one of the news links that get pushed in your face on my start page.  I think it was Bing. I hate the news links but like the pictures).  It’s interesting to see what security items make it into websites for ‘normal’ people.

The scare headline read “A New iPhone Hack Lets Anyone Use Your Phone”.  It reports that Siri by default allows some actions even when the phone is locked.    Pranksters can use Siri to send texts to contacts, make calls, and update Facebook.

In the past, full access to the device has been achieved through this type of Siri access. This is one argument for disabling Siri at the lock screen (Settings -> Siri -> Allow Access on Lock Screen (off)). While you lose some functionality, you are no longer susceptible to practical jokers or people with more nefarious intent.

I’m not aware of a Mobile Device Management platform that can disable this setting.  If you’re managing an enterprise environment where the MDM platform cannot enforce this setting all you can do is educate, instruct, and require.  (Where I work, I had to sign a form confirming I’d disabled this setting).


The post Siri Lock Screen Bypass in news your non security friends read appeared first on Roger's Information Security Blog.

, Human Trafficking, and Free Speech

Charges Against Backpage

Earlier this week the states of Texas and California worked together to have the CEO of arrested. The charges were brought in California, who issued the arrest warrant for CEO Carl Ferrer, who was then arrested in Texas. The cause of the arrest was that by running a website that profited heavily from the sale of sexual services, through the "escort" section of his website, Backpage was profiting from prostitution and human trafficking. 

The Dallas AG's press conference regarding the arrest is here:

Dallas was a good venue, because the company's headquarters are actually in Dallas, Texas.  The CEO was arrested at the airport as he returned from an international trip.

Kamala Harris, the California Attorney General, shares her announcement here:

California brought the charges primarily because made more money on their escort services from selling women and children in California than in other states.  In addition to charging CEO Carl Ferrer, California brings charges against controlling stock-holders, Michael Lacey and James Larkin.  Ferrer, Lacey, and Larkin are charged with operating a "Pimping Conspiracy" from 2010 through 2016.   Among the specific charges brought in the 9 page Criminal Complaint against are that although most sections of are free -- there is no charge to post an advertisement there -- the Escort service DOES charge to place ads, and in California, these ads generate more than $2 Million PER MONTH in profits just in the state of California.  Yes, ALMOST ALL of the revenue for is generated by its ads for escort services!

Furthering the conspiracy, however, is the fact that the same trio also operate other prostitution-oriented websites,, an "escort directory service" and, an app for android and iPhone that provides profiles of those listed on EvilEmpire. (EvilEmpire currently has 1300 profiles claiming to be in Birmingham, Alabama!)   

The California charges then go on to include several violations of California Penal Code section 266h(b)(2), Pimping a Minor Under 16 Years of Age, and several additional violations of 266h(b)(2)/664, "Attempted" Pimping of a Minor Under 16.

Backpage and Law Enforcement

I've met the Backpage lawyer featured in this Anderson Cooper video. She used to defend CraigsLists adult services. She was at a law enforcement conference I attended in Singapore, and she said she was there to try to build law enforcement contacts because they wanted to be "the best ally possible" for law enforcement:

In 2011, Backpage received a letter signed by 46 Attorneys General asking Backpage to clarify 20 points of contention with regards to its advertising, monitoring of, and profiting from, the advertisement of prostitution.

The letter also mentions that CEO Carl Ferrer told Washington's Attorney General that at that time they were removing around 400 advertisements per month on suspicion that they involved underage minors.

Backpage and Freedom of Speech

The website has already been hit with a federal lawsuit -- but then the lawsuit was dismissed, and on appeal, it is clear that the "Freedom of Speech" crowd is pro-Human Trafficking.

Here is how the judge who heard the appeal opened her 37-page judgment:

"This is a hard case — hard not in the sense that the legal issues defy resolution, but hard in the sense that the law requires that we, like the court below, deny relief to plaintiffs whose circumstances evoke outrage. The result we must reach is rooted in positive law. Congress addressed the right to publish the speech of others in the Information Age when it enacted the Communications Decency Act of 1996 (CDA). See 47 U.S.C. § 230. Congress later addressed the need to guard against the evils of sex trafficking when it enacted the Trafficking Victims Protection Reauthorization Act of 2008 (TVPRA), codified as relevant here at 18 U.S.C. §§ 1591, 1595. These laudable legislative efforts do not fit together seamlessly, and this case reflects the tension between them. Striking the balance in a way that we believe is consistent with both congressional intent and the teachings of precedent, we affirm the district court's order of dismissal. The tale follows. . . "

The law that makes this all legal, from the Federal side, is "47 U.S.C. § 230" which is the law that protects websites from being responsible for the things that third parties post on their servers. The full judgment in that lawsuit is here:

The EFF (Electronic Frontier Foundation) and the CDT (Center for Democracy and Technology) both argued in favor of Backpage in amicus briefs, and Forbes magazine foolishly went along with their headline "Big Win For Free Speech Online In Backpage Lawsuit" -- (click image for story)

So "Free Speech" wins and our young women get trafficked. I'm shocked that Forbes finds this a thing to celebrate!

Federal Responses to BackPage CEO Arrest

One of the champions against Human Trafficking on Capital Hill is Congresswoman Ann Wagner from the 2nd District of Missouri.  She is the sponsor of the Stop Advertising Victims of Exploitation Act (SAVE Act).  In many ways you could say the SAVE Act was written in response to
Wagner's SAVE Act became law with the passage of Senate Bill 178 - Justice for Victims of Trafficking Act of 2015, when it was signed by President Obama on May 29, 2015. What her section of the law does is simply add the word "Advertising" to an existing law, 18 U.S. Code § 1591 - Sex trafficking of children or by force, fraud, or coercion.

We'll have to wait to see whether this new language gets used in Federal court sometime soon. In this case, the big question with regards to 18 USC Section 1591 would be "who did the advertising?" We already know that Backpage will say they are a neutral third party who allows OTHERS to advertise.

Senator Portman is also leading the charge from the Senate side. In November 2015 he held hearings about Backpage and subpoenaed CEO Carl Ferrer to appear before the committee. When Ferrer refused, contempt charges were filed against him (with a 96-0 vote in the Senate to sustain the charges). In his Senate Report about, he points out that in 2013, 80% of all revenue from advertising escort services in the United States was believed to have been generated by, and that according to the National Center for Missing and Exploited Children (NCMEC), 71% of the alerts they receive from members of the public about possible sex trafficking of underage persons have a nexus. The report also points out that American Express, Visa, and MasterCard refuse to allow their cards to do business with, due to their illegal or "brand damaging" activities. Although Backpage claims that 120 of its 180 employees do nothing but edit and filter ads on the site, NCMEC has documented 400 cases in 47 states of children being trafficked via

(196-page report from Portman/McCaskill)
Although the main body of the report is only 33 pages, the 196-page report from Senators Portman and McCaskill contains a great deal of additional interesting reading, if this is a topic of interest. One document that is cited second-hand is a report by researcher Danah Boyd called "Combating Sexual Exploitation Online: Focus on the Networks of People, not the Technology." I agree, focusing on the people is key, but does that mean we continue to allow our children to be advertised in the meantime?

Statements issued after the Arrest of's CEO:

One Example Sex Trafficking Case

In this case, announced 05OCT2016, a group smuggled sex workers in from Thailand to the United States and kept each woman confined in a house of prostitution until they were able to pay off their "bondage debt" of between $40,000 and $60,000.  Hundreds of women were held in this way.  Each "house manager" would choose the best way to advertise the women, but many chose the websites and

Toolsmith Release Advisory: Malware Information Sharing Platform (MISP) 2.4.52

7 OCT 2016 saw the release of MISP 2.4.52.
MISP, Malware Information Sharing Platform and Threat Sharing, is free and open source software to aid in sharing of threat and cyber security indicators.
An overview of MISP as derived from the project home page:
  • Automation:  Store IOCs in a structured manner, and benefit from correlation, automated exports for IDS, or SIEM, in STIX or OpenIOC and even to other MISPs.
  • Simplicity: the driving force behind the project. Storing and using information about threats and malware should not be difficult. MISP allows getting the maximum out of your data without unmanageable complexity.
  • Sharing: the key to fast and effective detection of attacks. Often organizations are targeted by the same Threat Actor, in the same or different Campaign. MISP makes it easier to share with and receive from trusted partners and trust-groups. Sharing also enables collaborative analysis, preventing redundant work.
The MISP 2.4.52 release includes the following new features:
  • Freetext feed import: a flexible scheme to import any feed available on the Internet and incorporate it automatically in MISP. The imported feed can create a new event or update an existing event. The freetext feed feature allows previewing the import and quickly integrates external sources.
  • Bro NIDS export added in MISP in addition to Snort and Suricata.
  • A default role can be set allowing flexible role policy.
  • Functionality to allow merging of attributes from a different event.
  • Many updates and improvements in the MISP user interface, including filtering of proposals at index level.
Bug fixes and improvements include:
  • XML STIX export has been significantly improved to ensure enhanced compatibility with other platforms.
  • Bruteforce protection has been fixed.
  • OpenIOC export via the API is now possible.
  • Various bugs at the API level were fixed.
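The freetext feed import above works by pulling indicators out of unstructured text, guessing a MISP attribute type for each one, and packaging the result as an event. The following is an added illustration of that idea, not MISP's own code: a small extractor that refangs defanged indicators, infers type by shape, drops RFC 1918 addresses that would only create noise, and emits a MISP-style event. The attribute type and category names follow MISP's vocabulary; the sample feed text is constructed for this example.

```python
"""Added example (not MISP project code): a minimal free-text IOC extractor
in the spirit of MISP's freetext import.  It infers an attribute type for
every indicator found in unstructured text and wraps the result in the
{"Event": {..., "Attribute": [...]}} shape MISP's event API uses."""
import ipaddress
import json
import re

# Hash type is inferred from hex-string length, as MISP's freetext import does.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# RFC 1918 space: internal addresses in a feed are almost never a useful
# detection indicator, so they are filtered out (a policy chosen here).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default category per attribute type; this mapping is the example's own.
CATEGORY = {
    "url": "Network activity", "ip-dst": "Network activity",
    "domain": "Network activity", "md5": "Payload delivery",
    "sha1": "Payload delivery", "sha256": "Payload delivery",
}


def refang(text):
    """Undo the common defanging conventions found in shared IOC text."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def extract_attributes(text):
    """Return a de-duplicated list of {"type", "category", "value"} dicts,
    in the order URLs, hashes, IPs, domains."""
    found, seen = [], set()

    def add(atype, value):
        key = (atype, value.lower())
        if key not in seen:
            seen.add(key)
            found.append({"type": atype, "category": CATEGORY[atype],
                          "value": value})

    text = refang(text)

    for m in URL_RE.finditer(text):
        add("url", m.group(0).rstrip(".,;)"))
    text = URL_RE.sub(" ", text)  # do not re-report a URL's host as a domain

    for m in HASH_RE.finditer(text):
        digest = m.group(0)
        atype = HASH_TYPES.get(len(digest))  # odd lengths are not hashes
        if atype:
            add(atype, digest.lower())

    for m in IP_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if not any(ip in net for net in RFC1918):
            add("ip-dst", str(ip))
    text = IP_RE.sub(" ", text)  # keep dotted quads out of the domain pass

    for m in DOMAIN_RE.finditer(text):
        add("domain", m.group(0).lower())
    return found


def build_event(info, text, distribution=0):
    """Package the extracted attributes as a MISP-style event (distribution 0
    = your organisation only, the safest default for an untrusted feed)."""
    return {"Event": {"info": info, "distribution": distribution,
                      "Attribute": extract_attributes(text)}}


# Constructed sample feed text for this example; none of it is a real feed.
SAMPLE_FEED = """
Campaign update: C2 at hxxp://update.example-bad[.]net/gate.php (203.0.113.45)
Dropper md5 d41d8cd98f00b204e9800998ecf8427e, later seen from 198.51.100.7 and
the internal host 10.0.0.5. Payload sha256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Second-stage host payload.example-bad[.]net also observed.
"""

if __name__ == "__main__":
    print(json.dumps(build_event("Constructed feed preview", SAMPLE_FEED),
                     indent=2))
```

The preview printed by the script is the step a MISP operator would review before letting the feed create or update an event.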
This is an outstanding project that will be the topic of my next Toolsmith In-depth Analysis.

Cheers...until next time.

Wrong About Conferences, part 3

Thought I’d get tired of this topic?  No way, I’m just getting warmed up.

Today’s installment continues on the events themselves:

A lot of people complain about the commercialization, the sales pitches, the circus-like atmosphere of some vendor areas. I'm not a big fan of these things myself (OK, I loathe them); I prefer to engage with vendors in a rational manner. But whether you are buying antivirus, SIEM, a new car, or a washing machine, expect the sales hype. If you are like me you'll ignore the excesses and gravitate towards the companies who bring engineers and maybe even support personnel to accompany the sales and marketing teams to shows so that they can answer hard questions and help existing customers. And if you aren't buying, or curious about the tech, avoid those parts of the events altogether (or as much as the venue allows).

The same events which have the big vendorfests are often the best for meeting people for quiet meaningful conversations- not at the show but nearby, away from the mayhem.  If thousands of people go to the event, there may be folks there you want to talk to, you don’t have to meet at the conference.  If you are going to do this, make appointments.  You will not just run into folks and have time to chat.  And “I’ll meet you in the lobby” isn’t good enough, especially at sprawling complexes like the Moscone Center in San Francisco, the Las Vegas Convention Center, and other huge venues.

The flip side of over commercialization are the community events with little or no advertising and sales.  They are a great relief to many of us who suffer the excesses at commercial shows, but they don’t generate leads for the sponsors so it can be hard to pull in the funding needed for the event.  These events often get funded primarily through ticket sales because someone has to pay.  A lot of companies will provide sponsorship for visibility and the good of the community, but there are a lot of community conferences and not enough money for all of them.

The realms of for-profit, not-for-profit, and non-profit are too convoluted a topic for this series, but whether people want to make money from an event or not, they want people to like the event.

It is also worth mentioning the size of events.  Everyone wants to go to the cool events, and so some grow until they aren’t what they used to be, and a lot of folks complain about this.  When I hear such complaints I am reminded of what the sage Yogi Berra said many years ago about Rigazzi’s in St. Louis:

“Nobody goes there anymore, it’s too crowded”

But if events cap attendance and demand continues to grow they get accused of being exclusionary by some.  What’s a conference organizer to do?

You’ll note I’ve avoided naming specific events, although I’m sure most of you have assigned names to several things I’ve mentioned.  I would, however, like to use one specific group as an example, an example that could be applied to many other groups and events.  DC303, the Denver area DEF CON group, is well known and very active, and I’ve heard them accused of being “cliquish”  and excluding people from activities and events.  I would like to make two points about DC303 (note, I am *not* a 303 member):

First, as with most organizations, some things are limited to members.  I can’t expect to toss my kayak in the bay and be welcomed down at the yacht club.  Some things are more open than others- and some do require an invitation, which leads to my second point:

My first interaction with the 303 crew was in July of 2009, at the first BSides Las Vegas.  I knew almost no one other than from a few online exchanges, they certainly didn’t know me.  And it didn’t matter, I showed up and got to work as did several others- and many of us became friends.  That’s it, three simple steps: show up, participate, and be accepted.  If you skip step two you probably won’t make it to step three.  This applies at your local LUG or ISSA chapter as much as to 303 or pretty much any other entity.

Next week I’ll change topics a bit and babble about what’s wrong with presentations, speakers, and who knows what else.



Wrong About Conferences, part 2

Today let’s start with a look at the conferences and events themselves.  One of the cyclical things I see is dismissing events people don’t like as irrelevant or worse.

“The big commercial cons are irrelevant…” as tens of thousands of people go to them, learn, share and yes, do the business of InfoSec.  The business of InfoSec, it’s so ugly and dirty, oh, and pays tens of thousands of us a living while funding an amazing amount of research.  Maybe they aren’t the places for cutting edge research, especially offensive security stuff, but that’s not their core audience.

Are there excesses? Sure there are.

Are they valuable to a lot of people?  Of course they are.

And very few people are forced to go unless they are paid to do so.

Don’t like it?  Not your scene?  Cool, don’t go.


“That’s just a hacker con, full of criminals…” as thousands or even tens of thousands of people gather to learn, share, and (gasp) maybe even do a little business.  Yeah, we’re all a bunch of criminals, right.  No, almost all of us at hacker cons are trying to make the world more secure.  You may disagree with some methods and opinions, but hacker cons help make us more secure.  Some may not be the best places to learn a lot about policy and compliance issues, or securing global enterprises, but that’s not what they’re about- and some “hacker” cons do cover these topics well.

Are there excesses? Sure there are.

Are they valuable to a lot of people?  Of course they are.

And very few people are forced to go unless they are paid to do so.

Don’t like it?  Not your scene?  Cool, don’t go.

Fifty years ago Buffalo Springfield sang “Nobody's right if everybody's wrong”, and that sums up the way I feel about a lot of the con noise, hype, and drama.  Find the events that work for you, contribute to making them better, and avoid the ones that don’t work for you.

There are plenty of things I don’t like about a lot of events, I’m a cranky old man.  I do, however, understand that different events serve different needs and audiences.  That doesn’t excuse hype, lies, and bullshit but no event has a monopoly on that.

More on events in the next few posts.



Everyone is wrong about conferences

In the past couple of years there have been many blog posts and articles on the topics of what’s wrong with InfoSec and hacker conferences, which events are or are not relevant, and what’s wrong with the talks and panels at those conferences.  A lot of good points have been raised, and some great ideas have been floated.

But they are all wrong.

Many of them aren’t just wrong, they’re also symptomatic of some of the things wrong with InfoSec, a failure to understand the importance of context and perspective.

Let’s start with this simple fact:

Your experience is unique, it is not universal.  Your perspective is therefore not a universal perspective.

As with anyone offering The One True Answer to any question, allow me to suggest that It Isn’t That Simple.

In upcoming posts I’ll dig into a few of these topics, not to give The One True Answer, but to share some of my experiences and perspectives, and float a few ideas of my own.  I don’t claim to be an expert on conferences or presentations (or much of anything else), but I am and have been involved in a lot of conferences- as an attendee, participant, program committee member, organizer, volunteer, vendor booth staff, speaker, and even bartender.  I also participate in events large and small, commercial and community, business- and hacker-centric.

And I have opinions.  You may have noticed.

Stay tuned.



How to encrypt your Facebook messages with Secret Conversations

Good news, privacy enthusiasts: Facebook’s one-on-one encrypted messaging feature called Secret Conversations is now live for all Android and iOS users. 

Secret Conversations allows Messenger users to send end-to-end encrypted messages to their Facebook friends. There are a few caveats, however. First, it only works on a single device. Facebook says it doesn’t have the infrastructure in place to distribute encryption keys across your phone, tablet, and PCs.

A beta version of Secret Conversations on iOS.


DerbyCon was fantastic again this year, with talks from some of the best and brightest in NetSec. If you're not familiar with it, it's been held each year in September in Louisville, Kentucky since 2011. Admission to the conference (3 days) is only $175.00, and there are (relatively) inexpensive training classes held the two days before the con. If you've never been to a hacker conference, I highly recommend DerbyCon. The atmosphere is very friendly and helpful, and even someone brand new to NetSec can find plenty to learn and participate in. There is a lock pick village, a hardware hacking village, a SOHO router hacking room, a Capture The Flag contest and lots more, as well as official parties Friday and Saturday nights. This was my fifth year attending, and it gets better each time.
All the talks are recorded and available on Adrian Crenshaw's web site. This year's talks are at:

RIG evolves, Neutrino waves goodbye, Empire Pack appears

  Neutrino waves Goodbye

Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware.

Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016

RIG += internal TDS :

Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08: it seems this functionality is limited to the Empire Pack version of RIG].
I believe this feature first appeared in the EK market with Blackhole (if you are aware of a TDS integrated directly into an EK earlier than that, please tell me)

Picture2: Blackhole - 2012 - Internal TDS illustration

but disappeared from the market with the end of Nuclear Pack

Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustration

and Angler EK

Picture 4 : Angler EK - Internal TDS illustration

This is a key feature for load sellers: it makes their day-to-day work with traffic providers far easier.
It allows the Exploit Kit operator to attach multiple payloads to a single thread; which payload is dropped is then conditioned on the Geo (and/or OS) of the victim.

Obviously you can achieve the same result with any other exploit kit, but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc.) and from that TDS point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country).

Picture 5: A Sutra TDS in action in 2012 - cf The path to infection

RIG += RC4 encryption, dll drop and CVE-2016-0189:

Around 2016-09-12 a variation of RIG (which I flag as RIG-v in my systems) appeared.
It has a slightly different landing obfuscation, RC4 encoding, Neutrino-ish behaviour, and adds CVE-2016-0189.

Picture 6: RIG-v Neutrino-ish behaviour captured by Brad Spengler’s modified cuckoo

Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.

Neutrino waves goodbye ?

On 2016-09-09 a Jabber message from the Neutrino seller account was reported underground:
“we are closed. no new rents, no extends more”
This explains a lot. Here are some of my last Neutrino passes from the past month.
Picture 8: Some Neutrino passes from the past month and associated taxonomy tags in MISP

As you can see several actors were still using it. Now here is what I get for the past days:
Picture 9: Past days in DriveBy land
Not shown here: Magnitude is still around, mostly striking in Asia.

Day after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground.

Picture 10: Last banner for Neutrino as of 2016-09-16

Are we witnessing the end of Neutrino Exploit Kit? To some degree. In fact it looks more like Neutrino is going into full “Private” mode, “a la” Magnitude.
Side reminder: Neutrino also disappeared from March 2014 until November 2014.

A Neutrino Variant

Several weeks ago, Trend Micro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino.

Picture 11: Neutrino-v pass on the 2016-09-21

Upon replay I noticed that this Neutrino was somewhat different: a smoother CVE-2016-4117, more randomization in the landing, and a slightly modified Flash bundle of exploits.

Picture 12: Neutrino-v Flash run through Maciej’s Neutrino decoder
Note the pnw26 with no associated binary data, the rubbish, and additionalInfo.

A sample: 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523

Picture 13: Neutrino-v behaviour is a little different: dropped file names are not generated via the GetTempName API

function k2(k) {
    var y = a(e + "." + e + "Request.5.1");
    y.setProxy(n);"GET", k(1), n);
    y.Option(n) = k(2);
    if (200 == y.status) return Rf(y.responseText, k(n))
Neutrino-v making sure WScript uses the default proxy (most often, when a proxy is configured it is only set for WinINet; the WinHTTP proxy is not set, so WScript would try to connect directly and fail).

I believe this Neutrino variant is in action in only one infection chain (if you think this is inaccurate, I’d love to hear about it).

Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079x
The actor behind this chain is the same as the one featured in the Malwarebytes post “Neutrino EK: more Flash trickery”.

Empire Pack:

Coincidentally, a new Exploit Kit is being talked about underground: Empire Pack. Private, not advertised.

Picture 15: King of Loads - Empire Pack Panel

Some might find this interface quite familiar. A look at the favicon will give you a hint.

Picture 16: RIG EK favicon on Empire Pack panel

Picture 17: RIG Panel

It seems the Empire Pack project was conceived upon Angler EK’s disappearance and launched around the 14th of August 2016.
I think this launch could be related to the first wave of switching to RIG that occurred around that time. I think Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections.
RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) overlap, I don’t know. I am aware of 3 variants of the API to RIG:
  • api.php : historical RIG
  • api3.php : RIG with internal TDS [2016-10-08: this is Empire Pack. It also appears to be using remote_api since this post went live. I flag it as RIG-E]
  • remote_api.php : RIG-v
But Empire Pack might be api3, remote_api, or a bit of both.

By the way, RIG has also (as Nuclear and Angler ended up doing) added IP whitelisting on API calls to avoid easy EK tracking from there: only whitelisted IPs (from a declared redirector or external TDS) can query the API to get the current landing.


Let’s just conclude this post with the statistics pages of two Neutrino threads.

Picture 18: Neutrino stats - Aus focused thread - 2016-07-15

Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09

We will be known forever by the tracks we leave
Santee Sioux Tribe

Some IOCs

2016-10-01 | u0e1.wzpub4q7q[.]top | 185.117.73.80 | RIG-E (Empire Pack)
2016-10-01 | adspixel[.]site | 45.63.100.224 | NeutrAds Redirector
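An added example, my own code and not Kafeine's or any project's: it takes the two IOCs listed above in the defanged form the post uses, refangs them, and matches them against proxy log lines, treating a domain indicator as matching itself and its subdomains but not look-alike names. The log format and the log lines themselves are constructed for illustration.

```python
"""Match the post's defanged IOCs against (constructed) proxy log lines."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# IOCs as written in the post: (first seen, defanged domain, IP, tag).
IOCS = [
    ("2016-10-01", "u0e1.wzpub4q7q[.]top", "185.117.73.80", "RIG-E (Empire Pack)"),
    ("2016-10-01", "adspixel[.]site", "45.63.100.224", "NeutrAds Redirector"),
]

# Constructed proxy log lines: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = [
    "2016-10-01T10:02:11Z 10.0.0.12 GET http://adspixel.site/banner.js",
    "2016-10-01T10:02:12Z 10.0.0.12 GET http://www.example.org/index.html",
    "2016-10-01T10:02:14Z 10.0.0.12 GET http://u0e1.wzpub4q7q.top/?q=abc",
    "2016-10-01T10:02:15Z 10.0.0.12 GET http://185.117.73.80/payload.dll",
    "2016-10-01T10:02:16Z 10.0.0.12 GET http://notadspixel.site/x",  # look-alike, no hit
]


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging so the indicator can be compared to live data."""
    return indicator.replace("[.]", ".")


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index of the matching log line
    indicator: str  # host that matched
    tag: str        # tag from the IOC list


def scan(log_lines, iocs=IOCS):
    """Return a Hit for each log line whose host equals an IOC domain,
    is a subdomain of one, or equals an IOC IP address."""
    domains = {refang(dom): tag for _, dom, _, tag in iocs}
    ips = {ipaddress.ip_address(ip): tag for _, _, ip, tag in iocs}
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        parts = line.split()
        host = urlsplit(parts[3]).hostname if len(parts) >= 4 else None
        if not host:
            continue
        try:
            tag = ips.get(ipaddress.ip_address(host))  # literal IP in the URL
        except ValueError:  # not an IP, so compare against the domain list
            tag = next((t for d, t in domains.items()
                        if host == d or host.endswith("." + d)), None)
        if tag:
            hits.append(Hit(line_no, host, tag))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator} -> {hit.tag}")
```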


Thanks to Malc0de, Joseph C Chen (Trend Micro), and Will Metcalf (EmergingThreats/Proofpoint) for their input and help on multiple aspects of this post.


2016-10-03:
Removed the limitation to KOR and TWN for Neutrino-v use by NeutrAds, as Trend Micro informed me they are now seeing it in other Geos.
Added an explanation of the IP whitelisting on the RIG API (it was not clear).
2016-10-08:
Updated with the information gained on Empire Pack.
2016-11-01:
RIG standard is now also using the pattern introduced last week by RIG-v. It's now in version 4.

RIG panel
The only instance of RIG still using the old pattern is Empire Pack (which previously could be guessed from the domain pattern).
2016-11-18: Empire (RIG-E) is now using RC4 encoding as well (still on the old pattern and landing).

RIG-E Behaviour
RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non-IE traffic.

2016-12-03 RIG-v Pre-landing

Read More

RIG’s Facelift - 2016-09-30 - SpiderLabs
Is it the End of Angler ? - 2016-06-11
Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01
Hello Neutrino ! - 2013-06-07
The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05