Although there have been numerous articles posted, I thought I would write about my recent presentation at the RSA Conference on the subject of touchlogging.
Since many people have asked, I got the term touchlogging from this paper. I do not know if it has been used before, but I decided it was a good name for my presentation.
The idea for the project came from a penetration testing engagement for which we compared financial malware on the Windows platform with (potential) malware on mobile platforms. The goal was to find the various components that allowed the malware to capture financial data and see whether it could be moved to the mobile platforms. It was quickly realized that the key component was the keylogging mechanism.
Will you be at the OWASP Foundation’s AppSec USA event next week in New York City? If so, be sure to stop by our booth, number one, for a chance to win a Pebble Smartwatch.
And don’t miss presentations by some of SpiderLabs’ own builders, breakers and/or defenders discussing their own unique insights into application security:
Right before DEF CON, a friend of mine reached out to me to ask if I would write a crypto challenge for his CTF. While it was a busy time for me, I didn’t want to pass up the chance and so I wrote two challenges for the “Way of the Cryptologist.”
The other day at DEF CON 21 we (Daniel Chechik and Anat Davidi) gave a talk introducing a new technique for delivering exploits by utilizing popular websites. We named the technique RDI, which stands for “Reflected DOM Injection”, and we explained it in depth during the talk.
This blog post will summarize RDI for those of you who didn’t make it to our talk and are wondering what you missed!
The RDI technique is basically meant to bypass security engines that use URL blacklisting technologies in order to detect malicious websites. It makes use of the fact that it is practically impossible to blacklist popular websites (such as Google, Yahoo, etc.), as they provide many services that the average user requires. They can, however, be leveraged into helping deliver malicious content to users; and this is where RDI comes in…
So, how does RDI work?
Just look at the face: it's vacant, with a hint of sadness. Like a drunk who's lost a bet.
—Dianne describing a zombie in the movie “Shaun of the Dead”
It’s coming. In just two weeks security pros, crackers, hackers and other interested parties will swarm Las Vegas to learn, share and let off some steam.
We feel it’s our duty to warn the uninitiated and inexperienced. As a public service, your friends at SpiderLabs offer the following tips to help you avoid the Dehydrated N00b Zombie Virus (DNZV) to which some poor souls succumb each year at Black Hat USA, DEF CON, DEF CON Skytalks and BSides Las Vegas. You’ll read tips similar to last year’s, but they’re still relevant reminders to help ensure an unscathed departure on Sunday.
Security week in Las Vegas will be here before we know it. The SpiderLabs team will be busy: talks (see a list below), a team meeting and our annual Spiders Are Fun! Party (reach out to your SpiderLabs contacts to see if you can score an invite).
Over the many years I’ve spent training various local, state, federal and law enforcement organizations on forensics methodologies, one story always sticks out in my mind as I prepare for courses. As I get organized for the upcoming Computer Forensics & Incident Response for Investigators course on July 27th – 30th at Black Hat USA in Las Vegas, or hear about another breach in the news, I’m reminded of the following story once again.
A certain engineer retired from his job of 37 years at a very productive factory of a very well-known company. Prior to his departure, he trained three young college graduates with engineering degrees on the ins-and-outs of the factory. Because the retiring engineer did not have a college degree his replacements quickly discounted his admonitions as the ramblings of an "old man".
So, what are we going to do to change this? One of the pieces we’ve been working on is merging Lua into Ettercap. We did a presentation at Derbycon last year about how we planned to do this, and now we have some practical uses. We’re going to take a look at how to build easy-to-use scripts, similar to the Nmap NSE scripts, to allow manipulation and parsing of data that would otherwise require C code.
A few months ago, I was asked to present a keynote at RSA Conference 2013. This was a rather intimidating request given that I was in a lineup that included Vint Cerf, Dr. Condoleezza Rice, Jimmy Wales and Andy Ellis.
For those who were not in San Francisco last week, this isn’t a small conference. There were an estimated 22,000 people at this year’s conference, and the room where the keynotes were held could seat up to 5,700 people.
I have attended hundreds of security conferences around the world. While I have seen some very insightful and interesting keynotes, the common opinion among many con-goers is that the keynotes are sometimes not all that enjoyable to watch. They are typically not technical at all and are usually a 30-40 minute monologue around a single abstract point or idea.
I very much wanted to present a talk that I would enjoy sitting and watching for 30 minutes. So I did my best to make that happen.
Back in December, I was traveling on business and after getting to my hotel rather late I turned on the television. I happened to flip to a local ABC channel and Jimmy Kimmel Live was on. I watched the first 20 minutes or so and realized that the format used on late night shows might be the perfect way to give a keynote at RSA.
When you watch a late night show, they almost always follow this format at the start of the program:
I decided to organize my keynote in the very same way:
If I had been given 40 minutes rather than 30, I actually considered asking DualCore to perform as the musical guest.
Having given a TEDx talk a few months ago, I had learned from that experience that less is typically more in a keynote or short-format presentation. I didn’t want to use dozens of slides with bullet builds and text. Instead, I started by storyboarding my talk and then worked with a graphic designer to create a presentation built in Keynote that had very visual auto-building slides and even video segments when the animations were a little more complicated than Keynote could handle. Most of what you saw on the screen advanced on its own while I was speaking, without me clicking a button.
I have also learned that using speaker’s notes can be a bit of a crutch when speaking publicly. For some this may be scary, but once I jumped into this way of presenting it was hard to go back. I feel like I am able to be more visual in my explanations, I don’t just focus on exactly what was planned for the talk, and I am better able to read and connect with the audience.
If you are an experienced presenter in the security industry, take a leap of faith and try this way of presenting. Your audience will thank you, and you'll have a great experience.