Sharing my presentation on "BLOCKCHAIN BASICS & CRYPTOCRIMES CASE TAKES",taken at CAPT(Central Academy of Police Training),Bhopal on 31Aug 2019. The presentation after building upon basics of Blockchain and Cryptocurrencies takes on few known case studies including the Mt Gox Exchange theft and the role played by Kim Nilsson
Today got an opportunity to speak at Cyber Security Summer Internship 2016 Gurgaon Police being conducted under the aegis of Shri Rakshit Tandon.Below is the presentation that I presented before the attending audience on Hardware Trojans.
1. null is India's largest open security community. It is registered as a
non-profit society in 2010 and has been active since even before that.
null is about spreading information security awareness. Activites such as null Monthly Meets, null Humla, null Bachaav, null
Puliya, null Job Portal are for the overall cause of spreading awareness on the evolving cyber threat.
2. In my continued association with the community I had recently given a presentation on Hardware Trojans which is shared below for info.
1. Typically analyzing malware requires a great deal of knowledge in computers and expects basic knowledge of terminal commands,configuring the tool correct and right usage of advanced tools. As seen in my last post about Cuckoo usage and configuration,it is actually complex and confusing at times,now what if one can use Cuckoo without doing anything like that..no installation,no configuration,no testing and bugging...one can directly use Cuckoo directly for a sample file analysis.As we realize the power online tools,its becomes actually easier for anyone to analyze a file’s behavior by simply uploading the file to the free on-line services for automated analysis and review the detailed and yet easy to understand report.This way not only the analyst gets a quick report and analysis but more importantly he gets a variety of reports which can be compared and analyzed further leading to expedited pace of understanding and clarity of the malware architecture and working.Here I list out my choices of best on-line file/malware analyzers that can be used for free with address and screenshots of sample usage....
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report with the level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias.
Wepawet is a free service, for non-commercial organizations, to detect and analyze web-based threats. It currently handles Flash, JavaScript, and PDF files.But the upload size of the file is limited to 2 Mb and below.
IObit Cloud is an advanced automated threat analysis system. It uses the latest Cloud Computing technology and Heuristic Analyzing mechanic to analyze the behavior of spyware, adware, trojans, keyloggers, bots, worms, hijackers and other security-related risks in a fully automated mode
Comodo Instant Malware Analysis is one of the easier to use and
understand online sandbox service wherein no submission form is required
nor an email address nor solving a CAPTCHA code. Simply browse the file that
you want to analyze in Comodo sandbox, tick the box to agree with their
terms and click the Upload file button. The file will then be analyzed
in real time and the report page will continuously refresh by itself
until the analysis has been completed.
Vicheck.ca is an advanced malware detection engine designed to decrypt and extract malicious executables from common document formats such as MS Office Word, Powerpoint, Excel, Access, or Adobe PDF documents. ViCheck will detect the majority of embedded executables in documents as well as common exploits which download malware from the internet.ViCheck is a free service designed to help the public detect new sophisticated malware which is often difficult to detect with common commercial anti-virus programs.
Anubis is another popular online service to analyze unknown Windows executable files. Four report formats (HTML, XML, PDF and Text) are available to download once the analysis has been complete.
GFI SandBox is meant for OEM or cloud providers and fortunately they’ve created a webpage that offers free analysis called ThreatTrack which uses their sandbox technology. ThreatTrack supports analyzing any Windows executable file, office documents, PDF files and even flash ads that is mostly not accepted by other online sandboxes.
Joe Sandbox is the automated malware analysis system which implements any state of the art program analysis technology from coarse to fine grained including dynamic, static and hybrid. Joe Sandbox’s analysis spectrum enables to discover any behavior including hidden or obfuscated parts.
Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic.
The Xecure Lab Scanner (XecScan) gives the security community and general public on-demand analysis of any suspicious document file where no installation or registration is required to enjoy the service. Though it’s free, XecScan is capable of finding advanced malware, zero-day, and targeted APT attacks embedded in common file formats.
Malwr is a free malware analysis service and community launched in January 2011. One can submit files to it and receive the results of a complete dynamic analysis back.Malwr is operated by volunteer security professionals with the exclusive intent to help the community. It's not associated or influenced by any commercial or government organization of any sort.Malwr is mainly based on an open source malware analysis tool called Cuckoo Sandbox as explained in my last post at http://anupriti.blogspot.in/2015/09/cuckoo-sandboxautomatic-malware.html
In fact as you google,you will find thousands of links and websites offering free online malware analysis but one has to be careful too while submitting any file to such sites.......so happy analyzing for now.....
1. Cuckoo Sandbox is a malware analysis system tool which allows you to throw any suspicious file at it and in a matter of seconds it will provide you back some detailed results outlining what such file did when executed inside an isolated environment.It is written 100% in Python, the architecture is very interesting and it is based on a virtualisation engine like Virtual box to maintain a “fresh” pc always at hand to run the malware called the client, inside this client it is run as an agent that is also written 100% in Python to monitor the different calls that the malware do to the dll’s, host that try to connect, etc.The connection between the Server and the client is done through an isolated network set up by virtual box, it is configured that way in order to avoid the propagation of the malware and to communicate effectively between the client and the server to send the analysis report, infected binaries, etc.This post ahead brings you a step by step screenshot to download and configure this excellent tool,will be good for beginners in cyber security/penetration testing to play with and see results immediately.Though from the looks of this post below,the procedure looks cumbersome and complex,but I have made attempts for a naive to understand and follow up screenshot wise,any queries still will be most welcome :
WHAT IT DOES PRECISELY?
2. Cuckoo can produce the following types of results:
- Files being created, deleted, and downloaded by the malware during its execution
- Network traffic trace in PCAP format(as we get with wireshark and ethreal)
- Traces of win32 API calls spawned by the malware
- Memory dumps of the malware processes
- Screenshots of the Windows desktop as it happens during execution of the malware
- Full memory dumps of the machines
KINDS OF FILES FOR ANALYSIS
3. The following kinds of files can be analysed and put for check in cuckoo :
- Adequate RAM around 4 GB in all with the parent machine.
- i3 processor and above will help u lessen wait and make u patient
5. Python comes preinstalled with the Ubuntu Desktop,but we need some extra python libraries as follows :
Pydeep
Sqlalchemy
Bson
DPKT
Yara
MAEC Python bindings
Jinja2
Magic
Chardet
Pymongo
tcpdump
mongodb
Volatility
Libvirt
Bottlepy
Django
Pefile
Step 1
Firstly we will install all the above mentioned libraries vide a single command.You need to slect the below text and paste as it is in the terminal | sudo apt-get install mongodb python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet tcpdump -y
Besides above,there are other python libraries that need PIP for installation.Pip is an alternative to Easy Install for installing Python packages and is largely recommended when used in virtual environments.
Two additional software Yara and Pydeep too need to be installed and the cuckoo documentation states these need to be installed separately, however Yara is provided in the Ubuntu universe repository. but before installing Pydeep , we need to install some dependencies with the following command line to install the following :
Cuckoo requires Yara 1.7 or higher and to install yara,run the following command
sudo apt-get install yara -y
Pydeep depends on ssdeep 2.8+ and ssdeep needs to be compiled from source and likewise for Pydeep. Before doing so, a few packages are needed. The following commands will work :
| sudo apt-get install build-essential git python-dev -y | wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.12/ssdeep-2.12.tar.gz/download -O ssdeep.tar.gz | tar -xf ssdeep.tar.gz | cd ssdeep-2.12 | ./configure | make | sudo make install | ssdeep -V | 2.12(output for above)
We also need to install “git’:
sudo apt-get install git
Now cd to the directory Download, clone the pydeep project and install manually:
git clone https://github.com/kbandla/pydeep.git
cd pydeep
sudo python setup.py install
Install Yara
sudo apt-get install libtool automake
Then download yara form the git repository and install it:
Now we need to install yara-python with the following commands:
cd yara-python
sudo python setup.py install
Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, Seven, 8, 8.1, Server 2012, and 2012 R2 but in recent past now on supports Linux memory dumps in raw or LiME format and include 35+ plugins for analyzing 32- and 64-bit Linux kernels from 2.6.11 - 3.16 and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake.VOLATILITY is to be installed next,we need the following commands:
Where user:usergroup is the user used to login to the ubuntu machine and the group is the group to which user belong
Now we shift our attention to configuring networks for Virtual Box and parent machine.So I assume you have installed Windows 7 in virtual box with Adobe,Microsoft Office and a Mozilla/Chrome browser.
Configure as shown next below :
Vide the above,the two IP addresses I have configured to ping are :
Parent/Host OS : 192.168.56.1
Virtual Windows Machine : 192.168.56.101
Just ping from each IP to other,if they ping all is set now to work ahead.
and one important step that remains is to configure the conf files in the cuckoo configuration,Few important configuration files that we effect to work with are mentioned below with brief functionality:
cuckoo.conf : This configuration file contains information about the general behavior and analysis options in Cuckoo Sandbox. machinemanager.conf : This file holds the information about your virtual machine configuration: Depends on the name of virtualization that we used. processing.conf : This file is used for enabling/configuring the processing of modules. reporting.conf : This file contains information about reporting methodologies.
There are a few things required to be changed in the configuration files as follows:
[I used gedit to edit and make amends to these conf files]
/opt/cuckoo/conf/cuckoo.conf
[cuckoo] memory_dump = on [resultserver] ip = [ip address of the vboxnet0 interface, to check it issue on terminal ifconfig vboxnet0, usually 192.168.56.1]
/opt/cuckoo/conf/virtualbox.conf
[cuckoo1] label = [Name of the Windows guest virtual machine as configured on VirtualBox] ip = [ip address configured i the windows guest] snapshot = [the name of the snapshot taken with virtual box] /opt/cuckoo/conf/memory.conf [basic] delete_memdump = yes
/opt/cuckoo/conf/processing.conf
[memory] enabled = yes [virustotal] enabled = yes key = [key of the virus total API, could be obtained registering in http://www.virustotal.com
/opt/cuckoo/conf/reporting.conf
[maec40] enabled = yes [mongodb] enabled = yes
Now we can run Cuckoo after all the hardwork :
run the command as shown below and you should get the screen as below :
sudo python /opt/cuckoo/cuckoo.py
Now we need to do a submission of a file vide a script as shown below :
1. WhatsApp,the exceedingly renowned application that has actually swung around the way we all chat, talk, share and do so many things has so many PROs but over this small period of time since its inception it has also been the quarry of cyber criminals. With a user base as strong as 900 million active users in Apr 2015,any vulnerability in the architecture cosmos is destined to be a remunerative lure for any cyber criminal. A recent vulnerability in the form of simply sharing a vCard with other user discovered by Check Point security researcher Kasif Dekel has come to the fore. It involves simply sharing the seemingly guileless vCard with the victim and as the victim clicks the vCard, his task his over since rest will be done in the background by the malicious code terra incognita to the user. This vCard actually exists as an executable file and gets into action the moment it gets clicked by the user in the application.
RESOLVED by update from WhatsApp
2. WhatsApp affirmed and recognized the security egress and have released the fix in all versions greater than 0.1.4481 and blockaded that especial lineament.
How it Happens?
3. To activate the code, Kasif Dekel ascertained an attacker could just inject the command to the name attribute of the vCard file, separated by the ‘&’ character. When executed, it will attempt to run all lines in the files, including controlled injection line. Once such a contact is made, all an attacker has to do is share it via the normal WhatsApp client.
What made the application Vulnerable?
4. WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.Thus the default action runs for the vCard for running the code whilst being understood as sharing the contact details.
What can it do ?
Once the code is activated,it is bound to take complete control over the target machine and will definitely monitor
the user’s activities and use the target machine to spread malicious malwares and viruses ahead.
Timelines by CHECKPOINT on the vulnerability
August 21, 2015 – Vulnerability disclosed to the WhatsApp security team.
August 23, 2015 – First response received.
August 27, 2015 – WhatsApp rolls out fixed web clients (v0.1.4481)
September 8, 2015 – Public disclosure
1. Cloud Computing is emerging amongst all the bombilate words of
acclivitous technologies as the most prodigious maturations in the
chronicles of computing. As it still takes time to settle, a new
egressing challenge as felt whilst its implementation across has been
a relatively more newfangled field known as Cloud Forensics. Today as
Cloud still needs time to mature and offer its full exploitation, the
even newer subfield Cloud Forensics is a carking cause to negate
immediate acceptance of cloud computing with open arms. The research in
this field is still in parturient stages to say from perspective of the
way cases and incidents are being handled on ground today.
2. My paper got published in "Cyber Times International Journal of Technology & Management".The "Cyber Times International Journal of Technology & Management" (CTIJTM) was launched in 2007 by "Cyber Times - PRESS" in order to promote Latest Research and innovations in the Area of Technology & Management.The"Cyber Times International Journal of Technology & Management" (CTIJTM) is Bi-Annual, Double Blind Peer Reviewed, International Journal with International Serial Standard Number which is available in print and online versions. It provides the new paradigms in the embryonic fields of Technology, Management, Science, Electronics, Law, Economy etc. and visualizes the future developments in the respective areas. It is meant to publish High Quality Research Papers with innovative ideas, inventions, and rigorous research which will ultimately interest to research scholars, academicians, industry professionals, etc.The paper is available at the following links : http://journal.cybertimes.in/?q=Vol8_A_P1_01
The Equation Group is a highly advanced secretive computer espionage group, suspected by security expert Claudio Guarnieri and unnamed former intelligence operatives of being tied to the United States National Security Agency (NSA). Because of the group's predilection for strong encryption methods in their operations, the name Equation Group was chosen by Kaspersky Lab, which discovered this operation and also documented 500 malware infections by the group's tools in at least 42 countries.This presentation gives an over view in brief based on the Kaspersky Report.
The smart-phones penetration in our country and for that matter any country has been seeing explosion like never before...from cheap mobiles with luring specs to high end smart-phones by Apple,Samsung,Sony etc.The growing and already a subject matter of concern in IT ie SECURITY is majoring as a serious threat in the mobile world too...like the Microsoft b70 case few years back(click here for details)....As evidenced by the latest pre-loaded malware identified called DeathRing that’s a Chinese Trojan that is pre-installed on a number of smart-phones most popular in Asian and African countries.
as evidenced by the latest pre-loaded malware Lookout identified called DeathRing.
1. There has been a series of decisive and significant reveals in past few weeks in the field of Cyber Security. REGIN, APT28, Wirelurker and now comes another important report by the name of Operation Cleaver. The report is available here.Some time about a year back in September 2013,the ping pong blame of cyber attacks between Iran-US were made public vide US carrying out proven credentials of IRAN being part of attack in their Navy room. A screen shot of a report then is seen below :
2. Now, a US cyber security firm Cylance says it has evidence to prove that the same team has infiltrated not just the Navy, but also various top companies across the globe within the past two years. This report sheds light on the efforts of a coordinated and determined group working to undermine the security of at least 50 companies across 15 industries in 16 countries.
3. Iran till date has never been considered quite as much of a serious cyber threat to the US as China and Russia have been in recent years. This could prove to be a mistake vide proofs given in this report.The report indicates that state sponsored cyber groups in Iran can be just as severe or even way ahead in terms of offered danger to few countries. Few key points of interest are mentioned below :
- Victims include companies in the oil and gas sector, the energy industry, airports and the transportation sector, government and defence, and the telecommunications and technology industries.
- Report believes all the revelations are just the tip of the ice berg and damage extends much ahead of contours identified.
- About 10 of the victims are based in the US and include a major airline, an energy company, a medical university, and an automobile manufacturer.
- Many of the other firms targeted by the group are based in Middle Eastern countries like Kuwait, the United Arab Emirates, Saudi Arabia, and Qatar. Cylance also found a significant number of victims in Canada, Germany, England, France, India, Israel, Pakistan, and Turkey.
- Unlike their Russian and Chinese counterparts, which tend to grab IP and
financial data where they can, the Iranian group has mostly avoided
stealing such data.
- The group is scoping networks and conducting reconnaissance as
if in preparation for a major assault at some point in the future.
- Technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort.
Most of us are part of various Social Engineering Sites and keep updating ourselves via status updates, pictures and tweeting small life updates. Related Privacy and Security issues in respect of these social engineering sites available is already a serious concern among users. Additionally for these all social engineering sites/applications whether accessible on a desktop or a mobile, we all are not so serious responding and interacting but that’s the difference when we see viz-a-viz LinkedIn. When it is LinkedIn…we are mostly serious…no jokes, no clips, no tagging, no personal comments, no WOWs…it’s all professional. And when most of us take it seriously, we also feed serious inputs on it. But do we take necessary precautions too?...I have mostly seen a negated curve amongst my friend circle….hardly anyone has spared time to configure LinkedIn Privacy and Security settings. In this post I bring you out basic and necessary configuration steps involved to harden your LinkedIn interface to the world.
Russia may be behind a long-standing, careful campaign designed to steal sensitive data relating to governments, militaries and security firms worldwide.This presentation based on a report made public by FireEye (report here)brings an over view of their opinion.....uploaded here just for general info to understand how its all happening in the dynamic and vibrant world of CYBER ..!!!!
An advanced piece of malware, known as ‘Regin’, has been used in systematic spying campaigns against a range of international targets including government agencies and businesses
since at least 2008 vide IT security firms Symantec and Kaspersky Lab
reports both released on 24th Nov 2014.This ppt brings you an overview
of the threat in brief.The piece of malware is unique in the sense that it's structure displays a degree of technical competence rarely seen.Stuxnet looks a decent past....with this complexity
This post brings out a brief over view of WireLurker,the first of a kind of malware family that has made the Apple to rot...never in the history of unquestionable iOS/Mac devices has such a thing been seen or heard...with such a severe beating...the ppt is based on a report made recently public by Palo Alto Networks®...
A new social Cyber threat is currently being exploited by criminals vide
using hotel Wi-Fi networks to hack the devices of business executives
with the hope of gaining access to a company's sensitive information.The
so-called "Dark Hotel" attack tricks hotel Wi-Fi users into downloading
malicious software that appears to be a legitimate software update
which actually is embedded with customised malware and trojan
droppers.....This ppt gives a brief over view of the report ex Kaspersky
Labs
This post will focus on determining the IP addresses range from the target network. Here I will explore the tools needed to achieve it.
Let's begin the process of determining the network range by opening a terminal window:
1. DMitry
(Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line
Application coded in C language.DMitry has the ability to gather as much information as
possible about a host. Base functionality is able to gather possible
subdomains, email addresses, uptime information, tcp port scan, whois lookups,
and more. The information are gathered with following methods:
·Perform an Internet Number whois lookup.
·Retrieve possible uptime data, system and server
data.
·Perform a SubDomain search on a target host.
·Perform an E-Mail address search on a target
host.
·Perform a TCP Portscan on the host target.
·A Modular program allowing user specified
modules
2. Open a new terminal window and issue the following command:
3. When finished, we should now have a text document on the desktop with filename dmitry-result.txt, filled with information gathered from the target:
4. To issue an ICMP netmask request, type the following command:
netmask -s targethost.com
5. Using scapy, we can issue a multiparallel traceroute. To start it, type the following command: scapy 6. Scapy is a powerful interactive packet manipulation program. It is able to forge
or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and
replies, and much more. It can easily handle most classical tasks like
scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace
hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).
It also performs
very well at a lot of other specific tasks that most other tools can't handle,
like sending invalid frames, injecting your own 802.11 frames,
combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on
WEP encrypted channel, ...), etc.Now with scapy started, we can now enter the following function:
ans,unans=sr(IP(dst="www.targethost.com/30", ttl=(1,6))/TCP()) 7. To exit scapy, type the following function:
1. Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment and is the world's most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools survey.Nessus allows scans for the following types of vulnerabilities:
- Vulnerabilities that allow a remote hacker to control or access sensitive data on a system.
- Misconfiguration (e.g. open mail relay, missing patches, etc.). - Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
- Denials of service against the TCP/IP stack by using mangled packets - Preparation for PCI DSS audits
2. This post brings you screenshots for installing Nessus in Kali Linux for home users that's the free edition I am using here :
Firstly after installing Nessus from the site,Obtain the activation code for Nessus by registering at
https://orcid.org/0000-0002-9097-2246
