Gray Matter Hacking

Some of the most problematic attacks on the Internet today are those that target people directly via the applications they use. These attacks circumvent the best encryption algorithms and authentication schemes by exploiting people's tendency to trust certain pieces of information. For example, if an attacker gets a person to trust the source of certain malicious software, or bogus passwords or encryption keys, the attacker can bypass even the most sophisticated security mechanisms. It can...

Detecting and Reacting to the Dumador Trojan

In recent years, malware authors have elevated the stakes in computer security. With a rich target environment provided primarily by unpatched Windows systems with broadband connectivity to the Internet, the damaging effects of malware designed specifically to gather financial and other personal data can be enormous. The Dumador trojan is malware that contains both a keylogger (for collecting and transmitting sensitive information typed on a keyboard back to an attacker), and a backdoor server...

Index

And DROP rule, 46 for SSH connections, 23 ACCEPT target, 12 access directive, for fwknop server, 242 ACK scan, 64 ack Snort rule option, 158, 159 acknowledgment values, inclusion in configuration settings, 138-139 FIN scan response, 141-142 maliciously spoofing scan, Nmap version scan, 141 SYN scan response, 139-140 UDP scan response, 140-141 integrating with third-party tools, 143-144 vs. intrusion detection, 131-133 psad vs. fwsnort, 198-199 trade-offs, 133-134 Address Resolution Protocol ARP...

Busting Metasploit Updates with fwsnort and psad

Armed with our new Snort rule, we can use fwsnort and psad to identify and stop the SSL sessions initiated by the svn update or msfupdate commands. NOTE: Our rule would not stop other methods of updating Metasploit such as using rsync over SSH against an external machine with a previously updated database, of course. In addition, we don't deploy fwsnort or psad responses that could interfere with basic DNS lookups or web requests to metasploit.com unless an SSL session is seen first. As...