Comments on TaoSecurity Blog: Managing and Monetizing Victims
Blog author: Richard Bejtlich (comment feed, last updated 2023-10-16)

dre, 2007-07-21 19:03:

"I'd like to hear how many of you predicted this would happen before the technique was reported by the Honeynet Project this month. Of those that say 'I knew,' did you know about it a year ago, when it was first detected by the Honeynet Project? And if you have known about it or predicted it, what did you or your security team do to detect and/or mitigate the attack?"

I first heard about the technique at DEF CON 12 (2004). No further comment.

Anonymous, 2007-07-21 18:22:

So I'm a little confused. How would this affect my business? Let's say I run a little blog, call it emergentchaos.com, and pretend I ran ads.

Why should I care if someone's botnet is running around doing this?

I see why botnet fighters care, but assuming I'm uninfected, and not being DoS'd, why does this impact my org?

Anonymous, 2007-07-20 16:35:

To Richard's point about preparedness, the Storm p2p botnet, as described in the Honeynet paper, is fairly easy to detect with NSM because the traffic is so irregular. Most p2p clients will connect to a handful of other nodes to get server lists, etc. Machines compromised by the Storm malware contact thousands of peers in a very short time and end up sticking out like a sore thumb on a monitored network.

Anonymous, 2007-07-19 20:27:

While it may seem like a new concept for commercial or open source 'hacking' tools, botnets, etc., this technique has been used for years in the underground hacking scenes. Attackers would use compromised systems as 'jump' points. They would also social engineer their way into a corporate system, or use a virus/worm that would connect back to an IRC channel and use those to increase their foothold into the corporate networks.

It is an old technique added to new technologies. It is definitely a concern as the attacks become ever increasing in sophistication and evasion, and as cyber crime becomes more organized.

I feel ransomware is still not getting the attention that it needs. I don't think corporations are taking it seriously enough. They still have the attitude that "it won't happen to me" and if and when it does happen, they usually don't report it.

Very good articles though!

dre, 2007-07-19 15:26:

Meterpreter's portfw functionality is referred to as pivoting. There are other names for it. CORE invented the term for their techniques in their syscall proxying backdoors, which ImmunitySec's MOS DEF is based on, which in turn Meterpreter is based on.

All three major exploitation engines include this ability, and I'm not even aware of other exploitation engines besides the two commercial and one open-source project.

There is a very robust implementation of pivoting called pivoting bouncer, or "pbounce": http://o0o.nu/~meder/index.php?pg=pbounce

The web application security equivalent of pivoting would be something like XSS proxy tunneling: http://ha.ckers.org/blog/20070710/xss-proxy-tunnelling/