Call for Papers: EuroSec 2010

Wednesday, November 25. 2009
admin
The next edition of the European Workshop on System Security (EuroSec 2010) will take place on the 13th of April, 2010, in Paris, France. Please find below the call for papers.

About EuroSec:
EuroSec is a new workshop associated with the Annual ACM SIGOPS EuroSys conference. The workshop aims to bring together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The focus of the workshop is on novel, practical, systems-oriented work.

Important dates:
  • Paper submission: February 7, 2010 (Hard deadline, no extensions), 5pm, PST
  • Acceptance notification: March 1, 2010
  • Final paper due: March 12, 2010
  • Workshop: April 13, 2010


GSoC'09: Glastopf

Friday, October 23. 2009
Here an announcement regarding the end of GSoC'09:

Web sites are hacked all the time. Web application, database, and cross-site scripting vulnerabilities expose a large attack surface that can be exploited to, among other things, deface the web site, send spam, turn the web site into a bot, and serve drive-by-download attacks. Glastopf is a low-interaction honeypot that emulates a vulnerable web server hosting many web pages and web applications with thousands of vulnerabilities. Glastopf is easy to set up, and once it has been indexed by search engines, attacks pour in by the thousands daily. Glastopf has been developed as part of the 2009 Google Summer of Code by student Lukas Rist (mentored by me). It can be downloaded from the Glastopf trac site at http://trac.glastopf.org/trac. More information on Glastopf can be found on the project site at http://glastopf.org/.

AV Tracker

Thursday, October 22. 2009
CWSandbox
A couple of days ago, the website "AV Tracker" went online, which publishes information about various automated analysis systems. The idea is that the attacker uploads a binary to an analysis system, waits for the sample to be executed, and then the binary phones home some information to a server under the control of the attacker. The collected information is then published at "AV Tracker", exposing details about the analysis systems. Besides the systems of some well-known AV companies, CWSandbox and Anubis were also affected.

We analyzed the binary and found that it sends a simple HTTP request in which all extracted information is encoded. An example of an analysis report generated by one of the samples is http://anubis.iseclab.org/?action=result&task_id=361b5a8ee7235954252b02d33b3a7d24. This can be defeated by blocking access to the reporting server or by regularly changing the IP addresses of the analysis systems, but in the end this will be some kind of arms race again.
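To make the egress-blocking countermeasure concrete, here is a small added example (not code from the AV Tracker sample, CWSandbox or Anubis) that audits HTTP requests captured from a sandbox's network tap: any request to a host outside the sandbox's egress allowlist is flagged for blocking, and a query string long enough to be carrying encoded details about the analysis environment is flagged as well. The allowlist, the threshold and the captured request lines are all constructed for the example.

```python
"""
Egress audit for HTTP requests captured from a malware-analysis sandbox.

Hypothetical example: requests to hosts outside the sandbox's egress
allowlist are flagged, as are requests whose query string is long enough
to be carrying encoded information about the analysis environment. The
allowlist, threshold and log lines below are constructed, not taken from
any real analysis system.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts the sandbox legitimately needs to
# reach (e.g. an internal update mirror). Everything else gets blocked.
ALLOWED_HOSTS = {"updates.sandbox.internal", "time.sandbox.internal"}

# Assumed threshold: query strings longer than this are treated as a
# possible encoded phone-home payload.
MAX_QUERY_LEN = 40

# Constructed sample of captured requests, one "METHOD URL" per line.
# The long 'info' value is an opaque blob standing in for encoded host details.
CAPTURED_REQUESTS = """\
GET http://updates.sandbox.internal/catalog.xml
GET http://203.0.113.10/r.php?id=9f1c2b3a&info=Q29tcHV0ZXJOYW1lPVNBTkRCT1gtMDE7VXNlcj1hZG1pbg==
POST http://time.sandbox.internal/sync
GET http://example.net/favicon.ico
"""


def parse_request(line):
    """Split a captured 'METHOD URL' line into (method, host, path, query)."""
    method, url = line.split(None, 1)
    parts = urlsplit(url.strip())
    return method, parts.hostname, parts.path, parts.query


def classify(line):
    """Return the reasons this request should be blocked; empty list if clean."""
    _method, host, _path, query = parse_request(line)
    reasons = []
    if host not in ALLOWED_HOSTS:
        reasons.append("host-not-allowlisted")
    if len(query) > MAX_QUERY_LEN:
        reasons.append("oversized-query")
    return reasons


def audit(log_text):
    """Map each captured URL that should be blocked to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            findings[line.split(None, 1)[1].strip()] = reasons
    return findings


if __name__ == "__main__":
    for url, reasons in audit(CAPTURED_REQUESTS).items():
        print(f"BLOCK {url}: {', '.join(reasons)}")
```

Run on the constructed capture, the audit flags the two requests to non-allowlisted hosts and additionally marks the one to 203.0.113.10 as carrying an oversized query. A default-deny egress policy built from the same allowlist stops the phone-home before it leaves the sandbox; the audit is what you run against captured traffic to find out which samples tried.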

Some other interesting information is also embedded in the binary. When extracting the strings from the sample, the following text becomes visible (some information is hidden by dots):
This is Peter Kl....... fuck ...... fuck the world fuck you all!
I was once working with ...... and was a white hat, now I am the worst mean motherfucker black hat and I am selling the source code of ...... .. :D
I am with the SinowalWhistler developers, funny days, aren't ;) and fuck ..... they don't have no idea :D bitches

A related article was also published today at http://www.viruslist.com/en/weblog under the title "A black hat loses control".

$645.00 ...

Thursday, September 10. 2009
... is the amount I am worth in the underground economy, at least according to Symantec's new website on which they advertise (in a somewhat entertaining way) Norton 2010 products. Here are the results when I take the risk assessment:
[...] In the underground economy, you're really worth about $645.00. And that's on a good day.
Your entire digital life could go on the auction block for as little as $10.96, whether you like it or not.

How they compute these numbers and on what methodology or measurements they are based remains completely unclear; after all, it is just some kind of marketing. But the movies are funny, and perhaps they can serve as some kind of security awareness campaign. The main drawback is that the website is almost completely built on top of Flash and JavaScript. How about not using all these technologies next time? In some recent measurements we found that the vast majority of web surfers still have an unpatched version of Flash installed, so better teach them to regularly update their system next time...

Server Move

Sunday, August 30. 2009
admin
During the weekend the blog moved to another server. I hope the transition is now complete and everything is still working as expected. If you observe broken links or similar glitches, please let me know at thorsten.holz [at] gmail.com.