March 8th, 2016
James Bettke and I wrote a tool to detect attempts to escalate privileges on a Windows Active Directory domain. We read a SANS blog post suggesting an easy way to inject honeytokens into the credential cache on Windows in a way that Mimikatz or other credential-scraping tools could find it. We wrapped the idea in a server/agent model and made some tweaks - foremost being rotating the credentials per machine per day, in order to give an incident response team a timeframe and context to work from upon being alerted of an attempt to use the honeytoken credentials.
The project is available on Github, check it out here.
August 9th, 2010
So rather than take my wrecked bike to the body shop to fix the dented gas tank and bent handlebars, I decided to fix it on my own, with nothing more than body filler, spray paint, new emblems and a lot of banging and bending. Not exactly a professional restoration job, but I don’t think it turned out so bad.
January 20th, 2010
With the recently disclosed hacking incident inside Google and other major companies, much of the world has begun to wake up to what the infosec community has known for some time – there is a persistent campaign of “espionage-by-malware” emanating from the People’s Republic of China (PRC). Corporate and state secrets both have been shanghaied over a period of five or more years, and the activity becomes bolder over time with little public acknowledgement or response from the U.S. government.
June 26th, 2009
Just finished a couple of back-to-back research pieces. First, a rundown on the C&C protocol encryption in the latest Virut, then a look at a new Firefox browser hijacker that carries out a clever scheme to defraud Google’s Adsense for Search program.
Also, I’m now posting my new research to Twitter as soon as it is available for public consumption. Follow joestewart71 to get these links as soon as they are posted.
May 22nd, 2009
On April 1, 2009, while the rest of the cybersecurity world was largely focused on the Conficker worm, Senators John (Jay) Rockefeller and Olympia Snowe introduced the Cybersecurity Act of 2009. Since the hype over Conficker has died down now, I’ve had a chance to review the text of this somewhat controversial bill and add my two cents to the discussion. There are 23 sections to the bill, a few of which have raised some alarm in the infosec community.
May 21st, 2009
Last Wednesday, just after leaving work, a minivan travelling in the opposite direction turned left in front of me. The short stopping distance required, compounded with being on a curve at the time equalled me skidding sideways, tipping over and landing on the pavement. No broken bones, just some road rash, a sprained foot and ankle, and a nasty-looking bruise on my inner thigh that looks strangely like the Kawasaki logo in reverse.
Although I don’t believe in mandatory helmet laws, I wear mine pretty much all the time - also my motorcycle boots and gloves. Together, these left me a lot better off than I would have been without them.
April 17th, 2009
The 2009 RSA conference kicks off next week in San Francisco. It looks like a busy week for me - I’ll be presenting first on Tuesday, April 21st at the SecureWorks booth on the showfloor at 1:00 PM PDT. This will be a “Conficker Q&A” session. I’ll be answering questions with the knowledge I’ve gained from reverse-engineering Conficker and also from my participation in the Conficker Working Group. So, if you have any burning questions about the threat posed by the Conficker worm, drop by the booth at that time and I’ll try to answer them.
April 2nd, 2009
March 27th, 2009
If you’ve been reading any news at all on the Internet in the past week, you’ve probably heard that Conficker Armageddon is approaching, and it’s scheduled for April 1st, only a few days from now. The SecureWorks Counter Threat Unit has been receiving an increasing number of inquiries asking what one needs to do to prepare for the impending April 1st outbreak.
The truth is, there will be no April 1st outbreak, despite what some of the press stories have said so far. The only thing that will happen with Conficker on April 1st is that already-infected systems will begin to use a new algorithm to locate potential update servers. There, that’s not so scary, is it?
March 12th, 2009
Earlier this week, reports began to circulate in the media about Chinese hackers selling $200 USD iTunes gift cards online for 17.90 RMB (about $2.60 USD). It was explained that these hackers were able to acheive the remarkable feat of cracking Apple’s algorithm for generating the gift voucher codes, and were thus able to generate as many cards as they liked, all of which would be redeemable in the iTunes store.