Archive for the ‘security research’ Category

ToorCon 2008

Wednesday, October 1st, 2008

ToorCon 2008 San Diego

Websense Security Labs @ ToorCon San Diego.

The team wearing the standard uniform at hacker conferences: BLACK

http://securitylabs.websense.com/content/Blogs/3196.aspx

JavaScripherTution in{j|f}ection

Monday, June 16th, 2008

This is a cross-post from my company's blog that I posted today.

The injection of malicious <script src="malicious.js"> JavaScript tags on a massive scale into everyday popular and reputable Web sites, commonly visited by the casual surfer at home (and at work), has been the trend. Today, as my team and I here at Security Labs made our routine rounds around the block to spy on what the bad guys are up to next, we discovered a somewhat weak but interesting piece of malicious code, whose techniques date back to the early days of encryption – the substitution cipher.

Wikipedia has a good introduction on this topic:

In cryptography, a substitution cipher is a method of encryption by which units of plaintext are substituted with ciphertext according to a regular system; the “units” may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing an inverse substitution.

Doing a character-for-character substitution, using a keyword of “MALCODE”, we get:

Plaintext:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext: MALCODEHIJKFBNGPQRSTUVWXYZ

Using that mapping, we can encrypt a message from a hypothetical botnet master to his/her herd of bots from this:

LAUNCH THE DDOS ATTACK NOW

to this:

FMUNLH THO CCGS MTTMLK NGW

It’s a very trivial algorithm, and extremely weak in terms of the protection it provides (by today’s standards), but it is definitely good enough to conceal the true message from casual prying eyes. This was certainly as good as bulletproof during the days of Julius Caesar (wow, we’ve come a long way!).
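As an added example, not code from the original post or from Websense, here is the scheme above implemented in JavaScript, the language the injected scripts themselves would be written in. It uses the post's ciphertext alphabet verbatim, performs the forward and inverse substitution that reproduces the botnet message shown above, builds the textbook keyword-fill alphabet for comparison (that construction yields MALCODEBFGHIJKNPQRSTUVWXYZ, not the table printed in the post), and runs a known-plaintext recovery that shows why the scheme is weak: a single intercepted message pair leaks every letter it uses. The sample message is the one from the post; the function names are my own.

```javascript
// Added example (not from the original post): the monoalphabetic substitution
// described above, implemented the way the injected JavaScript would need to.
const PLAIN = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

// The exact ciphertext alphabet printed in the post.
const POST_CIPHER = "MALCODEHIJKFBNGPQRSTUVWXYZ";

// Build a mapping table from one alphabet to another; the target must be a
// permutation so that the mapping is invertible.
function makeTable(from, to) {
  if (from.length !== to.length || new Set(to).size !== to.length) {
    throw new Error("alphabets must be the same length and 'to' must be a permutation");
  }
  const table = new Map();
  for (let i = 0; i < from.length; i++) table.set(from[i], to[i]);
  return table;
}

// Apply a table character by character; characters not in the table
// (spaces, digits, punctuation) pass through unchanged, as in the post.
function substitute(text, table) {
  let out = "";
  for (const ch of text) out += table.has(ch) ? table.get(ch) : ch;
  return out;
}

function encrypt(plaintext, cipherAlphabet) {
  return substitute(plaintext.toUpperCase(), makeTable(PLAIN, cipherAlphabet));
}

// Decryption is the inverse substitution: swap the two alphabets.
function decrypt(ciphertext, cipherAlphabet) {
  return substitute(ciphertext, makeTable(cipherAlphabet, PLAIN));
}

// Textbook keyword construction (my assumption of what "keyword" usually means;
// the post's table deviates from it): the keyword's letters first, duplicates
// dropped, then the unused letters of the alphabet in order.
function keywordAlphabet(keyword) {
  const seen = new Set();
  let alphabet = "";
  for (const ch of keyword.toUpperCase() + PLAIN) {
    if (/[A-Z]/.test(ch) && !seen.has(ch)) {
      seen.add(ch);
      alphabet += ch;
    }
  }
  return alphabet;
}

// Known-plaintext attack: one intercepted (plaintext, ciphertext) pair leaks
// every mapping it exercises. This is why the scheme only defeats casual eyes.
function recoverMapping(plaintext, ciphertext) {
  if (plaintext.length !== ciphertext.length) throw new Error("length mismatch");
  const recovered = {};
  for (let i = 0; i < plaintext.length; i++) {
    const p = plaintext[i], c = ciphertext[i];
    if (!/[A-Z]/.test(p)) continue;
    if (recovered[p] !== undefined && recovered[p] !== c) {
      throw new Error(`inconsistent mapping for ${p}`);
    }
    recovered[p] = c;
  }
  return recovered;
}

// Worked values from the post (constructed sample input).
const message = "LAUNCH THE DDOS ATTACK NOW";
const wire = encrypt(message, POST_CIPHER);   // "FMUNLH THO CCGS MTTMLK NGW"
console.log(wire);
console.log(decrypt(wire, POST_CIPHER));      // back to "LAUNCH THE DDOS ATTACK NOW"
console.log(keywordAlphabet("MALCODE"));      // "MALCODEBFGHIJKNPQRSTUVWXYZ"
console.log(Object.keys(recoverMapping(message, wire)).length, "of 26 letters leaked");
```

The recovery step is the practical point for anyone de-obfuscating injected scripts: because the table has to travel with the payload (or be inferable from a single decoded sample), the "encryption" adds no secrecy against an analyst, only against a casual reader or a naive signature.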

Volatile memory hack circumvents filesystem encryption!

Thursday, February 21st, 2008

This is pretty darn cool. I never thought of immediately taking RAM out and freezing it. The fading picture of the graphic as the capacitors lose their charge is also pretty cool. You read the theory of why RAM is volatile memory, but you don’t actually get to see it in action (or at least, I didn’t!).

Coverage from news.com

Google IE toolbar 404 “hijacking”

Thursday, February 14th, 2008

Here is what I did for Valentine’s day at work.

Happy Valentine’s, and don’t let the Google IE toolbar 404 hijackers bite :)

WSL: Parking Page Poker Face

Friday, January 25th, 2008

Yeah, so I’ve been busy and haven’t posted for a while here. But today, I posted a blog for work, so I’m cross-posting it here. Read: recycling information because I am lazy. That’s right, I’ve said it.

What’s in a domain parking?

Wikipedia defines this practice as “an advertising practice used primarily by domain name registrars and internet advertising publishers to monetize type-in traffic visiting an under-developed domain name. The domain name will usually resolve to a page containing relevant advertising listings and links. These links will be targeted to the predicted interests of the visitor and may change dynamically based on the results that visitors click on.”

Or, in plain language: random marketing material that is pointless for most people. Typically, our readers immediately navigate away from such pages upon landing on them by accident.

Continue here.