Security-Portal.cz je internetový portál zaměřený na počítačovou bezpečnost, hacking, anonymitu, počítačové sítě, programování, šifrování, exploity, Linux a BSD systémy. Provozuje spoustu zajímavých služeb a podporuje příznivce v zajímavých projektech.

Kategorie

Top 5 Free Learning Resources for Cyber-Security Beginners [Updated 2019]

InfoSec Institute Resources - 19 Únor, 2019 - 15:33

Today, the obligation of strong cyber-security measures is self-evident. A large number of cyber-attacks are causing escalating damage to companies, governments, and individuals. Yahoo’s disclosure of a massive breach is still making headlines. Organizations need to respond to this increased threat by adopting strict cyber-security measures. To overcome this devastating gap in cyber-security skills in […]

The post Top 5 Free Learning Resources for Cyber-Security Beginners [Updated 2019] appeared first on InfoSec Resources.

Top 5 Free Learning Resources for Cyber-Security Beginners [Updated 2019] was first posted on February 19, 2019 at 8:33 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
Kategorie: Hacking & Security

Máte Windows 7? Zapněte si automatické aktualizace, nebo vám od léta nedorazí ani jedna záplata

Zive.cz - bezpečnost - 19 Únor, 2019 - 15:18
Bezpečnostní technologie SHA-1 je už nějaký pátek přežitá a opouštějí ji i velké firmy. V červenci se s ní definitivně rozloučí také Microsoft. Majitele Windows 10 to trápit nemusí, pokud však váš počítač pohání muzejní exponát typu Windows 7, určitě zapněte automatickou instalaci ...
Kategorie: Hacking & Security

Detecting Web Attacks with a Seq2Seq Autoencoder

Positive Research Center - 19 Únor, 2019 - 15:13

Attack detection has been a part of information security for decades. The first known intrusion detection system (IDS) implementations date back to the early 1980s.

Nowadays, an entire attack detection industry exists. There are a number of kinds of products—such as IDS, IPS, WAF, and firewall solutions—most of which offer rule-based attack detection. The idea of using some kind of statistical anomaly detection to identify attacks in production doesn’t seem as realistic as it used to. But is that assumption justified?

DETECTION OF ANOMALIES IN WEB APPLICATIONS
The first firewalls tailored to detect web application attacks appeared on the market in the early 1990s. Both attack techniques and protection mechanisms have evolved dramatically since then, with attackers racing to get one step ahead.

Most current web application firewalls (WAFs) attempt to detect attacks in a similar fashion, with a rule-based engine embedded in a reverse proxy of some type. The most prominent example is mod_security, a WAF module for the Apache web server, which was created in 2002. Rule-based detection has some disadvantages: for instance, it fails to detect novel attacks (zero-days), even though these same attacks might easily be detected by a human expert. This fact is not surprising, since the human brain works very differently than a set of regular expressions.

From the perspective of a WAF, attacks can be divided into sequentially-based ones (time series) and those consisting of a single HTTP request or response. Our research focused on detecting the latter type of attacks, which include:

  • SQL Injection 
  • Cross-Site Scripting
  • XML External Entity Injection 
  • Path Traversal
  • OS Commanding 
  • Object Injection 

But first let’s ask ourselves: how would a human do it?

WHAT WOULD A HUMAN DO WHEN SEEING A SINGLE REQUEST?
Take a look at a sample regular HTTP request to some application:


If you had to detect malicious requests sent to an application, most likely you would want to observe benign requests for a while. After looking at requests for a number of application execution endpoints, you would have a general idea of how safe requests are structured and what they contain.

Now you are presented with the following request:


You immediately intuit that something is wrong. It takes some more time to understand what exactly, and as soon as you locate the exact piece of the request that is anomalous, you can start thinking about what type of attack it is. Essentially, our goal is to make our attack detection AI approach the problem in a way that resembles this human reasoning.

Complicating our task is that some traffic, even though it may seem malicious at first sight, might actually be normal for a particular website.

For instance, let’s look at the following request:


Is it an anomaly? Actually, this request is benign: it is a typical request related to bug publication on the Jira bug tracker.

Now let’s take a look at another case:


At first the request looks like typical user signup on a website powered by the Joomla CMS. However, the requested operation is “user.register” instead of the normal “registration.register”. The former option is deprecated and contains a vulnerability allowing anybody to sign up as an administrator.

This exploit is known as “Joomla < 3.6.4 Account Creation / Privilege Escalation” (CVE-2016-8869, CVE-2016-8870).


HOW WE STARTED
We first took a look at previous research, since many attempts to create different statistical or machine learning algorithms to detect attacks have been made throughout the decades. One of the most frequent approaches is to solve the task of assignment to a class (“benign request,” “SQL Injection,” “XSS,” “CSRF,” and so forth). While one may achieve decent accuracy with classification for a given dataset, this approach fails to solve some very important problems:

  1. The choice of class set. What if your model during learning is presented with three classes (“benign,“ “SQLi,” “XSS”) but in production it encounters a CSRF attack or even a brand-new attack technique?
  2. The meaning of these classes. Suppose you need to protect 10 customers, each of them running completely different web applications. For most of them, you would have no idea what a single “SQL Injection” attack against their application really looks like. This means you would have to somehow artificially construct your learning datasets—which is a bad idea, because you will end up learning from data with a completely different distribution than your real data.
  3. Interpretability of the results of your model. Great, so the model came up with the “SQL Injection” label—now what? You and most importantly your customer, who is the first one to see the alert and typically is not an expert in web attacks, have to guess which part of the request the model considers malicious.

Keeping that in mind, we decided to give classification a try anyway.

Since the HTTP protocol is text-based, it was obvious that we had to take a look at modern text classifiers. One of the well-known examples is sentiment analysis of the IMDB movie review dataset. Some solutions use recurrent neural networks (RNNs) to classify these reviews. We decided to use a similar RNN classification model with some slight differences. For instance, natural language classification RNNs use word embeddings, but it is not clear what words there are in a non-natural language like HTTP. That’s why we decided to use character embeddings in our model.

Ready-made embeddings are irrelevant for solving the problem, which is why we used simple mappings of characters to numeric codes with several internal markers such as GO and EOS
After we finished development and testing of the model, all the problems predicted earlier came to pass, but at least our team had moved from idle musing to something productive.

HOW WE PROCEEDED
From there, we decided to try making the results of our model more interpretable. At some point we came across the mechanism of “attention” and started to integrate it into our model. And that yielded some promising results: finally, everything came together and we got some human-interpretable results. Now our model started to output not only the labels but also the attention coefficients for every character of the input.

If that could be visualized, say, in a web interface, we could color the exact place where a “SQL Injection” attack has been found. That was a promising result, but the other problems still remained unsolved.

We began to see that we could benefit by going in the direction of the attention mechanism, and away from classification. After reading a lot of related research (for instance, “Attention is all you need,” Word2Vec, and encoder–decoder architectures) on sequence models and by experimenting with our data, we were able to create an anomaly detection model that would work in more or less the same way as a human expert.

AUTOENCODERS
At some point it became clear that a sequence-to-sequence autoencoder fit our purpose best.
A sequence-to-sequence model consists of two multilayered long short-term memory (LSTM) models: an encoder and a decoder. The encoder maps the input sequence to a vector of fixed dimensionality. The decoder decodes the target vector using this output of the encoder.

So an autoencoder is a sequence-to-sequence model that sets its target values equal to its input values. The idea is to teach the network to re-create things it has seen, or, in other words, approximate an identity function. If the trained autoencoder is given an anomalous sample it is likely to re-create it with a high degree of error because of never having seen such a sample previously.



THE CODE
Our solution is made up of several parts: model initialization, training, prediction, and validation.
Most of the code located in the repository is self-explanatory, we will focus on important parts only.

The model is initialized as an instance of the Seq2Seq class, which has the following constructor arguments:


After that, the autoencoder layers are initialized. First, the encoder:


And then the decoder:


Since we are trying to solve anomaly detection, the targets and inputs are the same. Thus our feed_dict looks as follows:


After each epoch the best model is saved as a checkpoint, which can be later loaded to do predictions. For testing purposes a live web application was set up and protected by the model so that it was possible to test if real attacks were successful or not.

Being inspired by the attention mechanism, we tried to apply it to the autoencoder but noticed that probabilities output from the last layer works better at marking the anomalous parts of a request.


At the testing stage with our samples we got very good results: precision and recall were close to 0.99. And the ROC curve was around 1. Definitely a nice sight!


THE RESULTS
Our described Seq2Seq autoencoder model proved to be able to detect anomalies in HTTP requests with high accuracy.


This model acts like a human does: it learns only the “normal” user requests sent to a web application. It detects anomalies in requests and highlights the exact place in the request considered anomalous. We evaluated this model against attacks on the test application and the results appear promising. For instance, the previous screenshot depicts how our model detected SQL injection split across two web form parameters. Such SQL injections are fragmented, since the attack payload is delivered in several HTTP parameters. Classic rule-based WAFs do poorly at detecting fragmented SQL injection attempts because they usually inspect each parameter on its own.

The code of the model and the train/test data have been released as a Jupyter notebook so anyone can reproduce our results and suggest improvements.

Conclusion
We believe our task was quite non-trivial: to come up with a way of detecting attacks with minimal effort. On the one hand, we sought to avoid overcomplicating the solution and create a way of detecting attacks that, as if by magic, learns to decide by itself what is good and what is bad. At the same time, we wanted to avoid problems with the human factor when a (fallible) expert is deciding what indicates an attack and what does not. And so overall the autoencoder with Seq2Seq architecture seems to solve our problem of detecting anomalies quite well.

We also wanted to solve the problem of data interpretability. When using complex neural network architectures, it is very difficult to explain a particular result. When a whole series of transformations is applied, identifying the most important data behind a decision becomes nearly impossible. However, after rethinking the approach to data interpretation by the model, we were able to get probabilities for each character from the last layer.

It's important to note this approach is not a production-ready version. We cannot disclose the details of how this approach might be implemented in a real product. But we will warn you that it's not possible to simply take this work and "plug it in." We make this caveat because after publishing on GitHub, we began to see some users who attempted to simply implement our current solution wholesale in their own projects, with unsuccessful (and unsurprising) results.

Proof of concept is available here (github.com).

Authors: Alexandra Murzina, Irina Stepanyuk (GitHub), Fedor Sakharov (GitHub), Arseny Reutov (@Raz0r)

Further reading
  1. [Understanding LSTM networks
  2. [Attention and Augmented Recurrent Neural Networks]
  3. 

[Attention is all you need
  4. 
[Attention is all you need (annotated)
  5. 
[Neural Machine Translation (seq2seq) Tutorial]
  6. 
[Autoencoders]
  7. [Sequence to Sequence Learning with Neural Networks]
  8. 
[Building autoencoders in Keras]


CERT-CSIH Domain #4: Respond

InfoSec Institute Resources - 19 Únor, 2019 - 15:00

Introduction “Respond” is the name of the fourth domain of the CERT-CSIH certification exam. This domain constitutes 40% to the overall percentage of the exam, by far the largest percentage of the exam of any domain. As the name implies, the Respond phase is applied as soon as the Triage and Analysis phase, the third […]

The post CERT-CSIH Domain #4: Respond appeared first on InfoSec Resources.

CERT-CSIH Domain #4: Respond was first posted on February 19, 2019 at 8:00 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
Kategorie: Hacking & Security

Learn How XDR Can Take Breach Protection Beyond Endpoint Security

The Hacker News - 19 Únor, 2019 - 14:46
How do you know whether an attacker has infiltrated your network? Can you really rely on an Endpoint Detection and Response (EDR) solution to be your go-to technology for identifying security breaches? Endpoint detection and response (EDR) platform has been an important technology to detect cybersecurity incidents, but it provides only the view of endpoints, just a portion of the big picture.
Kategorie: Hacking & Security

Millions of “private” medical helpline calls exposed on internet

Sophos Naked Security - 19 Únor, 2019 - 14:45
Ever wondered what happens to helpline calls recorded "to ensure you get the service you deserve"? It can all go terribly wrong...

Thousands of Android apps bypass Advertising ID to track users

Sophos Naked Security - 19 Únor, 2019 - 14:23
Six years after it was introduced, it looks as if Android’s Advertising ID (AAID) might no longer be the privacy forcefield Google claimed it would be.

If you think your deleted Twitter DMs are sliding into the trash, you’re wrong

Sophos Naked Security - 19 Únor, 2019 - 12:53
They're never deleted, just erased from the UI. You can still see archived messages if you download your data.

Facebook acts like a law-breaking ‘digital gangster’, says official report

Sophos Naked Security - 19 Únor, 2019 - 12:47
Facebook considers itself to be “ahead of and beyond the law,” UK lawmakers said in a report about "disinformation and 'fake news.'"

Fake text generator is so good its creators don’t want to release full version

Sophos Naked Security - 19 Únor, 2019 - 12:39
OpenAI has created what amounts to a text version of a deepfake - and it’s too scared for humanity to release the full version.

ATM robber WinPot: a slot machine instead of cutlets

Kaspersky Securelist - 19 Únor, 2019 - 12:00

Automation of all kinds is there to help people with their routine work, make it faster and simpler. Although ATM fraud is a very peculiar sort of work, some cybercriminals spend a lot of effort to automate it. In March 2018, we came across a fairly simple but effective piece of malware named WinPot. It was created to make ATMs by a popular ATM vendor to automatically dispense all cash from their most valuable cassettes. We called it ATMPot.

Example of WinPot interface – dispensing in action

The criminals had clearly spent some time on the interface to make it look like that of a slot machine. Likely as a reference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs. In the WinPot case, each cassette has a reel of its own numbered 1 to 4 (4 is the max number of cash-out cassettes in an ATM) and a button labeled SPIN. As soon as you press the SPIN button (in our case it is greyed out because we are actually dispensing cash), the ATM starts dispensing cash from the corresponding cassette. Down from the SPIN button there is information about the cassette (bank note value and the number of bank notes in the cassette). The SCAN button rescans the ATM and updates the numbers under the SLOT button, while the STOP button stops the dispensing in progress.

We found WinPot to be an amusing and interesting ATM malware family, so we decided to keep a close eye on it.

Over the course of time, new samples popped up, each one with minor modifications. For example, a changed packer (like Yoda and UPX) or updated time period during which the malware was programmed to work (e.g, during March). If system time does not fall in with the preset period, WinPot silently stops operating without showing its interface.

The number of samples we had found was also reflected in the European Fraud Update published in the summer of 2018. It has a few lines about WinPot:

“ATM malware and logical security attacks were reported by nine countries. Five of the countries reported ATM related malware. In addition to Cutlet Maker (used for ATM cash-out) a new variant called WinPot has been reported…”

Same as Cutler Maker, WinPot is available on the (Dark)net for approximately 500 – 1000 USD depending on offer.

One of the sellers offers WinPot v.3 together with a demo video depicting the “new” malware version along with a still unidentified program with the caption “ShowMeMoney”. Its looks and mechanics seem quite similar to those of the Stimulator from the CutletMaker story.

Unidentified Stimulator-like sample from demo video

Winpot v3 sample from demo video

Due to the nature of ATM cash-out malware, its core functionality won’t change much. But criminals do encounter problems, so they invent modifications:

  • To trick the ATM security systems (using protectors or other ways to make each new sample unique);
  • To overcome potential ATM limitations (like maximum notes per dispense);
  • To find ways to keep the money mules from abusing their malware;
  • To improve the interface and error-handling routines.

We thus expect to see more modifications of the existing ATM malware. The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it. The former will block the USB path of implanting the malware directly into the ATM PC, while the latter will prevent execution of unauthorized software on it. Kaspersky Embedded Systems Security will further help to improve the security level of the ATMs.

Kaspersky Lab products detect WinPot and its modifications as Backdoor.Win32.ATMPot.gen

Sample MD5:
821e593e80c598883433da88a5431e9d

LPG Gas Company Leaked Details, Aadhaar Numbers of 6.7 Million Indian Customers

The Hacker News - 19 Únor, 2019 - 11:10
Why would someone bother to hack a so-called "ultra-secure encrypted database that is being protected behind 13 feet high and 5 feet thick walls," when one can simply fetch a copy of the same data from other sources. French security researcher Baptiste Robert, who goes by the pseudonym "Elliot Alderson" on Twitter, with the help of an Indian researcher, who wants to remain anonymous,
Kategorie: Hacking & Security

Nebezpečná aplikace útočí na klienty českých bank

Novinky.cz - bezpečnost - 19 Únor, 2019 - 10:27
Další nebezpečnou aplikaci, která cílí na klienty tuzemských bank, objevili bezpečnostní experti z antivirové společnosti Eset. Stejný škodlivý kód byl přitom zachycen také v zahraničí, nicméně u českých uživatelů byl počet detekcí nejvyšší.
Kategorie: Hacking & Security

Microsoft zalepil díru v Internet Exploreru – umožnila útočníkům zjišťovat přítomnost souborů

Zive.cz - bezpečnost - 19 Únor, 2019 - 07:00
Nedávná aktualizace zabezpečení, vydaná Microsoftem minulý týden, řešila zranitelnost webového prohlížeče Internet Explorer. Možná poněkud paradoxně tuto bezpečnostní díru odhalili odborníci z Google Threat Analysis Group. Redmondský gigant popsal tuto chybu v oficiální dokumentaci jako ...
Kategorie: Hacking & Security

When Cyberattacks Pack a Physical Punch

Threatpost - 18 Únor, 2019 - 22:26
Physical security goes hand in hand with cyberdefense. What happens when – as we see all too often – the physical side is overlooked?
Kategorie: Hacking & Security

Over 92 Million New Accounts Up for Sale from More Unreported Breaches

The Hacker News - 18 Únor, 2019 - 20:40
All these numbers…. "More than 5 billion records from 6,500 data breaches were exposed in 2018" — a report from Risk Based Security says. "More than 59,000 data breaches have been reported across the European since the GDPR came into force in 2018" — a report from DLA Piper says. …came from data breaches that were reported to the public, but in reality, more than half of all data breaches
Kategorie: Hacking & Security

Kali Linux 2019.1 Released — Operating System For Hackers

The Hacker News - 18 Únor, 2019 - 20:29
Wohooo! Great news for hackers and penetration testers. Offensive Security has just released Kali Linux 2019.1, the first 2019 version of its Swiss army knife for cybersecurity professionals. The latest version of Kali Linux operating system includes kernel up to version 4.19.13 and patches for numerous bugs, along with many updated software, like Metasploit, theHarvester, DBeaver, and more.
Kategorie: Hacking & Security

Webinar: How to Become a Certified Ethical Hacker (CEH)

InfoSec Institute Resources - 18 Únor, 2019 - 17:40



The post Webinar: How to Become a Certified Ethical Hacker (CEH) appeared first on InfoSec Resources.

Webinar: How to Become a Certified Ethical Hacker (CEH) was first posted on February 18, 2019 at 10:40 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
Kategorie: Hacking & Security

Changes to CompTIA’s A+ Exam (220-901 and 220-902 / 220-1001 and 220-1002)

InfoSec Institute Resources - 18 Únor, 2019 - 16:02

Introduction CompTIA’s A+ is an entry-level certification that’s considered one of the best certifications for those pursuing a career in IT tech support and field operations and was named one of 10 best entry-level certs by CIO magazine. As a vendor-neutral credential, it covers a broad range of IT skills, from hardware and networking to […]

The post Changes to CompTIA’s A+ Exam (220-901 and 220-902 / 220-1001 and 220-1002) appeared first on InfoSec Resources.

Changes to CompTIA’s A+ Exam (220-901 and 220-902 / 220-1001 and 220-1002) was first posted on February 18, 2019 at 9:02 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
Kategorie: Hacking & Security

Microsoft MCSE Exam Review

InfoSec Institute Resources - 18 Únor, 2019 - 16:00

Introduction The MCSE has always been one of the most highly regarded certs in the IT Industry. It is also one of the longest ones as well. Its first focus was on the concepts and implementation of various network infrastructure topologies. Although any IT professional with some experience in this area could appear for the […]

The post Microsoft MCSE Exam Review appeared first on InfoSec Resources.

Microsoft MCSE Exam Review was first posted on February 18, 2019 at 9:00 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
Kategorie: Hacking & Security
Syndikovat obsah