Creating a Good Security Conference CFP Submission

So you’re interested in submitting a talk for a security conference? Awesome! Above all else, what keeps our industry moving forward is the free and open sharing of information. Submitting a talk can be a scary experience, and the process for how talks are evaluated can feel mysterious. So what’s the best way to create a good security conference CFP submission? It’s perhaps best to consider the questions that the review board will ask themselves as they review the submissions:

XOR is Not as Fancy as Malware Authors Think

FireEye recently posted some research about an attack leveraging the NetSupport Remote Access tool. The first stage of this attack uses a lot of obfuscation tricks to try to make reverse engineering more difficult. David Ledbetter and I were chatting about some of the lengths the malware authors went through to obfuscate the content. One of the major sources of complication is a complicated, iterative XOR: (Image credit FireEye) Unlike most malware that obfuscates content by XORing the content with a single byte / key, this malware appears to do something much more clever.

Part-of-Speech Tagging with PowerShell

When analyzing text, a common goal is to identify the parts of speech within that text – what parts are nouns? Adjectives? Verbs in their gerund form? This PowerShell module provides an excellent interface to Stanford’s speech tagger.

Automatic Word Clustering: K-Means Clustering for Words

K-Means clustering is a popular technique to find clusters of data based only on the data itself. This is most commonly applied to data that you can somehow describe as a series of numbers. When you can describe the data points as a series of numbers, K-Means clustering (Lloyd’s Algorithm) takes the following steps: Randomly pick a set of group representatives. Lloyd’s algorithm generally picks random coordinates, although sometimes picks specific random data points.

Easily Search for Vanity Ham Call Signs

When you first get your ham radio license, the FCC gives you a random call sign based on your location and roughly your date of application. The resulting call sign is usually pretty impersonal, but the FCC lets you apply for a “vanity” call sign for free. While the rules for these vanity call signs change depending on your license class (Technician, General, Extra), most of the good (shorter) vanity call signs that fall under the “extra” rules are taken.

Searching for Content in Base-64 Strings

You might have run into situations in the past where you’re looking for some specific text or binary sequence, but that content is encoded with Base-64. Base-64 is an incredibly common encoding format in malware, and all kinds of binary obfuscation tools alike. The basic idea behind Base-64 is that it takes arbitrary binary data and encodes it into 64 (naturally) ASCII characters that can be transmitted safely over any normal transmission channel.

TripleAgent: Even Zeroer-Tay Code Injection and Persistence Technique

Overview We’d like to introduce a new Zero-Tay technique for injecting code and maintaining persistency against common advanced attacker toolkits dubbed TripleAgent. We discovered this by ourselves in our very advanced labs, and are in the process of registering a new vanity domain as we speak. TripleAgent can exploit: Every toolkit version Every toolkit architecture (x86 and x64) Every toolkit user (RED / PURPLE / APT / NATION STATE / etc.

Adding a Let's Encrypt Certificate to an Azure-Hosted Website

If you host your website in Azure, you might be interested in adding SSL support via Let’s Encrypt. Azure doesn’t offer any functionality to automate this or make it easy, but thankfully there are plenty of useful tools in the PowerShell community to make this easy. ACMESharp - A PowerShell module to interact with Let’s Encrypt. Azure PowerShell - A set of PowerShell modules to interact with Azure. What’s been missing (until now!

Why is SeDebugPrivilege enabled in PowerShell?

We sometimes get the question: Why is the SeDebugPrivilege enabled by default in PowerShell? This is enabled by .NET when PowerShell uses the System.Diagnostics.Process class in .NET, which it does for many reasons. One example is the Get-Process cmdlet. Another example is the method it invokes to get the current process PID for the $pid variable. Any .NET application that uses the System.Diagnostics.Process class also enables this privilege. You can see the .

Detecting and Preventing PowerShell Downgrade Attacks

With the advent of PowerShell v5’s awesome new security features, old versions of PowerShell have all of the sudden become much more attractive for attackers and Red Teams. PowerShell Downgrade Attacks There are two ways to do this: Command Line Version Parameter The simplest technique is: PowerShell –Version 2 –Command <…> (or of course any of the –Version abbreviations). PowerShell.exe itself is just a simple native application that hosts the CLR, and the –Version switch tells PowerShell which version of the PowerShell assemblies to load.