07 Dec 2016

feedPlanet Grep

Frank Goossens: WordPress 4.7 custom background image bug & workaround

Gotta love Sarah, but there's a small bug in "Vaughan" (WordPress 4.7) that breaks part of the CSS when Autoptimized. If you have a theme that supports custom backgrounds (e.g. TwentySixteen) and you set that custom background in the Customizer, the URL ends up escaped (well, they wp_json_encode() it actually) like this:

body{background-image: url("http:\/\/localhost\/wordpress\/wp-content\/uploads\/layerslider\/Full-width-demo-slider\/left.png");}

This results in the Autoptimized CSS for the background-image being broken, because the escaped string is no longer recognized as a URL. The bug has been confirmed already and the fix should land in WordPress 4.7.1.

If you're impacted and can't wait for 4.7.1 to be released, there are 2 workarounds:
1. simple: disable the "Aggregate inline CSS" option
2. geeky: use this code snippet to fix the URL before AO has a chance to misinterpret it:

add_filter('autoptimize_filter_html_before_minify', 'fix_encoded_urls');

// Un-escape JSON-encoded URLs ("http:\/\/...") in the custom-background
// inline CSS before Autoptimize gets to see them.
function fix_encoded_urls($htmlIn) {
        // Only bother when the page actually carries the custom-background rule.
        if ( strpos($htmlIn, "body.custom-background") !== false ) {
                // Capture the URL between the quotes; [^"']* stops at the closing
                // quote instead of greedily swallowing the rest of the line.
                preg_match_all("#background-image:\s*url\(?[\"']((?:https?)?:\\\/\\\/[^\"']*)[\"']\)?#i", $htmlIn, $badUrls);
                // preg_match_all() always fills $badUrls, so test the capture group, not the array.
                if ( !empty($badUrls[1]) ) {
                        foreach ($badUrls[1] as $badUrl) {
                                // stripslashes() turns "\/" back into "/".
                                $htmlIn = str_replace($badUrl, stripslashes($badUrl), $htmlIn);
                        }
                }
        }
        return $htmlIn;
}


07 Dec 2016 3:46pm GMT

06 Dec 2016


Lionel Dricot: Printeurs 42


This is post 42 of 42 in the Printeurs series

In parallel to the adventures of Nellio, Eva and the others, a strange character goes on with his life: former worker 689.

I can't get over it. I can't believe my eyes. I was sure I had killed him. Yet today, the younger one came back.

For cycles and cycles of sleep I have been cloistered in a comfortable apartment. The older one explained to me that it was to protect me. As a worker, I am a key witness in the trial he wants to bring. Against whom? I'm not sure I understand… The system, the rich, the powerful, the foremen. No matter, my power works all the better when it is confronted with a naive, blissful idealism.

From time to time, the older one comes to visit me in order to question me, to paint a picture of life in the factory. Given his reactions to my initial revelations, I preferred not to tell everything. He might not believe me.

But when the door opened today, I nearly fainted with surprise. The younger one was there, smiling, completely impervious to my power. He said he was amnesiac and I managed to hide my distress, to pretend I didn't know him.

Does this world obey other laws? Are death and pain not the ultimate weapons I thought I had mastered? For the first time, doubt takes hold of me, overwhelms me. My power is fading. I am trembling!

Yet everything had been running like clockwork. The older one was well and truly convinced that the younger one had fallen from the balloon by accident. Once the younger one was gone, the older one proved far more vulnerable to my power. Or so I believed…

I miss the foremen, who were so easy to manipulate, I…

612 stands in front of me. He smiles blissfully and covers me with his soothing gaze. Lowering my eyes, I see that I am a child. Mechanically, my thumb has found its way into my mouth.

- Life is full of mystery. It does not stop at the workshop and the foremen. One day, one of you will discover it. One day, he will unravel the mysteries of life and set us free…

I scream, I hurl myself at 612, bellowing. With a dull crack, my adult body crashes against the walls of the apartment. The pain wakes me, reassures me. O you, my old friend, my faithful companion, the one who will accompany me until death and beyond, the one who will make me fight, who will wake me, o you, pain…

612's skull bursts all around me. Blood streams down the walls, sticky shreds of brain drip from the ceiling and, everywhere, 612's face floats, murmuring:
- You are noble!

At my feet, the floor is strewn with the corpses of the workers I knew. I recognize every face, every number. The bodies decompose, the smell grabs me by the throat and, suddenly, each dead body gives birth, in an explosion of pus and putrid flesh, to a bloody, screaming baby. Turning their heads towards me, the babies start to crawl. In their little hands they hold the toys, the electronic devices, the tools I made. They devour them before crawling on and touching, one by one, every object in the apartment.

One of the babies, half man, half fetus, strokes the curtain, which immediately becomes soaked with blood. Another grabs the entertainment tablet, which decomposes into putrefied flesh. The most frightening one suddenly begins to float up to the ceiling before swallowing the smart bulb, which turns into millions of buzzing flies.

The clothes I am wearing begin to scream, to shine with long flashes of pain.

Bent double, I start to vomit under the sordid sniggering of the babies, whose faces become covered with wrinkles and a white beard.

How long did I stay in a coma, lying in the middle of the room? Hours? Days?

When I woke up, everything seemed dreadfully normal. But, in the pit of my stomach, I felt a new, distressing emotion. A fear that is not physical. My life is not in danger, I do not have to defend myself and yet I am afraid, I am trembling. I want to forget! What if the older one decided to send me back to the factory? I have failed in my mission! I will probably be demoted to the bottom of the ladder, I will become once more the worker I have always been.

Knees trembling, I try to straighten up and pull myself together. I have no choice, I must go on, I must climb every rung. To stop is to fall. To climb, again and again, that is my destiny.

But to go where? Towards what heights? That is perhaps the question that must not be asked, because only ignorance will allow me to go on.

By what miracle is the younger one still alive? I have no idea and I don't need to know. I just have to grab the next rung and climb, again and always. I must crush the older one, I must use him and throw him away. Only at that price will I not fall.

Taking a deep breath, I regain my calm. My power is back, I can feel it! It never left me. The younger one is still alive? So be it, I will kill him a second time. Or ten times, a hundred times, a thousand times if need be! For my power is back and nothing and no one will ever again stop my meteoric rise.

Nothing! Not even these babies with old men's heads that now crawl everywhere I look, silently belching terrified pouts, touching with their sticky hands every object, every piece of furniture, every tool.

But I am keeping an eye on them. For they too will now suffer the full extent of my power.

Photo by Antoine Skipper.

This text was published thanks to your regular support on Tipeee and on Paypal. I am @ploum, blogger, writer, speaker and futurologist. You can follow me on Facebook, Medium or contact me.

This text is published under the CC-By BE license.

06 Dec 2016 11:35am GMT

03 Dec 2016


Frank Goossens: Music from Our Tube; James Bittersweet Lewis Trio

Just picked up on Worldwide FM: James Brandon Lewis Trio featuring Anthony Pirog and Nicholas Ryan Gant (aka @ghetto_falsetto). Kind of mellow-y, which I'm not always into, but the duet of Lewis' tenor sax and Gant's falsetto scatting makes for a great mix, keeping the feeling fresh and real.


And if you want something more in-your-face, have a go at "No Filter" by the same trio. Just tenor sax, bass & drums, but you'll be headbanging as if you were in the front row of a metal festival.


03 Dec 2016 12:04pm GMT

02 Dec 2016


Xavier Mertens: Botconf 2016 Wrap-Up Day #3

It's over! The 4th edition of Botconf just finished and I'm on the train back to Belgium writing the daily wrap-up. Yesterday, the reception was organized in a very nice place (the "Chapelle de la Trinité"). Awesome place, awesome food, interesting chats as usual. To allow people to recover smoothly, the day started a little bit later and with some doses of caffeine.

The day was kicked off by Alberto Ortega with a presentation called "Nymaim Origins, Revival and Reversing Tales". Nymaim is a malware family discovered in 2013, mainly used to lock computers and drop ransomware. It was known to be highly obfuscated and to use anti-analysis techniques (anti-VM, string description on demand, anti-dumping, DGA, campaign timer). During the analysis of the code, a nice list of artefacts was found that it uses to detect virtualized environments (e.g. "#*INTEL - 6040000#*" to detect the CPU used by VMware guests). Alberto reviewed the different obfuscation techniques. In the code obfuscation, they found a "craft_call" function that dynamically calculates a return address from an operation on two hard-coded parameters. The campaign timer is also classic for Nymaim: there is a date in the code (20/11/2016) after which the malware refuses to execute (the system date must be changed to permit execution, which is not easy in a sandbox). Network traffic is encrypted with several layers. The first one is RC4 with a static key and a salt that varies for each request/response. The DNS resolution is also obfuscated: domains are resolved using a homemade algorithm, and the "A" records returned are NOT the actual IP addresses (Google DNS is used). To know the real IP address, the algorithm must be applied. Of course, a DGA is used. It relies on a PRNG based on the Xorshift algorithm, seeded with the current system time and a fixed seed. Nymaim is used to perform banking fraud. The way this feature is configured is similar to Gozi/ISFB (covered later today). They use redirects to the injects panel. A nice review of the malware, with an amazing job done to reverse and understand all its features.

Then Jose Miguel Esparza and Frank Ruiz presented "Rough Diamonds in Banking Botnets". Criminals keep improving their backends: C&C's and control panels. They made a nice review of the current landscape, but this talk was flagged as TLP:RED so no more information.

After a coffee break, we restarted with Maciej Kotowicz who presented "ISFB, Still Live and Kicking". Also named Gozi2/Ursnif, ISFB is a malware which appeared in 2014 and is, still today, one of the most popular bankers on the market. Why this name? The "ISFB" string was found in debugging instructions in the code. Targets are numerous (all over the world). The dropper sets up persistence, injects the worker, sets up IPC and (new!) downloads the 2nd stage. It also has anti-VM tricks: it uses GetCursorInfo() to get the movement of the mouse. No movement, no execution! It also enumerates devices. Then Maciej reviewed in more depth how the malware works, its configuration and registry keys. Communications to phone home are based on the Tor network, a P2P network and, of course, a DGA.

The next slot was assigned to Margarita Louca with a non-technical talk: "Challenges for a cross-jurisdictional botnet takedown". Margarita being from Europol, she also asked us to consider her presentation as TLP:RED.

The afternoon started with the two last talks. Kurtis Armour presented "Preventing File-Based Botnet Persistence and Growth". The goal of this talk was education about the threat landscape and the layers of protection. Most of his talk focused on post-exploitation (only on classic computers - no IoT). The botnet delivery mechanism is based on social engineering, tricking users into going to unsafe sources in order to make some money (monetise), or on browsers and 3rd-party apps (EK); this was already covered. Dropped code can be file-based or memory-based. Starting from the fact that code is made to be executed by the computer, Kurtis reviewed how this code can be executed by a Windows computer. The code can be a binary, shellcode or a script. This code must be dropped on the victim by a dropper and there are many ways to achieve that: via HTML, JavaScript, ZIP, EXE, DLL, macros, PowerShell, VBA, VBS, PDF, etc. The talk was mainly defensive and Kurtis explained with several examples how to prevent (or at least reduce the chances of) code execution. First golden rule: "No admin rights!". But we can also use pieces of software to reduce the attack surface. A good example is LAPS from Microsoft. Windows Script Files are a pain: don't allow their execution. This can be achieved by replacing the default association (wscript.exe -> notepad.exe). Microsoft Office files are well known to be (ab)used to distribute macros. Starting with Office 2016, more granularity has been introduced via GPO's. Here is an interesting document about the security of macros (source):

Office Macros Security

PowerShell is a nice tool for system administrators but also very dangerous: it runs from memory and can download & execute from remote systems. But PowerShell is harder to block. Execution policies can be implemented but are easy to bypass. PowerShell v5 to the rescue? It brings improved logging and security features (but don't forget to uninstall previous versions). Application whitelisting to the rescue? (The talk focused on AppLocker because it is present by default and can be managed via GPO's.) It can be used to perform an inventory of the applications, to protect against unwanted applications and to increase software standardisation. Another technique is to restrict access to writable directories like %APPDATA%, but there are many others. .hta files are nasty and are executed via a specific interpreter (mshta.exe). There are many controls that could be implemented but they are really a pain to deploy. There was an interesting question from somebody in the audience: who's using such controls (or at least a few of them)? Only five people raised their hand!

And finally, Magal Baz & Gal Meiri closed the event with another talk about Dridex: "Dridex Gone Phishing". After a short introduction about Dridex (or a recap - who doesn't know this malware?), they explained in detail how the banking fraud works, from the infection to the fraudulent transaction. You have a token from your bank? 2FA? Good, but it's not a problem for Dridex. It infects the browser and places hooks in the output and input functions of the browser, and all data is duplicated (sent to the bank and to the attacker). This is fully transparent to the user. A good way to protect yourself is to rename your browser executable (e.g. "firefox_clean.exe" instead of "firefox.exe"). Why? Dridex has a list of common browser process names (hashed) and compromises the browser based on this list.

As usual, there was a small closing session with some announcements. A few numbers about the 2016 edition? 325 attendees, 4 workshops, 25 talks (out of 48 proposals). And what about the 2017 edition? It should be organized in Montpellier, another nice French city, between the 5th and 8th of December.

[The post Botconf 2016 Wrap-Up Day #3 has been first published on /dev/random]

02 Dec 2016 7:53pm GMT

Les Jeudis du Libre: Mons, 15 December: Hardware design using CLaSH

This Thursday, 15 December 2016 at 7pm, the 54th Mons session of the Jeudis du Libre de Belgique will take place.

The topic of this session: Hardware design using CLaSH

Exceptionally, the talk will be given in English

Theme: Programming|Development

Audience: developers|companies|students

Speaker: Jan Kuper (University of Twente & QBayLogic)

Venue: HEPH Condorcet, Chemin du Champ de Mars, 15 - 7000 Mons - Auditorium 2 (G01) on the ground floor (see this map on the Openstreetmap site; NOTE: the entrance is hard to see from the main road, it is in the corner formed by a very large car park).

Participation is free and only requires registering by name, preferably in advance, or at the entrance to the session. Please indicate your intention by registering via the page http://jeudisdulibre.fikket.com/. The session will be followed by a friendly drink.

The Jeudis du Libre in Mons also enjoy the support of our partners: CETIC, Normation, MeaWeb and Phonoid.

If you are interested in this monthly cycle, do not hesitate to consult the agenda and to subscribe to the mailing list in order to receive all the announcements.

As a reminder, the Jeudis du Libre are intended as forums for exchange around Free Software topics. The Mons meetings take place every third Thursday of the month and are organized on the premises of, and in collaboration with, the Mons universities and colleges involved in training computer scientists (UMONS, HEH and Condorcet), and with the help of the non-profit LoLiGrUB, active in promoting free software.

Description: Mainstream hardware design languages such as VHDL and Verilog have poor abstraction mechanisms, and many attempts have been made to design so-called High Level Synthesis languages. Most of these languages take an imperative perspective, whereas CλaSH, on the other hand, starts from a functional perspective and is based on the functional language Haskell. That starting point offers high-level abstraction mechanisms such as polymorphism, type derivation and higher-order functions. Besides, it offers a direct simulation environment: every CλaSH specification is an executable program. During the presentation we will illustrate this with several examples such as elementary computational architectures, filters for signal processors and a simple processor.

Keywords: Functional HDL|FPGA design

Target audience: people who are familiar with programming and interested in using other platforms than just a traditional processor. Some knowledge of hardware design is handy but not necessary.

Short bio: Jan Kuper studied Logic and Mathematics and did his PhD under Henk Barendregt on the foundations of mathematics and computer science (1994). He worked in the areas of logic of language, theoretical computer science, and mathematical methods for architecture design. Currently he works at the Embedded Systems group of the University of Twente, where he initiated the development of CλaSH. His lecturing experience comprises philosophical and mathematical logic, imperative and functional programming languages, and design of digital architectures. Together with Christiaan Baaij, he recently started the company QBayLogic to apply formal design methodologies to FPGA design.

02 Dec 2016 3:31pm GMT

Joost Damad: working console on Shuttle xs36v mini computer with Debian 8 (Jessie)

I recently re-installed this system to use it as a local server.

Installation of Debian 8 went smoothly. I chose not to install a graphical environment, as I only want to attach a screen in emergency situations.

The system boots fine but then the screen goes into power-save mode. The system is still reachable remotely.

After some searching on the internet [1], the solution is to blacklist the graphics driver of the system.

Create a file called /etc/modprobe.d/blacklist.conf and add the following to it:

blacklist gma500_gfx

This tells the system not to load the driver. Then run

sudo update-initramfs -u

which updates the boot RAM disk to reflect the change.

Reboot the system and enjoy a working console.

Picture or it didn't happen:

02 Dec 2016 11:19am GMT

Jeroen De Dauw: PHP 7.1 is awesome

PHP 7.1 has been released, bringing some features I was eagerly anticipating and some surprises that had gone under my radar.

New iterable pseudo-type

This is the feature I'm most excited about, perhaps because I had no clue it was in the works. In short, iterable allows type hinting in functions that just loop through their parameter's value without restricting the type to either array or Traversable, or having no type hint at all. This partially solves one of the points I raised in my Missing in PHP 7 series post Collections.

Nullable types

I also already addressed this feature in Missing in PHP 7: Nullable return types. What somehow escaped my attention is that PHP 7.1 comes not just with nullable return types, but also with new syntax for nullable parameters.

Intent revealing

Other new features that I'm excited about are the Void Return Type and Class Constant Visibility Modifiers. Both of these help with revealing the author's intent, reduce the need for comments and make it easier to catch bugs.

A big thank you to the PHP contributors that made these things possible and keep pushing the language forwards.

For a full list of new features, see the PHP 7.1 release announcement.

02 Dec 2016 9:24am GMT

01 Dec 2016


Xavier Mertens: Botconf 2016 Wrap-Up Day #2

The second day is over, so here is my daily wrap-up! After some welcome coffee cups, it started sharp at 9AM with Christiaan Beek who spoke about ransomware: "Ransomware & Beyond". When I read the title, my first reaction was "What can be said in a conference like Botconf about ransomware?". I was wrong! After a short review of the ransomware landscape, Christiaan went deeper of course. It's a fact: the amount of ransomware really exploded in 2016, with new versions or techniques to attack and/or evade detection mechanisms. Good examples are Petya, which encrypts the MBR, or Mamba, which performs FDE ("Full Disk Encryption"). We also see today "RaaS" or "Ransomware as a Service". Not only residential customers are targeted but also business users (do you remember the nice story of the hospital in the US which was infected?). Why does ransomware remain so successful?

What does Christiaan mean by "customer satisfaction"? On many forums, we can find thankful messages from victims to the attackers for providing the decryption key once they paid the ransom. This could be compared to the Stockholm syndrome. We also see services like "Ransomware for dummies" where people are able to customise the warning messages and so customise their campaign. An important remark was that, sometimes, ransomware is used like DDoS, as a lure to keep the security team's attention while another attack is ongoing, below the radar.

Then, Christiaan explained how he tried to implement machine learning to help in the detection/categorisation of samples, but it stopped working when attackers started to use PowerShell. The memory analysis approach remains interesting but consumes a lot of resources. There are interesting initiatives to improve our daily fight against ransomware: McAfee released a tool called "Ransomware Interceptor" that gives good results. Another nice initiative is the website nomoreransom.org, which compiles a lot of resources (how to report an incident, how to decrypt some ransomware - tools are available). What about the future? According to Christiaan, it's scary! Ransomware will target new devices like home routers or… your cars! Cars look like a nice target when their CAN bus is directly reachable from the entertainment system! Be prepared! A very nice talk to start the day!

The second talk was about Moose! "Attacking Linux/Moose 2.0 Unraveled an EGO MARKET" by Olivier Bilodeau and Masarah Paquet-Clouston. Yes, Moose is back! It was already covered during Botconf 2015, so the talk started with a quick recap: Moose infects routers and IoT devices running an embedded Linux with a BusyBox userland. Once infected, the worm tries to spread by brute-forcing the credentials of new potential victims. The installed payload is a proxy service used to reach social media websites. So, the question was "What are the attackers doing with this botnet? How do they monetize it?". The next step was to attack the botnet to better understand the business behind it. To achieve this, a specific honeypot environment was deployed: a real machine (Linux on ARM) together with other components like Cowrie. By default, Cowrie has no telnet support, so they contributed to the project and added it. The next step was to break the communications with the C&C. This was also explained; it was based on mitmproxy. What about their findings?

As the botnet has no direct victims, how is it used? Social media fraud is the key! This kind of fraud offers to sell you "clicks" or "followers" for a few bucks. Instagram is the main targeted social network, with 86% of the bot traffic. Masarah explained that this business is in fact very lucrative. But who are the buyers of those services?

Buy Instagram Followers

Based on the people followed by Moose fake accounts, we may find:

So, indeed, no direct victims, but some get fooled by the "false popularity". What about the prices? They were analysed and there are differences: Instagram is cheaper than LinkedIn. Who's behind Moose? They identified 7 IP addresses, 3 languages used (Dutch, English and Spanish) and, at least, 7 web interfaces. It was a nice talk with a good balance between technical and social stuff. I liked it. If you're interested, two interesting links about Moose:

Then, John Bambenek came on stage to present "Tracking Exploit Kits". The first question addressed by John was "Why track exploit kits?". Indeed, when one is brought down, another comes alive, and law enforcement services are overloaded. Also because they are one of the major ways to infect computers (the other one being spam). An EK can be seen as an ecosystem. Many people work around it: operators, exploit writers, traffic generators, sellers, mules, carders, … There is only one way to protect yourself against EK's: patch, patch and patch again. 0-day vulnerabilities are rarely used by EK's, so you don't have a good reason not to install patches. Also, the analysis of an EK may reveal very interesting stuff to better understand how they are operated. The second part of the talk covered techniques (and tools) to track EK's. Geo-blacklisting is a common feature used by most EK's (not only countries but also sensitive organisations are blacklisted, like AV vendors or companies doing research). But VPNs are not always properly detected, so use a VPN! As each EK has its own set of exploits to test, you must tune your sandbox to be vulnerable to the EK you are analysing. Note that many EK pages can be identified via patterns (regexes are very useful in this case). Then, John covered the landing pages and how to decode them. He also mentioned the tool ekdeco, which can be very helpful during this task. If you're interested in IOC's, the following URL has many related to exploit kits: https://github.com/John-Lin/docker-snort/blob/master/snortrules-snapshot-2972/rules/exploit-kit.rules. Again, a very nice talk for the first part of the day.

The next topic covered DDoS botnets and how to track them. Ya Liu's presentation was called "Improve DDoS Botnet Tracking With Honeypots". In fact, Ya's research was based on PGA or "Packet Generation Algorithm". During his research, he found that a botnet family can be identified by inspecting how packets are generated. It was a nice research with a huge data set: 30+ botnet families, 6000+ tracked botnets, 250K+ targets (it started in 2014). Ya's goal is to collect packets during attacks and, based on the analysis, to map them to the right family. He explained how packets are generated and that identification is possible because of bad programming. Then the algorithm to analyse the data and extract useful info was reviewed. Interesting approach, but the main issue is to find enough good packets.

The first half-day ended with Angel Villega who presented "Function Identification and Recovery Signature Tool" or, in short, "FIRST". The idea behind this project is to improve the daily life of malware researchers by automating boring stuff. We don't like boring tasks, right? Here again, the goal is to analyse a sample to tag it with the right family. FIRST is an IDA Pro plugin which extracts interesting information from functions found in the malware samples (opcodes, architecture, syscalls, …) and sends it to a server, which checks the information against its database to help identify the malware. Why does it work? Because people are lazy and don't want to reinvent the wheel, so the chances of finding shared functions in multiple samples are good. As a kick-off for the project, there is a public server available (fisrt-plugin.us). It can be used as a first repository, but you can also start your own server. Nice project but less interesting for me.

After the lunch break, Tom Ueltschi came on stage to present "Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)". Tom is a regular speaker at Botconf and, this year again, he came with nice stuff that can be re-used by most of us. First, he made an introduction about detection techniques. It is very important to deploy the right tools to collect interesting data from your infrastructure. Basically, we have two types:

For Tom, the best tools are: Bro as NBD and Sysmon + Splunk as HBD. I agree with his choices. Why Sysmon? Basically, it's free (part of the SysInternals suite) and, being developed by Microsoft, it is easy to deploy and integration is smooth. It logs to the Windows Event Logs. Tom's research started with a presentation he attended at RSA with the author of Sysmon. The setup is quite simple:

Sysmon > Windows Event Logs > Splunkforwarder > Splunk

Just one remark: take care of your Splunk license! You may quickly collect tons of events! It is recommended to filter them to collect only the ones interesting for your use cases. The second part of the presentation covered such use cases. How to start? The SANS DFIR poster is often a good starting point. Here are some examples covered by Tom:

It is also possible to perform automatic malware analysis, to detect key loggers and password stealers, and lateral movements (why does a workstation have flows to another one via TCP/445?). It is also interesting to keep an eye on parent/child process relationships. A lot of interesting tips were reviewed by Tom. For me, it was the best talk of the day! If you're working in a blue team, have a look at his slides asap.
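Detection logic for the two Sysmon use cases just mentioned (workstation-to-workstation TCP/445 flows, and an Office parent spawning a script host), as an added example that is neither Tom's code nor part of the original post. It runs over constructed Sysmon-style events (JSON lines using Sysmon's own field names, with made-up values); the workstation subnet and the SMB server allowlist are assumptions a real deployment would take from its own inventory.

```python
import ipaddress
import json

# Constructed sample events (not real telemetry), shaped like Sysmon records after a
# forwarder has flattened each one to a single JSON object per line. Field names are
# Sysmon's own (EventID 1 = process create, EventID 3 = network connection); the
# hosts, paths and addresses are made up. The last line is deliberately malformed.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS-042", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\invoice.ps1"}
{"EventID": 1, "Computer": "WS-042", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 3, "Computer": "WS-042", "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true", "SourceIp": "10.10.5.42", "DestinationIp": "10.10.5.77", "DestinationPort": 445}
{"EventID": 3, "Computer": "WS-042", "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true", "SourceIp": "10.10.5.42", "DestinationIp": "10.10.1.5", "DestinationPort": 445}
{"EventID": 3, "Computer": "WS-042", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Initiated": "true", "SourceIp": "10.10.5.42", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
this line is not JSON and must be skipped rather than crash the pipeline
"""

# Assumed site knowledge: which subnet holds workstations and which hosts legitimately
# serve SMB. A workstation talking SMB to another workstation is the anomaly worth a look.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.5.0/24")]
SMB_SERVERS = {"10.10.1.5"}

# Parent/child pairs that rarely have a benign explanation on an end-user workstation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path: 'C:\\X\\WINWORD.EXE' -> 'winword.exe'."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_workstation(ip: str) -> bool:
    """True when the address falls in an assumed workstation subnet; False on bad input."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in WORKSTATION_NETS)


def detect_lateral_smb(event: dict):
    """Outbound TCP/445 from one workstation to another, excluding known file servers."""
    if event.get("EventID") != 3 or int(event.get("DestinationPort", 0)) != 445:
        return None
    if str(event.get("Initiated", "")).lower() != "true":  # only connections we opened
        return None
    src, dst = event.get("SourceIp", ""), event.get("DestinationIp", "")
    if dst in SMB_SERVERS or not (is_workstation(src) and is_workstation(dst)):
        return None
    return f"workstation-to-workstation SMB {src} -> {dst} by {basename(event.get('Image', ''))}"


def detect_office_spawning_script(event: dict):
    """An Office application starting a script interpreter (macro-style execution)."""
    if event.get("EventID") != 1:
        return None
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return f"{parent} spawned {child}: {event.get('CommandLine', '')}"
    return None


RULES = (detect_lateral_smb, detect_office_spawning_script)


def parse_events(text: str) -> list:
    """One JSON object per non-empty line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def run_detections(text: str) -> list:
    """Return (computer, rule name, message) for every event/rule pair that fires."""
    alerts = []
    for event in parse_events(text):
        for rule in RULES:
            hit = rule(event)
            if hit:
                alerts.append((event.get("Computer", "?"), rule.__name__, hit))
    return alerts


if __name__ == "__main__":
    for computer, rule, message in run_detections(SAMPLE_EVENTS):
        print(f"[{computer}] {rule}: {message}")
```

The same two rules translate directly into Splunk searches over the forwarded Sysmon index; the allowlist is what keeps the TCP/445 rule from paging you for every file-server access.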

Sébastien Larinier & Alexandra Toussaint presented "How Does Dridex Hide Friends?". They presented the findings of an investigation they performed at one of their customers. He suffered of a major bank fraud (800K€!). The customer was "safe", had 2FA activated but it was compromised and asked to find "how?". They reviewed the classic investigation process which started with a disk image that was analysed. What they found, how, the artefacts etc. The first conclusion was that the computer was infected by Dridex. But 6 days later, another suspicious was created which dropped a RAT on the computer. Nice example of a real infection (I was surprised that the customer accepted to be taken as an example for the talk).

And the afternoon continued with "A Tete-a-Tete with RSA Bots" by Jens Frieß and Laura Guevara. Here again, the idea of the talk was to automate the analyse of encrypted communications between a bot and its C&C. When you are facing encryption every day, it may quickly become a pain. The good news for the research was that there is not a log of changes in encrypted communications across malware families. Also, bad guys are following best practices and rely on standard encryption libraries. The analyse process was reviewed to be able to decrypt communications: It is based on a fake C&C with a rogue certificate, a DNS server to spoof requests and the injection of a DLL with cryptographic functions.

After a quick coffee break, the next presentation was "Takedown client-server botnets the ISP-way" by Quảng Trần, who is working for a Vietnamese ISP. Takedowns are important countermeasures in fighting botnets. Why is it so important from an ISP perspective? Because they need to protect their customers and their network, and also respond to requests from local law enforcement agencies. Quảng explained the technique used to bring a botnet down: once the IPs & domains have been identified, the ISP can re-buy expired domains or perform domain / hosting termination. In this case, the major issue is that some ISPs are not always reactive. But for an ISP, it can be interesting to maintain the DNS, monitor the traffic, reroute it or perform DPI. The technique used is a sinkhole server that can serve multiple botnets via their own protocols and mimic their C&C via a set of plugins. With this technique, they can fake the C&C and send termination commands to the bots to bring the botnet down in a safe way. Interesting remark during the Q&A session: this kind of operation is illegal in many countries!

For the next talk, the topic was again "automation" and "machine learning". Sebastian Garcia presented "Detecting the Behavioural Relationships of Malware Connections". The idea of his research is not to rely only on IOCs (today, they are the only real information we have to fight malware and botnets), because they are not effective enough against new malware. Sebastian's idea was to put more focus on network flows. Sometimes it can help, but not always. What about checking the behaviour? He explained his project, which indeed produces nice graphs:

Traffic Behaviour

It was not easy for me to follow this talk but the information shared looked very interesting. More information is available here.

The last talk had an attractive title: "Analysis of Free Movies and Series Websites Guided by Users Search Terms" by Martin Clauß and Luis Alberto Benthin Sanguino. The idea is to evaluate the risk of visiting FMS websites. FMS means "Free Movies and Series". They are juicy targets to deliver malicious content to the visitors (millions of people visit such websites). The idea was to collect the URLs visited while browsing such websites and check whether they are malicious or not. Classic targets are Flash Players, but there are many others. How to reach FMS websites? Just search via Google. Search for your favourite singer, the latest Hollywood movie. The first x results were crawled and analysed via online tools like VT, Sucuri, ESET, etc. The results are quite interesting. As you can imagine, a lot of websites redirect to malicious content. Based on 18K pages analysed, 7% were malicious (and 10% of the domains). Other interesting stats were reported, like the singer which returned the biggest amount of malicious pages, or who is most targeted (Spanish people). Nice talk to finish the day.

Before the official reception, a lightning talks session was organised with 10 x 3 minutes about nice topics. That's enough for today, see you tomorrow with more content!

[The post Botconf 2016 Wrap-Up Day #2 has been first published on /dev/random]

01 Dec 2016 11:43pm GMT

Lionel Dricot: Must money be our only objective?

As humans, we operate with objectives. The metric tied to an objective, which I call an "observable", can completely pervert the system to the point of diverting it from its initial objective. I introduced the concept in "Beware of observables", but be aware that, in our society, the default observable is money.

Love, couples and restaurants

As I explained through the fable of the cars in Observabilia, we live in a world in which some aspects are hard to quantify. So we fall back on "observables", which are easy to measure. But if an observable is even very slightly decorrelated from the original aspect, the act of measuring will amplify that decorrelation to the point of absurdity.

"Any use of an observable imperfectly tied to an objective will tend to maximise the decorrelation between that observable and the objective"

Let's take a simple example: if you want to increase the love in your relationship, love is hard to measure. On the other hand, if your partner notices that you invite each other out to restaurants more often when you are in love, you might decide to take the number of gastronomic outings per month as the observable of your love.

After a while, without even being aware of it, you will be encouraged to go to the restaurant as often as possible. Ideally every evening!

Will you be any more in love? In the best case, nothing will have changed. In the worst, you might even destroy your relationship through this absurd obsession with restaurants, gain weight and squander your savings.

It seems obvious in this case, and yet we reproduce it constantly with an observable almost as absurd as the number of restaurant outings per month. An observable that has become universal. Money!

Money, our main observable

Our whole society, all our values push us to maximise money.

One person claims that their priority in life is educating their children and will do everything to... earn money in order to pay for a private school, even if that means going to work abroad and seeing their children only once a month.

Another wants to live peacefully in a quiet spot and will, consequently, work very hard in a big city for decades in order to... "earn enough to stop working".

These cases are of course not universal, and there are many occasions on which we turn down a financial gain. But it is amusing to note that those occasions will be carefully thought through and will have to be justified at length. By default, earning money is the most attractive situation. We push the perversity to the point of quantifying anything at all, including our happiness, in financial equivalents.

Money has become such a universal observable that even happiness is measured in money. Did you know that in the United States, eliminating the daily commute between home and work is equivalent, in terms of happiness, to a pay rise of 40,000 dollars a year? So happiness is quantifiable in dollars? Isn't it shocking that one of the major arguments in suicide prevention is... the cost to society of a suicide (849,878 $ in Canada. How precise!)? One life fewer matters little. But if it costs something, we must act!

If we want to reduce the number of suicides, it would be solely to save money!

Is it even possible to convert the pain of a suicide into a financial loss? And what conclusion should we draw if, by chance, the calculation had found that a suicide earns society money?

Is the disappearance of bees worrying? No, not really. But it is enough to state that pollinators perform work valued at between 2 and 5 billion euros a year in France to get the audience's attention. Add that they create 1.4 billion jobs worldwide and the trick is done. Without pollinating insects, we will literally starve to death. But that is not serious. What would be serious is losing billions of euros and jobs...

Even lack of sleep is monetised, and is estimated at 411 billion dollars a year for the American economy.

This is moreover the trap into which environmentalists have fallen by claiming that ecology was more economical and would create jobs. It is enough to reply that, in that case, the market will naturally turn towards the most ecological solution and that, above all, one must not intervene.

Just like counting restaurant outings, money is a very convenient observable and, moreover, a universal one. With a few very rare exceptions, all human beings today use money that is convertible into any other currency.

The impossibility of multiple objectives

Popular wisdom teaches us that if you chase two hares, you catch neither. And, unconsciously, every human being and every human institution applies this principle by maximising one single objective.

If several objectives are stated, the whole system will optimise the main objective through its observable. If that also achieves the other objectives, so much the better. Otherwise, well, by definition, a secondary objective will give way to the main objective. It follows that any secondary objective is useless: if it is achieved, it is by pure luck.

Now, as we have just seen, the default observable is money. The default objective therefore becomes getting rich.

One can also note that people whose main objective is clearly not to get rich stand out in our society. Since money is merely a means of subsistence for them, they earn a strict minimum and devote themselves to an objective they have chosen consciously. They seem rebellious, alternative, surprising. Ironically, stating that you want to earn money is often frowned upon. Earning money is our one and only objective, but it must be hidden; we must be hypocritical.

Without a very strong and very clear direction setting an observable other than money, any project will automatically turn towards profit. At best the project will become commercial; at worst its members will tear each other apart and try to gain money, or to lose as little of it as possible.

Creating a project whose observable is not money therefore requires a permanent effort of asserting a main objective and the observable associated with it.

If the assertion of that objective is not strong enough, the money observable will take over again. If the shared observable is missing or blurry, individuals will fall back on their personal observable. Very often, that will be money. Individual greed will destroy the project or, at the least, divert it from its initial intention.

In the world of business and companies, the question does not even arise: since the purpose of a company is to make money, any other objective will be gradually reduced and corrupted at the slightest sign of conflict between that secondary objective and that of making money. Ecology, organic food and social goals are striking examples: from laudable secondary objectives, they have become mere marketing arguments, sometimes hiding practices of total cynicism. In the best case, these secondary objectives have become pious wishes that give workers a clear conscience.

The ultimate absurdity: GDP

The paragon of the absurdity of observables belongs to the largest of our institutions: the state, for which the main observable has also become money, through the measurement of GDP.

I will not detail the absurdity of GDP; others have done it better than me. It is enough to know that if you pay me 50€ to dig a hole and I pay you the same price to fill it back in, we have increased GDP by 100€ while nothing, absolutely nothing, has changed in the world. Neither the hole (which is filled in) nor our respective bank accounts.

Yet this measure is now the one that controls absolutely everything else. The most striking example comes to us from Greece: while the crisis has pushed countless Greeks into the most total poverty, while the suicide rate is at its highest and health there is deteriorating rapidly, nobody really cares.

But let the Greek government announce that it might take measures that could affect the GDP of neighbouring countries, and the whole political class is suddenly outraged. You have to get used to it: your only usefulness in such a system is to make GDP grow.

Identify your counterpart's objective

Once this principle is well understood, a whole universe that seems absurd suddenly becomes logical. You just have to identify the real objective of your counterpart. The sole objective of a politician, for example, will be to get re-elected. Every action he undertakes is taken with the one and only aim of maximising his observable: the votes received at the next elections.

All public money spent will therefore be spent in only two possible ways: either because it gives visibility to the politician who made the decision, or because it benefits him directly or indirectly. This is what I have called "the evaporation loop".

Any employee paid per unit of time (hour, week, month, ...) will have as their sole objective to justify the time they spend. If the work shrinks to the point of disappearing, the employee will do everything, even unconsciously, to invent complexity that justifies that time. Conversely, anyone paid a flat fee will have as their sole objective to spend as little time on it as possible.

Any press outlet financed by advertising will optimise its operation to maximise its audience's exposure to advertising. If that audience is measured in "clicks", then the outlet will turn into a click-generating machine, whatever the sincere ideals of the people who make up the outlet.

Note that none of this is positive or negative. It is just a mechanical fact and, to me, an inescapable one.

"Any human organisation naturally tends towards maximising the profit of the people controlling the organisation".

If your objectives are aligned with those of your counterpart, all is well. If, for example, you want to organise a village dance, you ask for a grant, and you offer a politician the chance to become the "patron" of the dance and give a speech there, your objectives will be aligned and you will more than likely get the grant.

And you, what is your observable?

Is money the one and only universal observable? Perhaps. In any case, it is today the most common and the most used. We must therefore take it into account without rejecting it wholesale. Building a society without money seems to me an unachievable utopia, and probably not a desirable one.

On the other hand, at the individual level, very few of us consider money to be the sole driver of our lives. Yet, out of convenience, we give in to it. We work more to earn more. We put off the risks that could make us lose money.

Confronted with this reality, we tend to camouflage. To brandish secondary objectives, statements of intent. To fool ourselves.

But then, what is the observable of our real personal objectives, those we have never taken the trouble to explore, to become conscious of?

Because if we want to change the world and change ourselves, we must set a real main objective with an observable worthy of it.

Photo by Glenn Halog.

This text was published thanks to your regular support on Tipeee and on Paypal. I am @ploum, blogger, writer, speaker and futurologist. You can follow me on Facebook, Medium or contact me.

This text is published under the CC-By BE licence.

01 Dec 2016 12:31pm GMT

30 Nov 2016

feedPlanet Grep

Xavier Mertens: Botconf 2016 Wrap-Up Day #1

This is already the fourth edition of the Botconf security conference, fully dedicated to fighting malware and botnets. Since the first edition, the event location has changed every year and it allowed me to visit nice cities in France. After Nantes, Nancy and Paris, the conference invaded Lyon. I arrived yesterday in the evening and missed the workshops (four of them were organised the day before the conference). The first day started smoothly with coffee and pastries. What about this edition? Tickets were sold out for a while (300 people registered) and the organisation remains top. Eric Freysinnet did the opening session with the classic information about the event. About the content, there is something important at Botconf: some talks contain touchy information and cannot be disclosed publicly. The organisers take the TLP protocol seriously. Each speaker is free to refuse to be recorded and to have his/her presentation covered on Twitter or blogs (this is part of their social media policy). Of course, I'll respect this. Eric's last remark: "No bad stuff on the wifi, there are some people from French LE in the room!" 😉

After Eric's introduction, the first slot was assigned to Jean-Michel Picot from Google (with the collaboration of many other Googlers) who presented "Locky, Dridex, Necurs: the Evil Triad". He presented how those malicious codes are seen from a Gmail perspective. As said above, I respect the speaker's choice: this talk was flagged as TLP:RED. It was interesting but (too?) short, and some questions from the audience remained unanswered by the speaker/Google. More information about their research can be found here. For me, nothing was really TLP:RED, nothing touchy was disclosed.

The next talk was called "Visiting the Bear's Den" by Jean-Ian Boutin, Joan Calvet and Jessy Campos (the only speaker present on stage). The "Sednit" group (also known as APT28, Fancy Bear or Sofacy) has been active since 2004. It is very active and famous. The analysis of Sednit started with a mistake from the developers: they forgot to set the "forgot" field on bit.ly. The URL shortener service was indeed used to propagate their malicious links. Basically, Sednit uses an ecosystem based on tens of software components (RATs, backdoors, keyloggers, etc.). To explain how Sednit works, Jessy had the good idea to tell the story of a regular user called Serge. Serge is working for a juicy company and could be a nice target.

09:30 AM, Monday morning: Serge arrives at the office and reads his emails. In one of them, there is a link with a typo and an ID to identify the target. Serge then meets SEDKIT (the exploit kit). On the landing page, his browser details are disclosed to select the best exploit to infect him. Serge's computer is vulnerable and he visits the SEDNIT Exploit Factory. The exploit downloads a payload and Serge now meets the SEDUPLOADER. The dropper uses anti-analysis techniques, drops the payload, performs privilege escalation and implements persistence.

10:00 AM: Serge is a victim. SEDRECO deployment.

02:00 PM: Serge meets XAGENT (the modular backdoor). At this step, Jessy explained how communications are performed with the C&C. It works via SMTP. Messages are sent to created or stolen mailboxes and the C&C retrieves the messages:

Victim > SMTPS > Gmail.com < POP3S < C&C > SMTPS > Gmail.com < POP3S < Victim

What happens during the next three days? Modules are executed to steal credentials (via Mimikatz!) and registry hives are collected. Note that multiple backdoors can be installed for redundancy purposes. Finally, lateral movement occurs (pivoting).

Friday, 11:00 AM: long-term persistence is implemented via a rogue DLL called msi.dll which is used by Microsoft Office. When an Office component is started, the rogue DLL is loaded and then loads the original one (they offer the same functions). Finally, the DOWNDELPH bootkit was explained. This was a very interesting talk with a lot of information. For more details, two links: the research paper and a link to Sednit IOCs if you are interested in hunting.

After the lunch break (which was very good, as usual at Botconf), Vladimir Kropotov and Fyodor Yarochkin presented "LURK - The Story about Five Years of Activity". Sednit was covered in the morning and this talk was almost the same, but about "LURK". It is a banking trojan targeting mainly Russia, and the group behind it has been active for a few years. The research was based on the analysis of proxy logs. It was first detected in 2011 and was the first to have a payload residing in memory (no traces, no persistence). It is easy to identify because malicious URLs contain the following strings:

Those can be easily detected via a simple regular expression. Vladimir & Fyodor reviewed the different waves of attacks and how they infected victims from 2012 to 2014. A specific mention for the "ADDPERIOD" abuse, which is a flag set on a domain during registration: when the owner would like to cancel the DNS, the price can be refunded. How were websites infected? Via memcache cache poisoning or an extra module added to the Apache web server. Note that, in 2012, no antivirus on VT was able to flag LURK samples as malicious (score: 0). The talk ended with a video recorded by the Russian police when the LURK owners were arrested.

Then Andrey Kovalev and Evgeny Sidorov presented "Browser-based Malware: Evolution and Prevention". This is not a new type of attack. MitB ("Man in the Browser") is an attack where hooked interaction changes the information on the rendered page (like adding some JavaScript code). Targets are banking sites, mail providers or social networks. In 2013, there was already a talk by Thomas Siebert from GData about this topic. There are many drawbacks with this kind of attack:

So, can we speak about MitB-NG or MitB 2.0? They are performed via malware or adware browser extensions, WFP or remote proxies. Don't forget VPN end-points or Tor exit nodes that can inject code! The next part of the talk was dedicated to the Eko backdoor and SmartBrowse. So, what about detection and prevention? CSP ("Content Security Policy"), usually used to make XSS harder, can be useful. JavaScript validation can be implemented in code: the JS checks the page integrity (like file hashes). Conclusions: there are new challenges ahead and the extension stores should implement more checks. Finally, browser developers should pay more attention to mechanisms to protect users from rogue extensions (with signatures), and AV should give more focus to extensions and not only droppers.
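The two defensive ideas mentioned above (a strict CSP and a page-integrity check) worked through server-side, as an added example that is not code from the talk or from this post. It assumes a design in which the web application serves a login form together with a strict CSP, ships a small script that hashes the canonical form markup and reports the digest back, and then compares the report with the digest of what it actually served; the form markup, field names and the injected "card_pin" field are constructed for the example.

```python
"""Server side of a page-integrity check against Man-in-the-Browser web injects.

Added example, not code from the talk or the blog post. The form markup, the
allowed field names and the injected field are constructed; the client-side
reporting script this pairs with is assumed, not shown.
"""
import hashlib
import hmac
import re

# A policy that leaves scripts unrestricted (constructed example of a weak setting).
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'"

# A strict policy: only same-origin scripts, no inline code, no eval.
HARDENED_CSP = (
    "default-src 'none'; script-src 'self'; connect-src 'self'; style-src 'self'; "
    "img-src 'self'; form-action 'self'; base-uri 'none'; frame-ancestors 'none'"
)

# Source expressions that defeat the point of script-src when they appear in it.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

# Constructed: the login form exactly as the application served it.
SERVED_FORM = """
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
"""

# Constructed: what a web inject typically leaves behind, an extra field asking for data
# the real site never requests.
TAMPERED_FORM = SERVED_FORM.replace(
    "<button", '<input name="card_pin" type="text">\n  <button'
)

ALLOWED_FIELDS = {"username", "password"}


def parse_csp(header):
    """Split a CSP header value into {directive: set(source expressions)}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = set(parts[1:])
    return policy


def script_policy_is_strict(header):
    """True when script execution is governed by script-src (or default-src) without risky sources."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # no script restriction at all
    return not (sources & RISKY_SOURCES)


def canonical(markup):
    """Collapse whitespace so that serialisation differences do not break the comparison."""
    return re.sub(r"\s+", " ", markup).strip()


def digest(markup):
    """SHA-256 of the canonical markup; the same computation runs in the client script."""
    return hashlib.sha256(canonical(markup).encode("utf-8")).hexdigest()


def integrity_ok(served_markup, reported_digest):
    """Compare the client's report with what the server served, in constant time."""
    return hmac.compare_digest(digest(served_markup), reported_digest)


def unexpected_fields(markup, allowed=ALLOWED_FIELDS):
    """Names of <input> elements that the served form never contained."""
    names = re.findall(r'<input[^>]*\bname="([^"]+)"', markup)
    return [name for name in names if name not in allowed]


if __name__ == "__main__":
    expected = digest(SERVED_FORM)
    print("strict CSP:", script_policy_is_strict(HARDENED_CSP), script_policy_is_strict(WEAK_CSP))
    print("intact page reported:", integrity_ok(SERVED_FORM, expected))
    print("injected page reported:", integrity_ok(SERVED_FORM, digest(TAMPERED_FORM)))
    print("fields added by the inject:", unexpected_fields(TAMPERED_FORM))
```

Two caveats the talk's conclusions point at: malware that already controls the browser can also tamper with the reporting script, so a matching digest raises the bar rather than proves integrity (a mismatch or a missing report is the useful signal), and extension content scripts are generally not subject to the page's CSP, which is why the speakers put the burden on extension stores and browser vendors as well.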

The next talk was titled "Language Agnostic Botnet Detection Based on ESOM and DNS" and is the result of the research performed by a team: Urs Enliser, Christian Dietz, Gabi Drei and Rocco Mäandrisch. The talk started with the motivations to perform such research. Most malware uses a DGA or "Domain Generation Algorithm". If this algorithm can be reversed (sometimes it is), we are able to generate the list of all domains and build useful lists of IOCs. The approach presented here was different. Why not use ESOM ("Emergent Self-Organising Maps") to try to detect malicious domains amongst all the DNS traffic? The analysis was based on the following steps:

Here is an example of ESOM output:

SOM Example

The magic behind ESOM was explained but, for newbies like me, it was difficult to follow. I'd like to get a deeper introduction to this topic. The research is still ongoing but it looks promising.

The afternoon coffee break was welcome before the last set of presentations. Victor Acin and Raashid Bhat came on stage to present "Vawtrak Banking Trojan : A Threat to the Banking Ecosystem". Vawtrak has been in the wild for a while. It performs MitB (see above) and is very modular & decentralised. It was known before as Neverquest. The malware internals were reviewed (LZMAT compression, 32 & 64 bit versions, XOR encoding, etc.) as well as the configuration (containing C&C servers, botnet configuration, version, signing keys). By default, it injects itself into explorer.exe and iexplore.exe, then into the child processes. After a review of the infection process and all the techniques used, the speakers reviewed the communications with the C&C. Vawtrak is a modular trojan. Multiple plugins provide an opcode / API interface. Some statistics were disclosed and look very impressive:

Then, Wayne Crowder presented "Snoring Is Optional: The Metrics and Economics of Cyber Insurance for Malware Related Claims". Not a technical talk at all, but very interesting! Wayne's exercise was to try to talk about botnets not from a technical point of view but from a cyber-insurance point of view. An interesting statistic reported by Wayne:

If cybercrime had been a US company in 2014 it would have been the 2nd largest…

From an insurance perspective, more malware samples mean more risk of data leaks and more costs for the company. Insurance drives safety & security in many domains and it will follow this trend in cyber security for sure. What's covered? Data theft (PII, cards, health data), malware, DDoS, hacking, business interruption, phishing, extortion, mistakes. What must a good policy cover?

Cyber Risks

The talk was clearly based on the US market and Wayne gave a lot of statistics. But keep in mind that this could change in the EU zone with the new notification law coming in 2018 (GDPR). Wayne also reviewed several cases where cyber insurance was involved (with nice names like Sony, Target, hospital ransomware, …). Note that not everything is covered (brand, reputation, state-sponsored hacking). Very interesting, and I'm curious to see how the cyber-insurance market will evolve in the (near) future.

The last talk was "Hunting Droids from the Inside" by Lukas Siewierski, also from Google. This was given again under TLP:RED.

That's all for the first day and stay tuned for a new wrap-up. Don't forget that some talks are streaming live via Youtube.

[The post Botconf 2016 Wrap-Up Day #1 has been first published on /dev/random]

30 Nov 2016 10:31pm GMT

27 Nov 2016

feedPlanet Grep

Jeroen De Dauw: Final Rush Pro 5

I'm happy to announce the immediate availability of the Final Rush Pro 5 map for Supreme Commander Forged Alliance Forever. During the past few weeks I've been reworking version 4 of the map, and have added many new features, fixed some bugs and improved balance in the team vs team modes.

Version 4 has a Game Mode setting with Paragon Wars, Survival Versus, Normal and 4 different difficulties of Survival Classic. Version 5 has a dedicated Survival Difficulty setting, so it's now possible to change the difficulty for Survival Versus as well. Furthermore, a ton of new lobby options have been added that allow changing the delay of the various tech level waves, their frequency, how quickly the units should gain health, how often random events should happen, etc. This gives you much greater control over the difficulty in all survival modes, and adds a lot of replayability by enabling alteration of the nature of the challenge the map provides.

The team vs team modes, Survival Versus and Paragon Wars, both had some serious balance issues. In Survival Versus, random events and bounty hunters would attack a random player. While that works fine in Survival Classic, in the modes with two teams it makes things unfairly harder for a single team. I've observed this several times, where suddenly one team gets whacked by a few random events even though they were doing better than the other team. In this new version, random events and bounty hunters target a random player from each team.

In Paragon Wars, the issue was that the civilian base protecting the Paragon Activator would be randomly constructed. Within a certain bounding box, the Paragon Activator and a bunch of defensive structures would spawn. This means the Activator could be at the far side of the bounding box, and the defenses mostly on the other side, making it a lot easier for one team to approach the Activator than for the other. Now the base is entirely symmetrical (using a circular layout) and spawns at the exact center of the map.

Version 4 had 6 working lobby options, while version 5 has 23. Besides the new difficulty related options, it is now possible to turn off aspects of the game. For instance, you can now completely disable random events, MMLs and "aggression tracking" (punishing of fast tech, high eco and aggressive ACU placement).

Some significant bugs were fixed, most notably Paragon Wars not working correctly when playing with fewer than 8 people. You can now play it 2v2, 4v1 or however else you see fit. Another thing that was fixed is the Auto Reclaim option, so there is no more need for the Vampire mod. Unlike the mod, this option allows you to specify how many resources you should get, all the way from none to over 9000% (yes, that is an actual value you can select).

Another mod that is no longer needed is the FinalRushPro3 itself. You now just need the map, and it will function properly without any mods. Due to removing integration with the FinalRushPro3 mod, the special UI is no longer present. In a lot of cases it did not work properly anyway and just took up space, and I've not gotten around to making a better replacement yet.

You can download the map as a zip. Unfortunately the FAF map vault infrastructure is rather broken, so I've not been able to upload the map to the vault. Hopefully this gets resolved soon.

For a full list of changes, see the readme. I got a number of ideas for future enhancements, which might become part of a version 5.1, 5.2, etc. Feel free to submit your own feature requests!

If you're interested in how I went about creating version 5 from a technical point of view, see my post on Refactoring horrible Lua code.

27 Nov 2016 5:06pm GMT

26 Nov 2016

feedPlanet Grep

FOSDEM organizers: Keysigning: submit your keys

Our keyserver is now accepting submissions for the FOSDEM 2017 keysigning event. The annual PGP keysigning event at FOSDEM is one of the largest of its kind. With more than one hundred participants every year, it is an excellent opportunity to strengthen the web of trust. For instructions on how to participate in this event, see the keysigning page. Key submissions close a week before FOSDEM (27 January), to give us some time to generate and distribute the list of participants. Remember to bring a printed copy of this list to FOSDEM.

26 Nov 2016 3:00pm GMT

Lionel Dricot: Laprimaire.org, an experiment in democracy

Etymologically, democracy means power by the people. It is opposed to aristocracy, where power is held by a minority.

In today's society, one has to admit that what we call democracy is not one. Real power is still held by a minority.

But, unlike a traditional hereditary aristocracy, the modern aristocracy is now chosen by the people through the electoral process. We live in a democratically representative aristocracy, the electoral process allowing us to adorn ourselves with the title of "democracy".

The weaknesses of elections

As I pointed out in "What if we killed the pirate party?", getting elected and being an elected official are two fundamentally different, even antagonistic, jobs. Those who master the art of getting elected will conquer power and hold on to it, whatever their actions. Our system is therefore completely subservient to the weaknesses of the chosen electoral process.

Two qualities are essential to get elected: popularity and access to money, money making it possible to buy popularity through election campaigns. Elections will therefore favour the emergence of rich figures, representing the interests of other rich people and being masters in the art of appearances or of diverting attention through a programme as useless as it is mendacious.

The methods for computing election results will themselves carry decisive weight. Thus the French two-round system will tend to kill off any candidate favouring compromise or innovation in favour of the one who is unacceptable to 49% of voters but good enough for 51%.

In the United States, the electoral college system allows the election of a president less popular than his opponent. Twice (Bush vs Gore in 2000 and Trump vs Clinton in 2016), the winner only became so by carrying the state of Florida in a highly suspicious manner.

What we call democracy is therefore a set of rules giving power to whoever is best able to exploit them, legally or illegally.

The future of democracy

As I describe in my posts « Il faudra la construire sans eux » ("We will have to build it without them") and « Obéir, lire, écrire, les trois apprentissages de l'humain » ("Obeying, reading, writing: the three things a human learns"), I think we have reached a turning point in history.

After aristocracy and democratically representative aristocracy (more commonly called "democracy"), it is time to reinvent a new form of governance.

In my view, this post-democracy will be founded on the technological tools of its era, namely the Internet and the blockchain. Experiments in liquid democracy are opening the way in that direction.

However, this (r)evolution is not here yet, and we have to make do with the system in place. How can new ideas be brought into a system structurally built to favour conservatism?

The candidate Jean-Luc Mélenchon, for example, promises that, if elected, he will form a constituent assembly and then resign. In principle, that is obviously wonderful. But Mr Mélenchon remains a traditional politician from a traditional party, seeking above all to defend values. That defence of values could conflict with the setting up of a new system.

The laprimaire.org experiment

Trying to use modern tools to disrupt, even slightly, the system in place is exactly what laprimaire.org is attempting to do for the French presidential election of 2017.

The principle is fairly simple: a set of rules fixed in advance to designate a single candidate, a candidate coming from the net and chosen by all the citizens who wish to take part.

At the beginning of 2016, any French citizen could declare themselves a candidate. To be selected for the second round, a candidate had to obtain 500 endorsements from other French citizens. An arbitrary barrier, admittedly, but easily cleared by anyone motivated enough to become a real candidate.

Of the 215 declared candidates, 16 passed the 500-endorsement threshold. All citizens registered on laprimaire.org were then asked to choose their 5 favourite candidates among the 16 qualifiers, through a process based on "majority judgment".

Of these 5 candidates, only one will finally be chosen as laprimaire.org's candidate to actually stand in the presidential election. But the organisers had set a minimum threshold of 100,000 registered citizens before continuing the adventure.

There are currently close to 97,000. So, if you are a French citizen, you know what you have to do to see a presidential candidate emerge not from a party but from an innovative citizen-driven process.

Even if this candidate has no chance, their mere presence on the ballot will give tremendous publicity to the fact that, yes, the Internet now makes a new mode of governance possible. That we are hungry for questioning, for new ideas, for exploration. That we want to take our destiny into our own hands!

Laprimaire.org is certainly not perfect, but it is a real experiment that innovates, that tries, and that is open to all political tendencies. Being Belgian, I cannot take part, but I warmly recommend that my French readers sign up.

Quick, you only have two weeks left!

Photo by Will Keightley.

This text was published thanks to your regular support on Tipeee and on Paypal. I am @ploum, blogger, writer, speaker and futurologist. You can follow me on Facebook, Medium or contact me.

This text is published under the CC-By BE licence.

26 Nov 2016 11:36am GMT

25 Nov 2016

Dries Buytaert: Back to school

Posted by Dries, Fri, 11/25/2016 - 16:58

Topic: Startup lessons

Last week I presented at the University of Antwerp, my alma mater. I was selected to be the 2016/2017 ambassador of the alumni and was asked to talk about my career and work. Presentations like this are a bit surreal because I still feel like I have a lot to learn and accomplish. Deep down I'll always be searching for something more. I want my life and career to be meaningful and creative, and full of laughter and friends. This presentation was very special as it was attended by my parents, friends from high school and college, professors whose classes I attended 20 years ago, and the university's rector or chancellor, Herman Van Goethem. It was great to laugh and catch up with old friends and family, and it felt meaningful to share some of my lessons learned with a group of young students.

Photo: The university's rector or chancellor, Herman Van Goethem, introducing me.
Photo: My parents sitting on the front row.
Photo: Me with some of my friends from high school that I hadn't seen in 20 years!

25 Nov 2016 3:58pm GMT

Xavier Mertens: [SANS ISC Diary] Free Software Quick Security Checklist

I published the following diary on isc.sans.org: "Free Software Quick Security Checklist".

Free software (open source or not) is interesting for many reasons. It can be adapted to your own needs, it can be easily integrated within complex architectures, but the most important reason remains, of course, the price. Even so, there are many hidden costs related to "free" software. In case of issues, a lot of time may be spent searching for a solution or diving into the source code (and everybody knows that time is money!)… [Read more]

[The post [SANS ISC Diary] Free Software Quick Security Checklist was first published on /dev/random]

25 Nov 2016 11:34am GMT