Re: [Fed-Talk] Apple at Black Hat
- Subject: Re: [Fed-Talk] Apple at Black Hat
- From: Todd Heberlein <email@hidden>
- Date: Tue, 24 Jul 2012 10:08:34 -0700
Ah, it is so easy to get scooped in the fast moving technology world, but I'm glad I was this time.
I was thinking about building a prototype to do this and making another podcast on it, but I worried about providing a roadmap (if one didn't already exist). Now I don't have to worry about it. The roadmap is being presented at Black Hat this week.
The gist: Botnets and APTs typically use a command & control server to post commands and receive results. Netflows have been seen as a good way to detect the C&Cs and/or determine which systems in your network have been compromised. Similarly, shutting down the attack involves shutting down the handful of C&C servers, as FireEye has been trumpeting this week with the Grum Botnet.
But any web site or content channel that allows users to contribute data can serve as a C&C server. Think Facebook, Flickr, Twitter, Usenet, and mailing lists like this one. This makes "shutting down the server" pretty much impossible. It also makes detection much harder because lots of your computers make connections to these sites all the time. Which ones are legitimate and which ones are C&C connections? Add in steganography (e.g., embedding commands and results in pictures posted on Flickr), and it really becomes difficult to detect, determine which systems have been compromised, and shut the attack down.
Anyways, it is surprisingly simple and the implications are pretty scary. I'm glad these guys are presenting it though. It is something we need to think about.
SNSCAT: WHAT YOU DON'T KNOW ABOUT SOMETIMES HURTS THE MOST
http://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Gunter
Todd
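The post asks how a defender is supposed to tell C&C connections apart from the legitimate traffic that every host sends to the same popular sites. One answer that still works on netflow data is to ignore the destination and look at timing: an implant polling a site for commands tends to do so on a fixed schedule, while human browsing does not. The example below is added here and is not from the post or the Black Hat talk; the flow records, host addresses and site name are constructed, and the coefficient-of-variation threshold is an assumption to tune per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (src host, dst site, seconds since capture start).
# Host 10.0.0.5 contacts the shared site every 300 s, the pattern a polling
# implant produces; host 10.0.0.9 visits the same site at irregular,
# human-driven times. Neither address nor the site name is real.
FLOWS = [
    ("10.0.0.5", "images.example-social.test", t) for t in range(0, 3600, 300)
] + [
    ("10.0.0.9", "images.example-social.test", t)
    for t in (12, 47, 301, 318, 902, 1555, 1580, 2900, 3100, 3590)
]


def beacon_scores(flows, min_flows=6):
    """Return {(src, dst): coefficient of variation of inter-flow gaps}.

    A low CV means evenly spaced connections. The destination being a
    popular, legitimate site says nothing either way; the regularity does.
    Pairs with fewer than min_flows records are skipped as too sparse.
    """
    times = defaultdict(list)
    for src, dst, ts in flows:
        times[(src, dst)].append(ts)
    scores = {}
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps only; nothing to measure
        scores[key] = pstdev(gaps) / avg
    return scores


def suspected_beacons(flows, cv_threshold=0.2, min_flows=6):
    """Pairs whose timing is regular enough to deserve a closer look."""
    return sorted(
        key for key, cv in beacon_scores(flows, min_flows).items()
        if cv <= cv_threshold
    )


if __name__ == "__main__":
    for src, dst in suspected_beacons(FLOWS):
        print(f"regular polling: {src} -> {dst}")
```

An implant that jitters its polling interval, or hides inside a host's normal browsing sessions, will push the CV above the threshold, so this is one signal to correlate with others (flow sizes, time of day, process attribution on the endpoint), not a detector on its own.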