
Archive: 2014

Vulnerability Coordination and Concurrency Modeling

• CERT/CC Blog
Allen Householder

Hi, it's Allen. In addition to building fuzzers to find vulnerabilities (and thinking about adding some concurrency features to BFF in the process), I've been doing some work in the area of cybersecurity information sharing and the ways it can succeed or fail. In both my vulnerability discovery and cybersecurity information sharing work, I've found that I often learn the most by examining the failures -- in part because the successes are often just cases...

Domain Name Parking

• CERT/CC Blog
Jonathan Spring

Hello, this is Jonathan Spring with my colleague Leigh Metcalf. Today, we're releasing a CERT/CC whitepaper on our investigations into domain name parking. The title summarizes our findings neatly: "Domain Parking: Not as Malicious as Expected." First, let's review some definitions to make sure we're all on the same page. Domain parking is the practice of assigning a nonsense location to a domain when it is not in use to keep it ready for "live"...

Vulnerability Discovery for Emerging Networked Systems

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder here. I want to introduce some recent work we're undertaking to look at vulnerability discovery for emerging networked systems (including cyberphysical systems like home automation, networked cars, industrial control systems and the like). In this post I cover the background and motivation for this work, our approach, and some preliminary findings. In future posts I will cover additional results from this effort....

Domain Blocking: The Problem of a Googol of Domains

• CERT/CC Blog
Jonathan Spring

Hi all, this is Jonathan Spring. I've written a bit about some challenges with blacklisting, such as about the dynamics of domain take-down: why e-crime pays (domains are so cheap it almost always pays) and comparisons among blacklists (they are largely disjoint, calling into question comprehensiveness)....

Smart Collection and Storage Method for Network Traffic Data

• CERT/CC Blog
Angela Horneman

Hi, this is Angela Horneman from the CERT Situational Awareness Analysis team. Recently, Nathan Dell and I were asked to explore ways to improve network traffic data storage by determining what data to store to meet organizational needs. Our research, brainstorming, and discussions led us to create a methodology to help organizations determine what types of traffic to collect and what parts of the collected traffic to keep....

A Subversive Use of SiLK

• CERT/CC Blog
Leigh Metcalf

Hi, this is Leigh Metcalf. In this blog post I talk about a subversive use of SiLK, the open-source tool suite designed by the CERT/CC team at the SEI, available on the CERT website. This post is a technical walk-through of how to use the SiLK tools to support analysis in interesting ways you may not have thought of....

Probable Cache Poisoning of Mail Handling Domains

• CERT/CC Blog
Jonathan Spring

Hi, this is Jonathan Spring with my colleague Leigh Metcalf. For some time now, we've been working through a problem we found, but it's time to discuss it more broadly. Using our passive DNS data source, we can observe cache poisoning. What we really observe are changes in the answers that are returned for certain domains, but after consulting with various experts, we believe the only behavior these changes indicate is a successful cache poisoning...

Announcing CERT Tapioca for MITM Analysis

• CERT/CC Blog
Will Dormann

Hi folks, it's Will. Recently I have been investigating man-in-the-middle (MITM) techniques for analyzing network traffic generated by an application. In particular, I'm looking at web (HTTP and HTTPS) traffic. There are plenty of MITM proxies, such as ZAP, Burp, Fiddler, mitmproxy, and others. But what I wanted was a transparent network-layer proxy, rather than an application-layer one. After a bit of trial-and-error investigation, I found a software combination that works well for this purpose....

Bundled Software and Attack Surface

• CERT/CC Blog
Will Dormann

Hi, it's Will. We are all probably annoyed by software that bundles other applications that we didn't ask for. You want a specific application, but depending on what the application is, where you downloaded it from, and how carefully you paid attention to the installation process, you could have some extra goodies that came along for the ride. You might have components referred to as adware, foistware, scareware, potentially unwanted programs (PUPs), or worse. Sure,...

Investigating Advanced Persistent Threat 1

• CERT/CC Blog
Deana Shick

Hi, this is Deana Shick and Angela Horneman from the Threat Analysis and Situational Awareness teams. In this post we introduce our recently published technical report Investigating Advanced Persistent Threat 1, which shows the value of combining several unclassified datasets to explore known indicators of compromise (IOC)....

Why Cybersecurity Is Not Like the Immune System

• CERT/CC Blog
Jonathan Spring

The idea of a cyber-immune system sometimes circulates through the community. It seems that such proposals either do not properly frame how the immune system works, how good computer security would work, or both. I'm going to try to put both of those in context in order to make clear why cybersecurity is not like the immune system, but why it would be nice if it were....

10 Years of FloCon

• CERT/CC Blog
George Jones

Hi, this is George Jones. I was conference chair of the 10th annual FloCon Conference that was held in Charleston, South Carolina, January 13-16, 2014. Check out the FloCon proceedings to learn about the work presented, and consider participating in future FloCons....

Taking Control of Linux Exploit Mitigations

• CERT/CC Blog
Will Dormann

Hey, it's Will. In my last two blog entries, I looked at aspects of two exploit mitigations (NX and ASLR) on the Linux platform. With both cases, Linux left a bit to be desired. In this post, I will explain how to add further exploit protections to Linux....

Differences Between ASLR on Windows and Linux

• CERT/CC Blog
Will Dormann

Hi folks, it's Will again. In my last blog entry, I discussed a behavior of NX on the Linux platform. Given that NX (or DEP as it's known on the Windows platform) and Address Space Layout Randomization (ASLR) work hand-in-hand, it's worth looking into how ASLR works on Linux. As it turns out, the implementation of ASLR on Linux has some significant differences from ASLR on Windows....

Feeling Insecure? Blame Your Parent!

• CERT/CC Blog
Will Dormann

Hey, it's Will. I was recently working on a proof of concept (PoC) exploit using nothing but the CERT BFF on Linux. Most of my experience with writing a PoC has been on Windows, so I figured it would be wise to expand to different platforms. However, once I got to the point of controlling the instruction pointer, I was surprised to discover that there was really nothing standing in the way of achieving code...

Practical Math for Your Security Operations - Part 3 of 3

• CERT/CC Blog
Vijay Sarvepalli

Hi, this is Vijay Sarvepalli, security solutions engineer in the CERT Division again. In the earlier blog entries for this series, I introduced set theory and standard deviation. This blog entry is about entropy, a physics principle that has made its way into many mathematical applications. Entropy has been applied in many informational science topics. In this blog post, I introduce a way to use entropy to detect anomalies in network communications patterns....
