HITB Magazine - Volume 1, Issue 3, July 2010 - www.hackinthebox.org
Editorial

Volume 1, Issue 3, July 2010

Dear Reader,

Welcome to Issue 003 of the HITB Magazine!

We’re really super excited about the release of this issue as it coincides with our first ever HITB security conference in Europe - HITBSecConf2010 - Amsterdam! The design team has come up with (what we feel) is an even better and more refined layout and our magazine now has its own site! You’ll now find all the past and current issues of the magazine for download at http://magazine.hitb.org or http://magazine.hackinthebox.org/.

Also in conjunction with our first European event, we have lined up an interview with Dutch master lock picker and founder of The Open Organization of Lock Pickers (TOOOL) Barry Wels.

We hope you enjoy the issue and do stay tuned for Issue 004 which we’ll be releasing in October at HITBSecConf2010 - Malaysia. In addition to the electronic release, we’re hoping to have a very ‘limited edition’ print issue exclusively for attendees of HITBSecConf2010 - Malaysia!

Enjoy the summer and see you in October!

Dhillon Andrew Kannabhiran
Editorial Advisor
dhillon@hackinthebox.org

Editor-in-Chief: Zarul Shahrin
Editorial Advisor: Dhillon Andrew Kannabhiran
Technical Advisor: Gynvael Coldwind
Design: Shamik Kundu
Website: Bina

Hack in The Box – Keeping Knowledge Free
http://www.hackinthebox.org
http://forum.hackinthebox.org
http://conference.hackinthebox.org

Contents

information security
COVER STORY: Using Kojoney Open Source Low Interaction Honeypot
A Brief Overview on Satellite Hacking

Malware Analysis
Chinese Malware Factory

Windows Security
Reserve Objects in Windows 7

application Security
Javascript Exploits with Forced Timeouts
Non-Invasive Invasion: Making the Process Come to You
IAT and VMT Hooking Techniques

web Security
URL Shorteners Made My Day!

book review
ModSecurity Handbook

interview
Barry Wels
information security

Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post Compromise Attacker Behavior

By Justin C. Klein Keane, justin@madirish.net

In attempting to defend against intruders and protect assets using the defense in depth principle it is critical to not only understand attacker motivations, but also to be able to identify post-compromise behavior. Utilizing data that identifies attacker trends it may be possible to prevent compromises. Furthermore, information about resource usage and patterns may allow system administrators to identify anomalous activity in order to detect compromises shortly after they occur.

HITB Magazine, July 2010
Honeypots can be used to monitor attacker behavior during and after compromise of a system set up for this express purpose. Although we can only guess at attacker motivation, through traffic analysis we are able to infer the types of resources that attackers consider valuable. The preponderance of log evidence of failed SSH attempts by unknown users implies that SSH servers are assets to which attackers are attempting to gain entrance.

By deploying honeypots that simulate resources we know attackers will target, namely SSH servers, we are able to catalog post compromise behavior. Because certain honeypots present inherent risks, utilizing software based, low interaction, honeypots we can mitigate risk while still providing a rich target environment within which to collect data about attacker activity.

INTRODUCTION

Secure Shell, or SSH, is an encrypted remote connection mechanism common on most Linux and Unix operating systems. The SSH protocol was defined by Ylonen and Lonvick in RFC 4254 of the Internet Engineering Task Force [1]. SSH allows users to authenticate to remote machines and access an interactive command line, or shell. Although SSH can be configured to use alternate ports, the well known port 22 is registered for SSH [2]. There are many methods available for SSH authentication in most implementations. The default method of authentication in many distributions, however, is based on username and password.

Given the ability to access many SSH servers using simple usernames and passwords over a well understood protocol, it is unsurprising that brute force, or password guessing, attacks against SSH servers have become common. The SSH protocol is open and well defined. Several developer libraries and APIs exist to implement SSH clients quickly and easily. Many automated attacker tools allow users to easily perform point-and-click password guessing attacks against SSH servers. Much like port scanning [3], SSH brute force attacks have become a part of the background noise of the internet. Virtually any administrator running an SSH server need look no further than their SSH server logs to find evidence of password guessing attacks.

SSH BRUTE FORCE ATTACKS

Given the preponderance of SSH brute force attacks it is worthwhile to explore the motivations of attackers. Unfortunately, without any data, these motivations remain a mystery. In order to attempt to understand the goals of attackers, or defend against them, it becomes necessary to collect concrete data about SSH brute force attacks.

One goal of collecting data about brute force attacks is to fingerprint post compromise behavior. We assume that the goals of attackers are separate and distinct from those of regular system users. Because malicious users are attempting to utilize system resources in non-traditional ways it may be possible to spot this type of anomalous behavior. It may be impossible to identify malicious users based on usernames and passwords alone, for instance in the case that an attacker has compromised, or guessed, a legitimate user's credentials. For this reason fingerprinting behavior immediately following a successful authentication becomes important. Fingerprinting is the process of identifying trends or commonalities amongst attacker behavior (consisting of system commands issued) that might distinguish it from legitimate user behavior. If it is possible to develop a signature of malicious behavior then that signature can be used to identify compromise. This process would not prevent attacks, but would suffice to alert administrators of a compromise soon after it had taken place to minimize damage and contain incidents. Such early identification is critical to containing damage caused by intrusions and forms an additional layer of defense, supporting the defense in depth principle.

HONEYPOTS

Honeypots were first popularized by the Honeynet Project [4] and Lance Spitzner's Know Your Enemy [5]. A honeypot is a vulnerable, or deliberately insecurely configured system that is connected to the internet and carefully monitored. There are many motivations for deploying a honeypot. Some honeypots are deployed to distract attackers from more valuable assets and to waste attacker resources on "fake" targets. This strategy is of debatable merit as there is little chance of accurately gauging the success of such a honeypot, especially if compromise of legitimate assets goes undetected. Another use of the honeypot is as a type of early warning system. If the honeypot detects malicious traffic from an asset within the organization a compromise can be inferred. Where the honeypot returns its most value, however, is when exposed to the internet in order to observe and analyze attack traffic and attacker behavior independent of an organization's internal configuration.

There are a number of reasons why honeypots are difficult to deploy in this last mode. In addition to significant time requirements, there is also inherent difficulty in setting up a system that is attractive to attackers. Additionally, such a system will likely invite damage by the target attackers and will require a rebuild after use. Furthermore, it is no simple task to configure an effective monitoring system that will not alert an attacker to observation.

In addition to logistical considerations, of significant concern in deploying such a honeypot on the internet is the possibility for "downstream liability" [6]. If such a system were to be compromised by an attacker, and then the attacker were to use the system as a pivot point or launching pad to attack other resources there could be serious consequences. If the honeypot were used to attack third party systems then the honeypot maintainer could be culpable in facilitating a compromise. If the honeypot were used to attack internal systems then it could potentially bypass authorization rules that prohibited connections from outside hosts. Using such a pivot point whereby an attacker compromised the honeypot in order to attack other assets that might not be routable from the wider internet could create significant problems.

Furthermore, to be of any value, a honeypot must be analyzed after it is compromised. This forensic work can often be extremely time consuming and may or may not result in valuable intelligence. Even though the advent of virtualization has significantly reduced the overhead of configuring and deploying honeypots [7], tools designed to significantly streamline post compromise analysis simply do not yet exist. Without adequate time and suitable analysts much of the value of honeypots is lost.

For all of these reasons honeypots should only be deployed with extreme caution and only after consultation with others within your organization to determine acceptable risk.

High Interaction Honeypots

Traditional honeypots consist of full systems that are set up and configured from the hardware layer up to the application layer. Such a configuration provides a rich environment for attackers to interact with and can serve to collect data about a wide variety of vulnerabilities, attack methods, and post compromise behavior. By providing an attacker with a realistic environment you are most likely to collect useful intelligence. Honeypots of this style are known as "high interaction honeypots" because they provide the widest array of response.

High interaction honeypots have significant downsides. Careful consideration must be given to the configuration of egress rules for high interaction honeypots in order to minimize the possibility of downstream liability. Furthermore, encrypted protocols present problems when monitoring traffic to and from a high interaction honeypot. These reasons combined with the high deployment, rebuild, and maintenance overhead make high interaction honeypots unattractive to many organizations.

Low Interaction Honeypots

Low interaction honeypots were developed to address many of the deficiencies of traditional, high interaction honeypots. Low interaction honeypots consist of software systems that
simulate specific aspects of complete systems. Because they are implemented in software, low interaction honeypots present significant safety improvements over high interaction honeypots. Low interaction honeypots can strictly monitor and limit both inbound and outbound traffic. Low interaction honeypots can restrict functionality and can more safely contain malicious attacker activity.

METHODOLOGY

For the purposes of this study, Kojoney [8], written by Jose Antonio Coret, was used as a foundation. Kojoney is an open source low interaction honeypot implemented in Python. Kojoney simulates an SSH server, listening on port 22. Kojoney uses the popular OpenSSL [9] and Python's Twisted Conch [10] libraries to negotiate SSH handshakes and set up connections.

Kojoney utilizes a list of usernames and passwords that can be used to access the system. This means that not all connection attempts will be successful. Once a connection has been established Kojoney presents attackers with what appears to be an interactive shell. Commands issued by attackers are interpreted by Kojoney and attackers are returned responses based on definitions from within the Kojoney package. The only system functionality available to attackers is 'wget' or 'curl' for fetching remote files. However, even this functionality is limited. Any material downloaded by Kojoney at the direction of attackers is actually stored in a location specified by the Kojoney configuration. After download, the attacker is not able to interact with the retrieved material. This allows for the capture of malware, rootkits, or other material that an attacker would typically move onto a compromised system.

Considerations with Kojoney

Because Kojoney is open source it is easily customizable [11]. However, the source code is also freely available to attackers. It is worthwhile, therefore, to spend some time customizing the output of Kojoney in order to implement any additional functionality desired as well as to evade detection attempts by attackers.

As with all software, Kojoney is not immune from security vulnerabilities [12]. It is important to follow security news outlets for notification of any vulnerability discovered in Kojoney, or its supporting packages, and keep your installation up to date.

Deficiencies

Kojoney deliberately limits functionality. Although the installation utilized for this study was heavily modified there was certain functionality that was not simulated. The most noticeable of these was the inability for an attacker to interact with packages that were downloaded. This meant that attackers could download toolkits but they could not actually inflate compressed packages or execute binaries. Kojoney responds with a vague error message if it cannot simulate functionality. When attackers encounter this behavior it is common for their session to end. Because Kojoney does not simulate a full system once an attacker attempts complex interaction, it was common for attackers to terminate their sessions after encountering commands that do not produce desired results.

RESULTS

For the purposes of this study a modified Kojoney low interaction SSH honeypot was deployed on commodity hardware and connected to the live internet with a dedicated IP address. Kojoney was configured to run on the standard SSH port 22 with a separate interface configured for management. The system was left on and running consistently over a period of roughly six months from October 27, 2009, to May 3, 2010. During this time 109,121 login attempts were observed from 596 distinct IP addresses. Of these distinct IP addresses over 70 participated in brute force attacks separated by more than 24 hour time intervals. The longest span of time between attacks from the same IP address was 135 days wherein a single IP address participated in over 6 distinct attacks.

Most popular time

Examining the timing of attacks based on the time of day on a 24 hour scale in Eastern Standard Time yields some interesting information. Attacks seem to be fairly evenly spaced throughout the day but spike around noon and late at night. The hour between noon and 1 PM saw the most activity with 9,017 login attempts.

Figure 1. Hours of Attack (chart: hits by hour of day, 00 to 23)

The number of attacks over months seemed to vary somewhat as well, with sharp spikes in the number of attacks in January 2010 and April 2010. The following table does not include data from October 2009 and May 2010 because collection during those months was limited to a few days.

Figure 2. Distinct IPs by Month

Month and Year | Number of Login Attempts | Distinct IPs
November 2009 | 9,464 | 69
December 2009 | 11,114 | 76
January 2010 | 25,385 | 99
February 2010 | 18,439 | 81
March 2010 | 11,515 | 88
April 2010 | 22,477 | 137

Examining the popularity of certain days for attacks also provides some interesting insight. Apparently Sunday and Wednesday are the most popular days to launch SSH brute force attacks. Given the global nature of the internet and timezone differences, however, this data may not provide any real value.

Figure 3. Attacks by Weekday

Day of Week | Number of Login Attempts
Sunday | 20,674
Monday | 11,211
Tuesday | 9,248
Wednesday | 23,484
Thursday | 18,098
Friday | 14,141
Saturday | 12,265

Countries

IP addresses are assigned to internet service providers in blocks that are then subdivided to their customers. Using these assignments it is possible to locate the country to which a specific address is assigned. Examining the data for country assignments of IP addresses which participated in attacks provides some stark details.

Figure 4. Attacker IP by Country

Country | Count
China | 118
Romania | 111
US | 52
Korea | 27
Spain | 25
Italy | 17
Germany | 14
Brazil | 14
France | 11
Netherlands | 11
UK | 11
Macedonia | 7
Canada | 7
Russia | 7
Taiwan | 7
India | 6

China contained the highest number of distinct IP addresses for attacks. However, Romania (a country with less than 2% of China's population), was the source of roughly the same number of attacks as China. The US was the third most common place of origin, but had half the total number of distinct IP addresses of China and Romania. Together, China, Romania, and the US accounted for nearly half of all the distinct IP addresses of origin for attacks.

It is important to note that the geographic location of IP assignments may not necessarily correspond with their physical address, nor does it necessarily correspond to the nationality of the attacker. It is entirely possible that attacks observed were carried out from compromised hosts controlled by a third party located at a totally different internet or geographic location.

Most popular usernames

13,554 distinct usernames were attempted over 109,121 login attempts. Usernames were interesting because there were many common system usernames (such as root) or usernames associated with services, such as oracle, postfix, backuppc, webmail, etc. Some usernames such as jba120 could potentially have been harvested from previously compromised systems or generated by brute force. Some usernames, such as 'aa', were most certainly generated via brute force. Some usernames such as 'P4ssword', 'Access' and 'denied' may have resulted from misconfigured attack utilities. 'Root' was by far and away the most
popular username, accounting for nearly half (45,403), of all attempts, compared with the next most popular username, 'test', with 4,128 attempts, then 'admin' and 'oracle' with over 1,000 followed by 62 other usernames with more than 100 login attempts. While many of these were common system accounts or common names (such as 'mike' or 'michael', the 67th and 60th most common username respectively) there were some interesting stand outs. The username 'prueba' (Spanish for proof) was used 149 times (the 56th most common name) from 19 different IP addresses. Surprisingly these 19 IP addresses were spread across the globe and not necessarily all from Spanish speaking countries. Other interesting common usernames were 'zabbix' (an open source network monitoring utility) with 118 attempts, 'amanda' (a common Unix backup service) with 143 attempts, 'ts' with 119 attempts and 'toor' with 301 attempts.

Figure 5. Top Logins

Top 20 Usernames | Login Attempts
1. root | 45,403
2. test | 4,128
3. admin | 1,396
4. oracle | 1,287
5. user | 881
6. guest | 872
7. postgres | 773
8. webmaster | 540
9. mysql | 538
10. nagios | 536
11. tester | 480
12. ftp | 456
13. backup | 444
14. web | 436
15. administrator | 384
16. info | 359
17. ftpuser | 343
18. sales | 336
19. office | 331
20. tomcat | 323

Most popular passwords

The honeypot recorded 27843 distinct passwords utilized by attackers. Of the passwords used, the three most popular ('123456', 'root', and 'test') were used more than 2,000 times a piece. The fourth most popular password, 'password', was used 1,283 times while the remaining passwords were used less than 1,000 times each. Of the 80 most common passwords 18 were numeric only, 39 were lower case alphabetic only, and 21 contained numbers and lowercase letters. Only three contained punctuation or special characters, utilizing the period (.) or at symbol (@).

Figure 6. Common Passwords

Password | Count
123456 | 2361
root | 2111
test | 2084
password | 1283
qwerty | 855
1234 | 839
123 | 690
1q2w3e | 615
12345 | 546
changeme | 460
oracle | 421
abc123 | 376
welcome | 369
admin | 337
1a2b3c | 315
redhat | 314
master | 309
ad4teiubesc26051986 | 295
111111 | 280
1 | 270
p@ssw0rd | 261

The 20 most popular passwords attempted included several common strings, as well as several based on keyboard layouts, such as '1q2w3e'.

Although not represented in the most common passwords, particularly interesting were passwords that seemed to have been generated using permutations of the hostname (See 100 Most Common Passwords).

Average password length

Over 133 distinct passwords utilized in login attempts were greater than 19 characters long. Of the rest, the average length of passwords attempted was 6.78.

Password resets

Although not a native feature of Kojoney, our installation included functionality to capture password reset attempts. In the sample period attackers attempted to reset passwords 42 times. Examining these records reveals interesting data. None of the password resets resulted in a password of more than 8 characters with mixed case alphabetic, numeric, and special characters. 47% of the new passwords were alphanumeric and over 80% of the new passwords were longer than 8 characters (the longest being 33 characters long and containing a mix of letters and numbers). In one case the new password created by the attacker, "-www.WhiteTeam.net-" appeared to contain a web site address.

Most common commands

181 distinct commands were recorded by the honeypot out of 3,062 commands issued. The honeypot captured entire lines of text entered by attackers. Many of these lines were commands followed by arguments. A distinct command was defined as the first sequence of characters followed by a space or a carriage return. This allows us to examine the core commands (such as directory listing or file content listing) independent of their targets. The most common distinct command was 'ls', issued 538 times. This was followed by 'cd' with 338 execution attempts, then 'wget' with 308 attempts, 'w' with 303 attempts, 'uname' with 179 attempts, 'cat' with 151 attempts, 'ps' with 117 attempts and 'uptime' with 102 attempts.

Figure 4. Distinct Commands (pie chart)

Figure 4. Commands with Arguments (pie chart)

Examining the full commands issued by attackers (the full line of input submitted to the honeypot) reveals a slightly different picture. Commands such as 'ls' and 'cd' became less frequent as they are almost always used with a target, while commands such as 'w' which generally do not include any further switches or arguments, percolated to the top of the list in terms of frequency. Looking at the list of commands it is worth noting that certain common commands with specific arguments were seen quite frequently. These include 'uname -a', the '-a' being an aggregate flag that behaves as though several other flags were utilized. The use of the 'cat' command to echo the contents of the virtual file '/proc/cpuinfo' which contains processor identification information, also becomes quite apparent.

Downloads

282 downloads were captured by the honeypot. Interestingly the wget command was used 41 times to download Microsoft Windows XP Service Pack 3. This behavior was perhaps an attempt to test the download functionality of wget and to gauge the speed of the internet connection. Although time did not permit a full analysis of each binary downloaded the most popular download seemed to be PsyBNC [13], an open source Internet Relay Chat (IRC) bot program. Other popular downloads included other IRC bots, UDP ping flooders (presumably for use in denial of service attacks), port scanners, and SSH brute force tools.

Sessions

Sessions are defined as interactions where the attacker not only attempted to gain access with usernames and passwords, but
also executed commands on the honeypot. Furthermore, sessions were delimited by time delays of more than an hour between command execution. For instance, if an attacker logged in, executed commands, then waited for more than an hour before executing additional commands then the interaction was counted as two sessions. A total of 248 attacker sessions were identified issuing a total of 3,062 commands. The average session lasted for 4.1 minutes during which the attacker issued 12 commands. The longest session lasted for an hour and 10 minutes.

By far the most common command in any session was the 'w' command, occurring in 74% of sessions. Wget was used in over 58% of sessions as was uname. The uptime command was issued in 35% of sessions.

Figure 7. Commands in Sessions

Command | Number of Sessions
w | 184
ls | 155
wget | 146
uname | 144
cd | 122
cat | 105
uptime | 86
ps | 84
[blank] | 76
passwd | 67
exit | 47
id | 44
tar | 33
mkdir | 21
pwd | 18
unset | 16
reboot | 13
chmod | 13
rm | 12
ftp | 12
ifconfig | 12
kill | 11
perl | 11
history | 11
dir | 10

CONCLUSIONS

Based on the data collected for this study it is clear that attackers utilize many of the same commands as legitimate system users, such as 'ls' and 'cat'. The context of these commands makes them distinct, however. Many of the 'ls' commands, which are typically used for directory listing, seemed innocuous, but the 'cat' commands were typically used for peering into the contents of system configuration files such as those that contain CPU and memory information. In 94 of the more than 150 times the 'cat' command was used, the full command issued was 'cat /proc/cpuinfo', which is used to display processor information. This type of command is not typical for a normal system user.

Although some common commands observed in the Kojoney session captures could potentially be attributed to normal users, others clearly stand out. The 'w' command, which is used to report on which users are logged into the system, and the 'uptime' command, which reports how long the system has been on, are not regularly used by non-system administrators. Similarly, the 'uname' command is generally utilized to determine the kernel version that is running, which could perhaps be used to search for vulnerabilities.

Monitoring command execution on systems seems like a worthwhile exercise given the results of this data. Replacing the 'w', 'uptime' or even 'wget' command with a binary that would log the execution of such a command before executing the intended target could provide some insight into the usage of such utilities. Using a log file monitoring system such as OSSEC, system administrators could easily keep watch over such commands to alert on suspicious behavior [14].

Given the sophistication of the usernames and passwords utilized by attackers a number of defensive strategies present themselves. It is interesting to note the complexity of usernames and passwords utilized by attackers. Outside of system passwords, common usernames were not necessarily attempted with common passwords. For instance, the data shows no attempts to log in using the username 'alice', a relatively common name that would appear at the beginning of a dictionary list of names, with the password 'password'. From this observation, as well as the fact that the top 20 usernames attempted were system accounts, we can conclude that attackers probably do not focus their efforts on breaking into user level accounts.

Given the breakdown of username choices in brute force attacks it seems that system accounts are by far the most utilized. This is probably because system accounts are standard and the attacker doesn't have to enumerate or guess them. The fact that root is the most common target is likely attributable to the fact that this account has the most power, but also because it appears on most Unix systems. Choosing strong passwords seems like a safe strategy for protecting the system accounts, but even more effective would be to prohibit interactive login over SSH for the root account. By disabling SSH root login, nearly half of all brute force attacks observed would have been thwarted.

All attacker behavior was observed on the standard SSH port 22. Running SSH on an alternate port would almost certainly cut down on the number of attacks, although such a solution could confuse legitimate users and result in increased support costs. Brute force detection and prevention countermeasures, such as SSH Black [15], OSSEC active response, or the use of OpenSSH's MaxAuthTries configuration specifications could all be worthwhile. An even more effective solution would be to eliminate the use of username and password authentication altogether. Many SSH servers provide functionality for key authentication. There is additional administrative overhead in implementing key based authentication, and it is not as portable, but it is certainly more secure.

Examining the IP source of attacker behavior shows that there are certain IP blocks, that if not used by legitimate system users, could certainly be blocked to great effect. Locating and blocking specific IP ranges could dramatically cut down on the amount of SSH brute force attacks, but again could create hassle for legitimate users and requires a certain degree of administration.

There do not appear to be strong trends in the times that attackers attempt brute force attacks. Limiting SSH server access to specific times could cut down on the number of attacks as long as administrators could be confident that legitimate users only required access during certain time ranges. Great care would need to be taken with such a remediation, however, to prevent a nightmare scenario where a legitimate administrator or user might be unable to respond to a crisis occurring in off hours due to login restrictions.

Some of the greatest utility in deploying a Kojoney based honeypot is in its ability to detect attacks from IP ranges within an organization's network. Based on the fact that some attackers were observed attempting to download SSH brute force tools it is likely that compromised SSH servers are sometimes used as SSH brute force scanners. Detecting an internal attacker could provide extremely valuable evidence in an incident detection or response.

Examining malware or attacker toolkits downloaded to the Kojoney honeypot could also prove valuable. Although a wide variety of packages was not observed, the character of the packages that were downloaded is illustrative of the goals of attackers. Additionally, developing hash fingerprints of attacker tools or components could aid in the detection of these materials on other systems, which could be used to detect compromises. As with high interaction honeypots, forensic analysis of this malware is time intensive and may not provide a very high return on investment.

The actual IP addresses captured by the Kojoney honeypot are probably of the greatest value of all the collected data. Because the honeypot was deployed on an unused and un-advertised IP address it is a justifiable conclusion that all traffic observed by the honeypot was deliberate and malicious. By identifying these malicious IP addresses it is possible to scan server logs from other machines to detect malicious activity on other assets. Although it is important to note that it is possible for some IP addresses to represent aggregation points, or rotating pools, for multiple users and not all traffic originating from the identified IP addresses is necessarily malicious.

REFERENCES

1. Ylonen, T., Lonvick, C., Internet Engineering Task Force, RFC 4254, The Secure Shell (SSH) Connection Protocol, http://www.ietf.org/rfc/rfc4254.txt (January, 2006)
2. Internet Assigned Numbers Authority (IANA), Port Numbers, http://www.iana.org/assignments/port-numbers
3. Wikipedia, Port scanner, http://en.wikipedia.org/wiki/Port_scanner
4. The Honeynet Project, http://www.honeynet.org
5. L. Spitzner, Know Your Enemy. Addison-Wesley, 2002.
6. Downstream Liability for Attack Relay and Amplification. http://www.cert.org/archive/pdf/Downstream_Liability.pdf
7. N. Provos and T. Holz, Virtual Honeypots. Addison-Wesley, 2008.
8. Coret, J., Kojoney low interaction SSH honeypot, http://kojoney.sourceforge.net
9. The OpenSSL Project, http://www.openssl.org/
10. Twisted Matrix Labs Conch Project, http://twistedmatrix.com/projects/conch
11. Klein Keane, J., Using and Extending Kojoney SSH Honeypot. http://www.madirish.net/?article=242 (May 22, 2009)
12. Nicob, [Full-disclosure] Kojoney (SSH honeypot) remote DoS. Feb 24, 2010. http://www.securityfocus.com/bid/38395
13. psyBNC Homepage, http://www.psybnc.at/
14. OSSEC Open Source Host-based Intrusion Detection System, http://www.ossec.net
15. sshblack script homepage, http://www.pettingers.org/code/sshblack.html

Further Reading

Wolfgang, N., SSH Brute Force: Second Steps of an Attacker. http://www.cs.drexel.edu/~nkw42/research/Wolfgang_SecondSteps.pdf (September 6, 2008)
100 Most Common Logins

Username       Count   Username    Count   Username   Count   Username   Count
root           45403   mailtest    266     student    167     alex       90
test           4128    service     263     testing    166     usuario    90
admin          1396    fax         259     temp       161     linux      89
oracle         1287    squid       250     games      156     mythtv     89
user           881     public      242     cyrus      153     roor       88
guest          872     video       240     prueba     149     marketing  86
postgres       773     print       232     amanda     143     server     85
webmaster      540     http        226     teste      141     ftpguest   82
mysql          538     help        218     test1      134     support    81
nagios         536     sysadmin    216     michael    127     www-data   76
tester         480     webalizer   212     upload     120     netdump    70
ftp            456     sysadm      207     ts         119     paul       67
backup         444     html        202     apache     118     john       67
web            436     printer     202     zabbix     118     daemon     67
administrator  384     helpdesk    200     news       116     uucp       67
info           359     rootadmin   199     master     103     david      65
ftpuser        343     sale        199     mike       101     users      65
sales          336     nobody      198     rpm        100     adam       63
office         331     webmin      198     user1      99      gdm        63
tomcat         323     mailadmin   198     condor     99      informix   62
webadmin       313     mailftp     197     prueva     97      wwwrun     61
postfix        306     mailuser    196     sshd       96      spam       60
mail           305     www         194     TeamSpeak  96      adrian     60
toor           301     operator    187     test2      94      students   59
testuser       268     adm         168     123456     93      samba      57

100 Most Common Passwords

Password   Count   Password   Count   Password                  Count   Password                         Count
123456     2361    abcd1234   218     rootroot                  142     0000                             103
root       2111    user       217     [subdomain.domain]*       142     54321                            103
test       2084    passw0rd   215     guest                     141     internet                         102
password   1283    1qaz2wsx   209     12                        140     sunos                            102
qwerty     855     12345678   208     [servername.subdomain]*   140     secret                           101
1234       839     654321     188     password123               139     123321                           101
123        690     linux      179     webmaster                 132     manager                          100
1q2w3e     615     1q2w3e4r   177     mail                      129     qwertyuiop                       95
12345      546     pa55w0rd   176     root1234                  129     root1                            94
changeme   460     testing    175     apache                    128     [servername.subdomain.domain]*   94
oracle     421     root123    173     asdfgh                    127     user123                          91
abc123     376     1234567    172     r00t                      126     server                           90
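The conclusions above suggest scanning other machines' server logs for the IP addresses captured by the honeypot, and observe that brute force attempts concentrate on system accounts. The following is an added example, not code from the article or from the Kojoney project, that does both over OpenSSH-style log lines; the IP addresses, the log lines and the short account set are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample values (documentation address ranges), not study data.
HONEYPOT_IPS = {"203.0.113.7", "198.51.100.23"}

# Assumption: a handful of the system-style usernames from the login table.
SYSTEM_ACCOUNTS = {"root", "test", "admin", "oracle", "postgres", "mysql", "nagios"}

# Constructed OpenSSH-style authentication log lines.
SAMPLE_LOG = """\
Jul  1 03:12:01 web1 sshd[4120]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jul  1 03:12:03 web1 sshd[4120]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Jul  1 03:12:05 web1 sshd[4121]: Failed password for invalid user alice from 192.0.2.44 port 40022 ssh2
Jul  1 03:12:09 web1 sshd[4125]: Accepted password for test from 203.0.113.7 port 51160 ssh2
Jul  1 08:30:41 web1 sshd[5001]: Accepted publickey for deploy from 192.0.2.10 port 50211 ssh2
Jul  1 09:02:17 web1 sshd[5090]: Failed password for nagios from 198.51.100.23 port 33900 ssh2
"""

# Matches sshd "Failed ..." / "Accepted ..." lines (IPv4 sources only).
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def scan(log_text, known_bad=HONEYPOT_IPS, system_accounts=SYSTEM_ACCOUNTS):
    """Summarise failed logins and raise alerts for honeypot-observed sources."""
    failed = Counter()           # failed attempts per source IP
    targeted = defaultdict(set)  # system accounts tried per source IP
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failed[ip] += 1
            if user in system_accounts:
                targeted[ip].add(user)
        elif ip in known_bad:
            # A successful login from an address the honeypot saw attacking
            # is the strongest indicator of compromise in this scan.
            alerts.append(("login-from-honeypot-ip", ip, user, m["method"]))
    # Failed attempts from honeypot-observed addresses: same attacker, other asset.
    for ip in sorted(known_bad & set(failed)):
        alerts.append(("bruteforce-from-honeypot-ip", ip, failed[ip],
                       sorted(targeted.get(ip, ()))))
    return {
        "failed": dict(failed),
        "targeted": {ip: sorted(users) for ip, users in targeted.items()},
        "alerts": alerts,
    }


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for alert in report["alerts"]:
        print(alert)
```
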
A Brief Overview on Satellite Hacking
By Anchises Moraes Guimarães de Paula, iDefense

As a large portion of worldwide Internet users increasingly rely on satellite communication technologies to connect to the Web, a number of vulnerabilities within these connections actively expose satellites to potential attacks. The implications of such a successful attack are massive, as satellites are the only means of broadcasting communications in many regions around the globe and an attacker could act from everywhere.

Broadband Internet access via satellite is available almost worldwide. Satellite Internet services are the only possible method of connecting remote areas, the sea or countries where traditional Internet cable connections are still not accessible. Satellite communications are also widely adopted as backup connection providers by several organizations and countries for those times when the terrestrial communications infrastructure is not available, damaged or overloaded. By the end of 2008, an estimated 842,000 US consumers relied on satellite broadband Internet access.[1]

Communications satellites routinely receive and rebroadcast data, television, image and some telephone transmissions without the proper security measures, leading to frequent fraud and attacks against satellite services. Traditional fraud techniques and attack vectors include satellite TV hacking and the use of illicit decoding technology to hack into television satellite signals. In addition, satellite communications are easily susceptible to eavesdropping if not properly encrypted.

Satellite Basics

Satellites are an essential part of our daily lives. Many global interactions rely on satellite communications or satellite-powered services, such as Global Positioning Systems (GPSs), weather forecasts, TV transmissions and mapping service applications based on real satellite images (such as Google Maps). “Although anything that is in orbit around Earth is technically a satellite, the term “satellite” typically describes a useful object placed in orbit purposely to perform some specific mission or task.”[2] There are several satellite types, defined by their orbits and functions: scientific, Earth and space observation, reconnaissance satellites (Earth observation or communications satellites deployed for military or intelligence applications) and communications, which include TV, voice and data connections. Most satellites are custom built to perform their intended functions.

Organizations and consumers have used satellite communication technology as a means to connect to the Internet via broadband data connections for a long time. Internet via satellite provides consumers with connection speeds comparable or superior to digital subscriber line (DSL) and cable modems. Data communication uses a similar design and protocol to satellite television, known as Digital Video Broadcasting (DVB), a suite of open standards for digital television. DVB standards are maintained by the DVB Project, an international industry consortium. Services using DVB standards are available on every continent with more than 500 million DVB receivers deployed, including at least 100 million satellite receivers.[3] Communications satellites relay data, television, images and telephone transmissions by using the transponder, a radio that receives a conversation at one frequency and then amplifies it and retransmits the signal back to Earth on another frequency that a ground-based antenna may receive. A satellite normally contains 24 to 32 transponders, which are operating on different frequencies.[4]

Modern communications satellites use a variety of orbits including geostationary orbits,[5] Molniya orbits,[6] other elliptical orbits and low Earth orbits (LEO).[7] Communications satellites are usually geosynchronous because ground-based antennas, which operators must direct toward a satellite, can work effectively without the need to track the satellite’s motion. This allows technicians to aim satellite antennas at an orbiting satellite and leave them in a fixed position. Each satellite occupies a particular location in orbit and operates at a particular frequency assigned by the country’s regulator, such as the Federal Communications Commission (FCC) in the U.S. The electromagnetic spectrum usage is regulated in every country, so that each government has its regulatory agency which determines the purpose of each portion of radio frequency, according to international agreements.

The satellite provider supports Internet access and Internet applications through the provider teleport location, which connects to the public switched telephone network (PSTN) and the Internet. There are three types of Internet via satellite access: one-way multicast, unidirectional with terrestrial return and bidirectional access. One-way multicast transmits IP multicast-based data, both audio and video; however, most Internet protocols will not work correctly because they require a return channel. A single channel for data download via a satellite link characterizes unidirectional access with terrestrial return, also known as “satmodem” or a “one-way terrestrial return” satellite Internet system, and this type of satellite access uses a data uplink channel with slower speed connection technologies (see Exhibit 1).

Exhibit 1. Unidirectional Access with Terrestrial Return (also known as Satmodem)[8]

Unidirectional access systems use traditional dial-up or broadband technology to access the Internet, with outbound data traveling through a telephone modem or a DSL connection, but it sends downloads via a satellite link at a speed near that of broadband Internet access. Two-way satellite Internet service, also known as bidirectional access or “astro-modem,” involves both sending and receiving data via satellite to a hub facility, which has a direct connection to the Internet (see Exhibit 2).

Exhibit 2. Bidirectional Satellite Communication[9]

The required equipment to access satellite communication includes a satellite dish, a receiver for satellite signals, which is a low-noise block (LNB) converter, a decoder, a satellite modem and special personal-computer software. Usually, a single device or PCI card integrates the decoder and modem. Several software programs and online tools are widely available.

Satellite Internet customers range from individual home users to large business sites with several hundred users. The advantages of this technology include a greater bandwidth than other broadband technologies, nearly worldwide coverage, and additional support to television and radio services. Satellite broadband service is available in areas where terrestrially based wired technologies (e.g., cable and DSL) or wireless technologies cannot operate. The disadvantages, however, are numerous: weather conditions (rain, storms or solar influences) might affect satellite communications, satellites demand expensive hardware and have a complex setup (installing a satellite dish takes some knowledge to configure the satellite’s polarization and orientation), and the satellite providers charge relatively high monthly fees. Moreover, many types of applications, such as voice-over Internet protocol (VoIP) and videoconferencing, are not suitable for this type of connection due to the high latency. Typical satellite telephone links have 550-650 milliseconds of round-trip delay up to the satellite and back down to Earth.[10]

Research on Hacking Satellites

Typical attacks against satellite networks include satellite television hacking (the use of illegally reprogrammed descrambler cards from legitimate satellite equipment to allow unlimited TV service without a subscription)[11] and hacking into satellite networks to transmit unauthorized material, such as political propaganda.[12] In March 2009, Brazilian Federal Police arrested a local group that was using U.S. Navy satellites for unauthorized communication.[13] According to WIRED, “to use the satellite, pirates typically take an ordinary ham radio transmitter, which operates in the 144- to 148-MHZ range, and add a frequency doubler cobbled from coils and a varactor diode.” Radio enthusiasts can buy all the hardware near any truck stop for less than USD $500, while ads on specialized websites offer to perform the conversion for less than USD $100.[14] To help the industry fight such incidents, information security researchers have been investigating the inherent security, design and configuration flaws in publicly accessible satellite communication networks and protocols, and they are making impressive progress.

In 2004, security researcher Warezzman presented early studies on satellite hacking at the Spanish conference UNDERCON 0x08.[15] In July 2006, Dan Veeneman presented additional studies on satellite hacking at Defcon 04.[16] Recently, various security researchers are leading the innovation in this area, notably, Jim Geovedi, Raditya Iryandi and Anthony Zboralski from the consulting company Bellua Asia Pacific; Leonardo Nve Egea from the Spanish information security company S21SEC; and white-hat hacker Adam Laurie, director of security research and consultancy at Aperture Labs Ltd.

In September 2006, Geovedi and Iryandi presented a “Hacking a Bird in the Sky”[17] talk about hijacking very small aperture terminal (VSAT) connections at the 2006 Hack in the Box security conference (HITBSecConf2006) in Malaysia.[18] They listed various hypothetical attacks against satellite communication systems, such as denial of service (DoS) conditions (uplink or downlink jamming, overpower uplink) and orbital positioning attacks (ranging transponder spoofing, direct commanding, command replay, insertion after confirmation but prior to execution), and gave a presentation about how to get access to the data link layer. Later, at the 2008 edition of the Hack In The Box Security Conference, Geovedi, Iryandi and Zboralski gave a presentation about how to compromise the satellite communication’s network layer and how to run a practical “satellite piggyjacking” attack, which exploits the satellite trust relationship on a VSAT network by finding a “free” (unused) frequency range inside a user-allocated frequency to transmit and receive data.

At the February 2009 Black Hat DC conference, Adam Laurie presented how to hack into satellite transmissions using off-the-shelf components that Laurie assembled himself by spending just $785 US. Laurie claimed that he has been doing satellite feed hunting[19] since the late 1990s. By using a modified Dreambox, a German receiver for digital TV and radio programs based on a Linux operating system, he was able to monitor Internet satellite transmission and to pipe its feed into his laptop. From there, he could analyze packets using standard programs such as the popular network protocol analyzer Wireshark. According to The Register, “Laurie has also developed software that analyzes hundreds of channels to pinpoint certain types of content, including traffic based on transmission control protocol (TCP), user datagram protocol (UDP), or simple mail transfer protocol (SMTP). The program offers a 3D interface that allows the user to quickly isolate e-mail transmissions, Web surfing sessions or television feeds that have recently been set up.”[20]

In 2009, Leonardo Nve, a Spanish senior security researcher, presented his experiments on satellite communications security at several conferences around the world, including the Argentinean Ekoparty[21] and the t2´09 Information Security Conference in Finland,[22] as well as the 2010 edition of BlackHat DC, among others. His investigation is concentrated on malicious attacks on satmodem communications and how to get an anonymous connection via the satellite provider’s broadband network. Previously, satellite studies focused only on feed interception and data capture, since researchers were focusing on passive vulnerabilities. Nve was able to run active attacks against the satellite clients and providers using easy-to-find tools such as a satellite dish, an LNB, cables, support, a digital video broadcast (DVB) system PCI card, a Satfinder tool and a Linux box with the necessary free software, such as Linuxtv, kernel drivers for DVB PCI cards, Linuxtv application tools and DVBsnoop (a DVB protocol analyzer console available at http://dvbsnoop.sourceforge.net), and the Wireshark tool for data capture.[23]

Nve based his attack research on finding open Internet satellite connections by running blind scans on available satellite channels and hacking into DVB protocol. During his tests, he was able to capture 7,967 data packets from typical Internet traffic in just 10 seconds. According to his reports, data packets transmitted most of the sensitive communication in plain text with no encryption.[24]

To get an anonymous Internet connection via the satellite broadband network, Nve used this local Internet access connection as an uplink and the hacked satellite connection as a downlink since he had the necessary means to capture all satellite traffic, including the IP response packets. By figuring out the ISP satellite IP address range and using a satellite IP address not in use, Nve established a TCP connection by sending packets with the spoofed satellite network’s IP address via his local Internet connection (a dial-up or regular broadband connection) and he received the response by sniffing the packets via the satellite interface (see Exhibit 3).

Exhibit 3. Getting Anonymous Internet Access via Satellite Network

Such an attack is virtually untraceable, since the attacker can establish his or her connection from anywhere in the world, due to the fact that the satellite signal is the same for everyone within the satellite coverage area. That is, if a user based in Berlin uses a satellite company that provides coverage throughout Europe, a malicious user could capture the downstream channel in Sicily or Paris. This technique leads to several new possible attacks, such as domain name system (DNS) spoofing, TCP hijacking and attacking generic routing encapsulation (GRE) protocol.

Proven insecure, satellite communications provide almost no protection against unauthorized eavesdropping since they broadcast all communications to a large area without proper confidentiality controls. Various passive and active threats against insecure Internet satellite communications include sniffing, DoS attacks and establishing anonymous connections. Hacking into satellite receivers is much easier now than it was in the past, thanks to the widespread availability of Linux tools and several online tutorials.

Conclusion

Governmental and military organizations and most of the companies included within the critical infrastructure sector, such as transport, oil and energy, are using satellite communications for transmitting sensitive information across their widespread operations. This includes the use of satellite communication at industrial plants operating supervisory control and data acquisition (SCADA) systems. The relevance of satellite communication protection and the consequences of a security incident should compel these organizations to deploy additional security measures to their internal communication technologies. Companies and organizations that use or provide satellite data connections must be aware of how insecure satellite connections are and aware of the possible threats in this environment. Companies and users must implement secure protocols to provide data protection, such as virtual private network (VPN) and secure sockets layer (SSL), since most traffic transmits unencrypted and is widely available in a large geographic area under the satellite’s coverage.

About the Author

Anchises M. G. de Paula, CISSP, is an International Cyber Intelligence Analyst at iDefense, a VeriSign company. He has more than 15 years of strong experience in Computer Security, and previously worked as Security Officer in Brazilian telecom companies before becoming Security Consultant for local infosec resellers and consulting companies. Anchises holds a Computer Science bachelor's degree from Universidade de Sao Paulo (USP) and a master's degree in Marketing from ESPM. He has also obtained various professional certificates including CISSP, GIAC (Cutting Edge Hacking Techniques) and ITIL Foundations. As an active member of the Brazilian infosec community, he was the President of ISSA Chapter Brazil in 2009 and one of the founding members of Brazilian Hackerspace and the Brazilian Cloud Security Alliance chapter.

REFERENCES

1. “State of the Satellite Industry Report.” June 2009. Satellite Industry Association. http://www.sia.org/news_events/2009_State_of_Satellite_Industry_Report.pdf.
2. Brown, Gary. “How Satellites Work.” HowStuffWorks. http://science.howstuffworks.com/satellite1.htm. Accessed on Nov. 5, 2009.
3. “Introduction to the DVB Project.” Mar. 23, 2010. DVB. http://www.dvb.org/technology/fact_sheets/DVB-Project_Factsheet.pdf.
4. “Satellite Technology.” Nov. 5, 2009. Satellite Broadcasting & Communications Association (SBCA). http://www.sbca.com/receiver-network/satellite-receiver.htm.
5. Geostationary orbits (also called geosynchronous or synchronous orbits) are orbits in which a satellite always positions itself over the same spot on Earth. Many geostationary satellites (also known as Geostationary Earth Orbits, or GEOs) orbit above a band along the equator, with an altitude of about 22,223 miles. (Brown, Gary. “How Satellites Work.” HowStuffWorks. http://science.howstuffworks.com/satellite5.htm. Accessed on Nov. 5, 2009.)
6. The Molniya orbit is highly eccentric — the satellite moves in an extreme ellipse with the Earth close to one edge. Because the planet’s gravity accelerates it, the satellite moves very quickly when it is close to the Earth. As it moves away, its speed slows, so it spends more time at the top of its orbit farthest from the Earth. (Holli Riebeek. “Catalog of Earth Satellite Orbits / Three Classes of Orbit.” Nov. 5, 2009. NASA Earth Observatory. http://earthobservatory.nasa.gov/Features/OrbitsCatalog/page2.php.)
7. A satellite in low Earth orbit (LEO) circles the earth 100 to 300 miles above the Earth’s surface. (“What Is a Satellite?” Satellite Industry Association. Nov. 5, 2009. Boeing. http://www.sia.org/industry_overview/sat101.pdf.)
8. Warezzman. “DVB: Satellite Hacking For Dummies.” 2004. Undercon. http://www.undercon.org/archivo/0x08/UC0x08-DVB-Satellite_Hacking.pdf.
9. Based on “DVB: Satellite Hacking for Dummies” by Warezzman. Source: http://www.undercon.org/archivo/0x08/UC0x08-DVB-Satellite_Hacking.pdf.
10. Brown, Gary. “How Satellites Work.” HowStuffWorks. http://science.howstuffworks.com/satellite7.htm. Nov. 5, 2009.
11. Berry, Walter. “Arrests Made in TV Satellite Hacking.” Jan. 25, 2009. abc News. http://abcnews.go.com/Technology/story?id=99047.
12. Morrill, Dan. “Hack a Satellite while it is in orbit.” April 13, 2007. Toolbox for IT. http://it.toolbox.com/blogs/managing-infosec/hack-a-satellite-while-it-is-in-orbit-15690.
13. “PF descobre equipamento capaz de fazer ‘gato’ em satélite dos EUA” (“PF discovered equipment to hook into U.S. satellite”). March 19, 2009. Jornal da Globo. (Global Journal). http://g1.globo.com/Noticias/Tecnologia/0,,MUL1049142-6174,00-PF+DESCOBRE+EQUIPAMENTO+CAPAZ+DE+FAZER+GATO+EM+SATELITE+DOS+EUA.html.
14. Soares, Marcelo. “The Great Brazilian Sat-Hack Crackdown.” Apr. 20, 2009. WIRED. http://www.wired.com/politics/security/news/2009/04/fleetcom.
15. Undercon home page. http://www.undercon.org/archivo.php?ucon=8. Accessed on Nov. 5, 2009.
16. DEF CON IV home page. http://www.defcon.org/html/defcon-4/defcon-4.html. Accessed on Nov. 5, 2009.
17. Note: “Bird” is a term for satellite.
18. HITBSecConf2006 home page. http://conference.hitb.org/hitbsecconf2006kl. Accessed on Nov. 5, 2009.
19. Note: “Feed Hunting” means looking for satellite feeds that no one is supposed to find.
20. Goodin, Dan. “Satellite-hacking boffin sees the unseeable.” Feb. 17, 2009. The Register. http://www.theregister.co.uk/2009/02/17/satellite_tv_hacking.
21. Ekoparty Security Conference home page. http://www.ekoparty.com.ar. Accessed on Nov. 5, 2009.
22. t2´09 Information Security Conference home page. http://www.t2.fi/conference. Accessed on Nov. 5, 2009.
23. Nve, Leonardo. “Playing in a Satellite environment 1.2.” Black Hat. http://blackhat.com/presentations/bh-dc-10/Nve_Leonardo/BlackHat-DC-2010-Nve-Playing-with-SAT-1.2-wp.pdf. Accessed on May 28, 2010.
24. Nve, Leonardo. “Satélite: La señal del cielo que estabas esperando (II)” (“Satellite: The sign from sky that you were waiting for (II)”). Jan. 16, 2009. S21sec. http://blog.s21sec.com/2009/01/satlite-la-seal-del-cielo-que-estabas_16.html.