Paul's Security Weekly #528
Recorded August 31, 2017 at G-Unit Studios in Rhode Island!
Tech Segment: Kyle Wilhoit, DomainTools - 6:00-6:30PM
Kyle Wilhoit is a Sr. Security Researcher (or Purveyor of Offensive Security) at DomainTools. Kyle focuses on researching DNS-related exploits, investigating current cyber threats, and exploring attack origins and threat actors. More importantly, he causes pain to cyber criminals and state-sponsored entities worldwide. Prior to joining DomainTools, he worked at Trend Micro as a Sr. Threat Researcher with a focus on original threat research, malware and vulnerability discovery/analysis, and criminal activity on the Internet. Previous to his work at Trend Micro, he was at FireEye hunting badness and puttin' the bruising on cyber criminals and state-sponsored entities as a Threat Intel guy. Kyle is a co-author of the recently released book Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions. Kyle is also involved with several open source projects and actively enjoys reverse engineering things that shouldn't be.
Discuss the concept and merit of pivoting off domain information
- Why pivot off domain names/URLs?
- Pivot off registrant information
- Pivot off Nameservers, Google Analytics IDs, Alexa codes, etc.
Case Study #1
- Use www[.]caihongtangddos[.]cn as the first pivot point within DomainTools Iris (this DDoS platform was published by Cisco Talos on Aug 15th)
- Pivot off contact name (梁甲福)
- Pivot off email@example.com
- Show additional DDOS infrastructure
Case Study #2
- This case study is related to the ransomware Teslacrypt.
- First, start ApateDNS on analysis machine
- Execute sample and watch communications to free-stuff-here.netne.net
- Pivot on free-stuff-here.netne.net in DomainTools Iris (off of Contact Name Kyriakos Kyriako)
- Generate CSV file
- Mention proactively blocking or monitoring the other domains that show up, as they are likely related infrastructure.
- Take comli.com and pivot in Virustotal Intelligence looking for additional samples
- Talk about proactively blocking hashes/comli.com, etc.
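The pivoting both case studies walk through (seed domain, then expand through shared registrant name, email, nameserver or Google Analytics ID, then hand the related domains to blocking/monitoring) can be scripted against an Iris CSV export. The script below is an added example, not DomainTools code or the segment's own tooling; the CSV column names and the sample rows are constructed for the example, and the per-field "too common to attribute" cutoffs are assumed values an analyst would tune.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real Iris data). One row per domain with the
# pivot attributes discussed in the segment; column names are assumptions.
SAMPLE_CSV = """domain,registrant_name,registrant_email,nameserver,ga_id
seed-ddos.example,Registrant A,reg-a@mail.example,ns1.shared-host.example,
booter-two.example,Registrant A,other@mail.example,ns2.alt.example,UA-00001
booter-three.example,Registrant B,other@mail.example,ns2.alt.example,UA-00001
shared-ga.example,Registrant D,d@mail.example,ns9.other.example,UA-00001
unrelated-1.example,Registrant C,c1@mail.example,ns1.shared-host.example,
unrelated-2.example,Registrant E,c2@mail.example,ns1.shared-host.example,
unrelated-3.example,Registrant F,c3@mail.example,ns1.shared-host.example,
"""

# Pivot fields and an assumed cutoff per field: a value shared by more domains
# than the cutoff (e.g. a shared-hosting nameserver) is not attributable and is
# skipped, so it cannot drag unrelated domains into the cluster.
PIVOT_FIELDS = {"registrant_name": 50, "registrant_email": 50, "ga_id": 50, "nameserver": 3}

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def build_index(rows):
    """field -> value -> set of domains carrying that value (empty values ignored)."""
    index = defaultdict(lambda: defaultdict(set))
    for row in rows:
        for field in PIVOT_FIELDS:
            if row[field]:
                index[field][row[field]].add(row["domain"])
    return index

def pivot(rows, seed, max_hops=2):
    """Expand from seed through shared pivot values, at most max_hops away.
    Returns {domain: (hops, field, value)} recording why each domain was linked."""
    index = build_index(rows)
    by_domain = {r["domain"]: r for r in rows}
    found, frontier = {seed: (0, None, None)}, [seed]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for dom in frontier:
            for field, cutoff in PIVOT_FIELDS.items():
                value = by_domain[dom][field]
                if not value or len(index[field][value]) > cutoff:
                    continue
                for other in index[field][value]:
                    if other not in found:
                        found[other] = (hop, field, value)
                        next_frontier.append(other)
        frontier = next_frontier
    return found

def block_list(found):
    """Candidate domains for proactive blocking/monitoring: everything but the seed."""
    return sorted(d for d, (hops, _, _) in found.items() if hops > 0)
```

Each linked domain carries the hop count and the attribute that linked it, which is the justification a reviewer wants before a domain goes on a block list.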
DerbyCon 2017 Preview - 6:30-7:00PM
Security News - 7:00-8:00PM
- Fun with Boarding Passes
- The fappening 3.1? - Selena Gomez' Instagram hacked to add nude photos of Justin Bieber, possibly due to the Instagram API issue?
- SAP POS systems hackable with a Raspi
- The FCC can now host your malware and meme gifs...
- No Evidence of Hacking in McCain, Fitzgerald Collisions
- Not trying to promote, but it’s a tool that I can talk about ☺
- Justin Bieber's nude photos leaked after Selena Gomez social media hacking
- FDA Recalls 465,000 Pacemakers Due To Hacking Fears
- Microsoft persuades customers to upgrade to Windows 10, citing increasing security threats