Friday, February 29, 2008

Phish Me

Last night's NOVASec meeting was an interesting affair. After the presentation by Stratum Security, there was a lively discussion about targeted attacks and how unprepared many organizations are to face this threat. Intrepidus Group founder Aaron Higbee introduced me to his phishme.com site. Looking over the service, I see it delivers an essential user training and social engineering testing function by letting the penetration tester craft custom targeted emails against a client. It tracks the deliveries, who opens the emails and who clicks the baited links inside, then generates a graphical report for delivery to management. This is a great way to gauge the effectiveness of user awareness training programs and identify susceptible users who need retraining. Great product, Intrepidus!

Saturday, February 23, 2008

Idea for End-point Javascript Obfuscation Blocking

I was fortunate enough to attend a presentation by Daniel Peck, of Caffeine Monkey fame, on the characteristics of JavaScript obfuscation attacks. What struck me the most about the presentation were the graphs Mr. Peck included comparing the object characteristics of malicious and benign scripts. While most scripts have a high number of interfacing calls (document.write, writeln, print, alert, etc.) with rather short string content in their tags to direct the content loading, malicious scripts have relatively few interfacing objects with huge string objects (upwards of 80-90% of the script). Across the graphs of scanned sites he showed, this held consistently for malicious vs. non-malicious sites. If this statistical analysis could be integrated into a browser plug-in, it would make for a rudimentary, yet effective barrier to obfuscated iframes and droppers. The plug-in would block script execution based on a user-defined ratio or percentage of interfacing calls to string content.

With a skeleton plug-in and the Caffeine Monkey statistical analysis code being open source, integrating the two should be possible.
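To make the idea concrete, here is a small JavaScript sketch of the ratio heuristic Mr. Peck described. This is my own added example, not code from the presentation or from Caffeine Monkey: the function names (`analyzeScript`, `isSuspicious`), the thresholds, and the two sample scripts are all my assumptions, and the samples are constructed stand-ins rather than captured pages. It walks a script once, separates string-literal content from code (skipping comments), counts the interfacing calls named above, and flags a script when string content dominates while visible interfacing work is scarce.

```javascript
// Added example of the call/string ratio heuristic; not the post's or
// Caffeine Monkey's code. Names, thresholds and samples are assumptions.

// Interfacing calls the post lists; a plug-in would make these user-configurable.
const INTERFACING_CALLS = ["document.write", "document.writeln", "print", "alert"];

// Single pass over the source: strip comments, pull string-literal contents
// out of the code, and count how many characters those literals hold.
function splitStringsFromCode(src) {
  let code = "";
  let stringChars = 0;
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === "/" && src[i + 1] === "/") {                 // line comment
      while (i < src.length && src[i] !== "\n") i++;
      continue;
    }
    if (c === "/" && src[i + 1] === "*") {                 // block comment
      i += 2;
      while (i < src.length && !(src[i] === "*" && src[i + 1] === "/")) i++;
      i += 2;
      continue;
    }
    if (c === '"' || c === "'") {                          // string literal
      const quote = c;
      i++;
      while (i < src.length && src[i] !== quote) {
        if (src[i] === "\\") i++;                          // escape pair counts once
        stringChars++;
        i++;
      }
      i++;                                                 // closing quote
      code += quote + quote;                               // keep an empty literal in the code
      continue;
    }
    code += c;
    i++;
  }
  return { code, stringChars };
}

// Count interfacing calls in the code part only, so strings such as
// "alert(" inside a literal are not mistaken for real calls.
function countInterfacingCalls(code) {
  let n = 0;
  for (const name of INTERFACING_CALLS) {
    const re = new RegExp("(?<![\\w$.])" + name.replace(/\./g, "\\.") + "\\s*\\(", "g");
    n += (code.match(re) || []).length;
  }
  return n;
}

function analyzeScript(src) {
  const { code, stringChars } = splitStringsFromCode(src);
  return {
    length: src.length,
    stringChars,
    stringRatio: src.length ? stringChars / src.length : 0,
    interfacingCalls: countInterfacingCalls(code),
  };
}

// Decision rule (assumed thresholds): block when string content is at least
// maxStringRatio of the script and there are no more than maxCalls interfacing calls.
function isSuspicious(src, maxStringRatio = 0.7, maxCalls = 2) {
  const a = analyzeScript(src);
  return a.stringRatio >= maxStringRatio && a.interfacingCalls <= maxCalls;
}

// Constructed samples, not real captured scripts.
const BENIGN_SAMPLE = [
  "var name = 'visitor';",
  "document.write('<h1>Welcome</h1>');",
  "document.writeln('<p>Hello, ' + name + '</p>');",
  "if (!name) { alert('no name'); }",
  "function go() { print(); } // print the page",
].join("\n");

// Stand-in for a dropper: one enormous encoded string and a single call.
const OBFUSCATED_SAMPLE =
  "var s = '" + "%u9090%u4142".repeat(300) + "';\n" +
  "document.write(unescape(s));";

console.log("benign:", analyzeScript(BENIGN_SAMPLE), isSuspicious(BENIGN_SAMPLE));
console.log("obfuscated:", analyzeScript(OBFUSCATED_SAMPLE), isSuspicious(OBFUSCATED_SAMPLE));
```

The benign sample comes out with four interfacing calls and under a quarter of its bytes inside string literals; the constructed dropper has one call and about 99% string content, so it trips the rule. A real plug-in would expose `maxStringRatio` and `maxCalls` to the user, exactly the knob the post calls for.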