Advanced Security Analytics

I recently attended the Business for Breakfast seminar held in Geneva, co-hosted by Kudelski Security and RSA around the theme Advanced Security Analytics. In this blog post I am going to summarize the two talks that I particularly enjoyed, as the atmosphere lent itself to it: business for breakfast!

First of all, some context to understand why both companies had an interest in hosting this conference. On March 2, 2016, RSA, The Security Division of EMC, and Kudelski Security, the cybersecurity division of the Kudelski Group, announced that Kudelski Security is now a leading provider of RSA products and services. Through the agreement, RSA provides Kudelski Security with fully managed security and critical incident response services, leveraging RSA's intelligence-driven Security Operations Center (SOC) capabilities to accelerate the detection, investigation, remediation and management of security incidents and vulnerabilities, with the ability to build services around RSA's advanced security operations products, including RSA Security Analytics, the RSA Critical Incident Response Solution, the RSA Security Operations Management solution, RSA ECAT and the RSA Advanced Cyber Defense Practice.

To return to the seminar, the first presentation was given by Robert Griffin, Chief Security Architect at RSA. He explained how to move forward with advanced security operations such as intelligence-driven security, and how organizations can use it, including big data analysis, to embrace opportunity, improve security and reduce risk. Mr Griffin argued that RSA is about delivering a trusted world by applying RSA's intelligence-driven strategy. The following slides help to understand how and why RSA came to this strategy.

  • Evolving IT infrastructure: we cannot keep applying traditional security defenses to the "third platform" IT infrastructure (cloud, mobile, big data and social).
  • The changing threat landscape: new and ever stronger threats challenge traditional security defenses and technologies.
  • Intrusion kill chain: this model deals with intrusions by moving from the traditional reactive posture to a proactive one, based on intelligence gathered through the indicators observed throughout the phases of an attack. Normally the incident response process starts after the exploitation phase, which puts defenders at a disadvantage. With this method, defenders can move their analysis and actions earlier in the kill chain and interfere with the attacker's actions.
  • Solution: intelligence-driven security. The challenge is to manage risk by continuously monitoring the cycle of visibility, analytics and action, and by correlating risk signals and indicators.
  • Benefit of this solution: with real-time intelligence, an organization can manage cyber threats dynamically.

The second part of the seminar was presented by Olivier Spielmann, Head of the Cyber Fusion Center at Kudelski Security. He demonstrated how Kudelski Security leveraged RSA Security Analytics to build an advanced SOC and a multi-tenant security monitoring service.

Src: Kudelski Security, RSA

KeRanger: First Ransomware to infect Mac Computers

[Screenshot: the warning message displayed when opening Transmission]

If you are a Mac user like me who loves to download torrents with the Transmission client, then you will have received this warning message when opening Transmission!

KeRanger ?

KeRanger is ransomware: it encrypts the user's files and then demands money to decrypt them. If the victim does not pay, the data stays locked.

KeRanger arrived with Transmission, the most popular BitTorrent client on the Mac. The version 2.90 installer was trojanized with the ransomware, and some users were infected without knowing it.

Users likely to be victims of KeRanger are those who downloaded version 2.90 of Transmission on March 4 or 5, 2016.

KeRanger waits three days after infection before striking: it then encrypts the files on the victim's computer to bar access to them and demands a ransom.

Once installed, KeRanger searches for approximately 300 different file types and encrypts any it finds. The malware then displays a ransom message demanding that the victim pay 1 Bitcoin (approximately US$408 at the time). Payment is made through a website on the Tor anonymity network.

Apple announced that it was aware of the ransomware and had already revoked the legitimate developer certificate that allowed KeRanger to pass Gatekeeper and be installed on Macs.

How do you know whether you are infected?

Open a Terminal or use the Finder to check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either file is present, the Transmission application is infected and it is highly advisable to remove it.

[Screenshots: the Resources folder of the author's own Transmission.app bundle, showing no General.rtf]

These are the screenshots of my own Transmission install. Since I use the Transmission 2.84 release, I'm not infected. On infected computers the file General.rtf would be present between these blue lines!

Are you infected? Make sure to download version 2.92, which removes the malware!
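The check described above, as an added example that is not part of the original post: a small scanner that looks for the General.rtf indicator in the two Transmission.app locations, reads the bundle version from Info.plist (the CFBundleShortVersionString key), and flags a 2.90 install even when the indicator file is absent, so the user knows to update. The `root` argument and the `make_sample_bundle` fixture are additions of this example so the scan can be exercised on a throw-away directory; on a real Mac call `scan()` with the default root.

```python
"""Added example (not from the original post): scan for the KeRanger
indicator General.rtf inside Transmission.app and report the bundle version.
Only the file location Transmission.app/Contents/Resources/General.rtf and the
infected version 2.90 come from the KeRanger write-ups; the fixture and the
`root` parameter are illustrative so the scan can run on a temporary directory."""
import os
import plistlib
import tempfile

IOC_RELATIVE = os.path.join("Contents", "Resources", "General.rtf")
BUNDLE_LOCATIONS = (
    os.path.join("Applications", "Transmission.app"),
    os.path.join("Volumes", "Transmission", "Transmission.app"),
)
INFECTED_VERSION = "2.90"


def bundle_version(bundle):
    """CFBundleShortVersionString from the bundle's Info.plist, or None."""
    info = os.path.join(bundle, "Contents", "Info.plist")
    if not os.path.isfile(info):
        return None
    with open(info, "rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def scan(root="/"):
    """One finding per Transmission bundle found under root."""
    findings = []
    for location in BUNDLE_LOCATIONS:
        bundle = os.path.join(root, location)
        if not os.path.isdir(bundle):
            continue
        version = bundle_version(bundle)
        ioc_present = os.path.isfile(os.path.join(bundle, IOC_RELATIVE))
        findings.append({
            "bundle": bundle,
            "version": version,
            "general_rtf": ioc_present,
            "infected": ioc_present,                 # the file itself is the indicator
            "suspect": version == INFECTED_VERSION,  # trojanized release: update and verify
        })
    return findings


def make_sample_bundle(root, version, infected):
    """Constructed fixture: a fake Transmission.app under root/Applications."""
    bundle = os.path.join(root, BUNDLE_LOCATIONS[0])
    os.makedirs(os.path.join(bundle, "Contents", "Resources"), exist_ok=True)
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": version}, fh)
    if infected:
        with open(os.path.join(bundle, IOC_RELATIVE), "w") as fh:
            fh.write("placeholder for the ransom note")
    return bundle


def demo():
    """Scan a clean 2.84 bundle and an infected 2.90 bundle in temp dirs."""
    results = {}
    for label, version, infected in (("clean", "2.84", False), ("infected", "2.90", True)):
        with tempfile.TemporaryDirectory() as root:
            make_sample_bundle(root, version, infected)
            results[label] = scan(root)[0]
    return results


if __name__ == "__main__":
    live = scan("/")
    for finding in live or [{"bundle": "no Transmission bundle found"}]:
        print(finding)
```

The version check matters because the indicator file can be deleted while the encrypting component survives; treat a 2.90 bundle as suspect regardless and replace it with 2.92.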



Question 37: What is DNS Hijacking and How Does it Work?

I have a question ...

DNS hijacking is the redirection of domain name system (DNS) queries to a resolver or an answer that an attacker controls. It may be accomplished with malicious software on the client or by unauthorized modification of a DNS server. Once the attacker controls name resolution, they can send everyone who relies on it to a web page that looks the same as the real one but contains extra content such as advertisements, to pages hosting malware, or to a third-party search engine.

ISP hijacking

DNS hijacking is also done by some Internet service providers, such as Comcast, so that they can send users to their own search page when they visit a domain that does not exist (the resolver replaces the "no such domain" answer with the address of the ISP's page). Many claim this is to improve the user experience; it is also another source of revenue, since the ISP controls the page and gets paid for advertisement clicks. Currently there are no laws against an ISP doing this to its users.

How does DNS hijacking work?

As mentioned before, DNS is responsible for mapping user-friendly domain names to their corresponding IP addresses. The DNS server your computer queries is usually owned and maintained by your Internet service provider (ISP), or by another organization. By default, your computer is configured to use the ISP's DNS server; in some cases it may use the DNS service of another reputable organization such as Google. In either case the resolver is expected to answer honestly, and everything works normally.

DNS Hijacking

Now imagine a situation where an attacker or a malware program gains unauthorized access to your computer and changes its DNS settings, so that it now uses a rogue DNS server owned and maintained by the attacker. The rogue server can translate the domain names of desirable websites (banks, search engines, social networks, etc.) to the IP addresses of malicious websites. As a result, when you type the URL of a website in the address bar, you may be taken to a fake site instead of the one you intended, and the credentials you type there go to the attacker.
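An added example, not from the original post, covering both scenarios above: the client-side hijack (a rogue resolver or a hosts-file entry planted on the machine) and the ISP search-page hijack (a resolver that answers names that cannot exist). The resolver configuration, hosts file and DNS answers are constructed samples; the trusted-resolver list and the watched domains are assumptions an operator would tailor, and nothing here touches the network.

```python
"""Added example (not part of the original post): offline audit for the two
forms of DNS hijacking described above. All inputs are constructed samples;
no real DNS query is sent."""
import ipaddress
import secrets

# Resolvers the operator trusts. 8.8.8.8 / 8.8.4.4 are Google's public
# resolvers; 10.0.0.53 is a hypothetical corporate resolver.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "10.0.0.53"}

# Names whose answers an attacker would most like to control (assumed list).
WATCHED_DOMAINS = {"www.mybank.example", "accounts.google.com", "www.facebook.com"}


def _fields(line):
    """Split a config line into tokens, dropping comments and blank lines."""
    return line.split("#", 1)[0].split()


def parse_resolv_conf(text):
    """Nameserver addresses declared in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = _fields(line)
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # malformed entry, not a usable resolver
    return servers


def untrusted_resolvers(resolv_conf, trusted=TRUSTED_RESOLVERS):
    """Configured resolvers not on the allowlist: the sign of a local hijack."""
    return [s for s in parse_resolv_conf(resolv_conf) if s not in trusted]


def hosts_overrides(hosts_text, watched=WATCHED_DOMAINS):
    """Watched domains pinned to a fixed address in /etc/hosts. This bypasses
    DNS entirely and is a common trick of DNS-changing malware."""
    hits = {}
    for line in hosts_text.splitlines():
        parts = _fields(line)
        for name in parts[1:]:
            if name.lower() in watched:
                hits[name.lower()] = parts[0]
    return hits


def nxdomain_hijack(resolve, attempts=3):
    """Resolve random labels under .com that cannot exist. An honest resolver
    returns no address for any of them; a search-page hijack answers all of
    them. `resolve(name)` returns a list of IPv4 strings ([] means NXDOMAIN).
    Returns the sorted hijack addresses, or None if the resolver looks honest."""
    answers = set()
    for _ in range(attempts):
        name = "nx-%s.com" % secrets.token_hex(8)
        got = resolve(name)
        if not got:
            return None  # a genuine NXDOMAIN: not hijacked
        answers.update(got)
    return sorted(answers)


# Constructed samples: a clean host and one whose resolver was changed.
CLEAN_RESOLV = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n"
HIJACKED_RESOLV = "# edited by dropper\nnameserver 198.51.100.23\nnameserver 8.8.8.8\n"
HIJACKED_HOSTS = "127.0.0.1 localhost\n198.51.100.23 www.mybank.example\n"


def demo():
    """Run every check on the samples and on two simulated ISP resolvers."""
    def honest_isp(name):
        return []                 # NXDOMAIN for names that do not exist

    def search_page_isp(name):
        return ["203.0.113.7"]    # answers everything with its own page

    return {
        "clean_untrusted": untrusted_resolvers(CLEAN_RESOLV),
        "hijacked_untrusted": untrusted_resolvers(HIJACKED_RESOLV),
        "hosts_hits": hosts_overrides(HIJACKED_HOSTS),
        "honest_isp": nxdomain_hijack(honest_isp),
        "hijacking_isp": nxdomain_hijack(search_page_isp),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, "->", result)
```

On a real host, feed `untrusted_resolvers` the contents of /etc/resolv.conf (or the output of `scutil --dns` / `ipconfig /all`, parsed the same way) and give `nxdomain_hijack` a function that performs a real lookup; the random-label trick is the standard way to catch an ISP that rewrites NXDOMAIN answers.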

Src: gohacking, Computer Hope 

Deep Web : Virtual to reality (Ross Ulbricht)


Ross Ulbricht, the founder of Silk Road, the online site selling drugs, was sentenced on Friday, May 29, 2015 to life imprisonment by a court in New York. He was known on Silk Road under the pseudonym "Dread Pirate Roberts" or "DPR". According to the FBI, Ulbricht had moved to San Francisco. A graduate with a master's degree in materials science from Pennsylvania State University, the young man controlled the servers and infrastructure of the site, ran a small "customer service" and managed a small team of administrators.

Silk Road …

"Great quality for heroin smashes". This is the type of ad you could find on Silk Road. Silk Road, also called the "eBay of drugs", was built on the principle of anonymity. The site, hidden in the deep web, was reachable only by users of the decentralized Tor network, which is designed to guarantee anonymity. Launched in 2011, Silk Road allowed its users to sell or buy any product, including drugs. Credit cards and PayPal accounts were obviously prohibited, to protect user identities. Purchases were paid in the virtual currency bitcoin, which was believed to guarantee confidentiality: transactions were pseudonymous and the seller did not know the buyer. The only information revealed was the delivery address.

According to the FBI, between February 2011 and July 2013 the website handled nearly 1.2 million transactions for a total of almost 9.5 million bitcoins, close to US$1.2 billion according to the US authorities' calculations. Silk Road levied a commission on each payment, estimated over the same period at 600,000 bitcoins, or about US$80 million, a sum that financed the operation of the website and the small team that managed it.

FBI Investigations  …

In July 2013, the FBI identified a server located abroad that hosted Silk Road. Through cooperation with the local authorities, US investigators obtained a complete image of the server and access to the private messages exchanged on the site. To identify the creators of Silk Road, the FBI and other US security agencies then looked for the earliest online promotion of the site, including on forums. There they found two posts by a certain "altoid" which, by cross-checking, led them to a WordPress blog linked to a Gmail address: that of Ross William Ulbricht, the website's founder.

Bad Configuration: Tor's Mechanism ...

To identify and locate Silk Road, the FBI simply exploited a flaw in the configuration of Silk Road's login page. By connecting as an ordinary client and analyzing the traffic between the FBI's computers and Silk Road's, FBI agent Tarbell noticed that one IP address sent by the server during the login sequence did not belong to any known Tor relay. He then looked up the location of this "ordinary" IP address, a very simple operation, and discovered that it led to a commercial hosting company in Iceland.

To support his explanation, which is almost too simple, agent Tarbell refers to the user guide published by Tor's designers. It explains that to "Torify" an application (for example a web shop) one must follow a strict procedure; otherwise the real IP address of the server remains visible, and routing the traffic through the relays conceals nothing.

Later, after reading Ross Ulbricht's private messages, the FBI discovered that he was aware of this flaw in his system. Apparently he had read the manual less carefully than agent Tarbell, and had failed to fix it properly ...

Once the IP address was identified, the US sent a request for legal assistance to the Icelandic authorities. Investigators of the Reykjavik police first noted that the target server was handling large volumes of Tor-encrypted traffic. They then recovered its connection history and its entire contents, and transmitted them to the FBI. The result was unequivocal: the IP address collected by the FBI was that of a server used by Silk Road to link buyers and drug dealers.

The use of Tor and bitcoin gave Silk Road a double, sophisticated layer of protection in the deep web; it was nevertheless unmasked because of a configuration flaw!
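The class of mistake described above is a service that is "Torified" on paper but still exposes its real IP address. The following added example (not from the original post, and not Tor project tooling) audits the two places this usually goes wrong: the torrc `HiddenServicePort VIRTPORT [TARGET]` line, whose target should be a loopback address (Tor defaults it to 127.0.0.1:VIRTPORT), and the web server's `listen` directive, which must not bind a public interface or the same site is reachable directly, bypassing Tor. The configuration texts are constructed samples showing the weak setting beside the corrected one; the 10.0.0.5 address is a hypothetical LAN host.

```python
"""Added example (not from the original post): audit a hidden service's torrc
and nginx configuration for a backend that is reachable without Tor. The
config texts are constructed samples; the checks are illustrative only."""
import ipaddress
import re

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def is_loopback(host):
    """True for 127.x.x.x, ::1 or the name 'localhost'."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host.lower() == "localhost"
    return any(addr in net for net in LOOPBACK_NETS)


def hidden_service_targets(torrc):
    """Backend targets of HiddenServicePort lines, e.g. '127.0.0.1:8080'.
    A missing TARGET means 127.0.0.1:VIRTPORT (Tor's documented default)."""
    targets = []
    for line in torrc.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "hiddenserviceport":
            targets.append(parts[2] if len(parts) > 2 else "127.0.0.1:" + parts[1])
    return targets


def nginx_listeners(conf):
    """(host, port) pairs from nginx `listen` directives.
    A bare port ('listen 80;') binds every interface, so it maps to 0.0.0.0."""
    listeners = []
    for match in re.finditer(r"^\s*listen\s+([^;\s]+)", conf, re.MULTILINE):
        spec = match.group(1)
        if ":" in spec:                       # 127.0.0.1:80 or [::1]:80
            host, _, port = spec.rpartition(":")
        else:                                 # 80
            host, port = "0.0.0.0", spec
        try:
            listeners.append((host, int(port)))
        except ValueError:
            continue                          # unix: sockets etc., not routable
    return listeners


def audit(torrc, nginx_conf):
    """Findings that make the service reachable outside Tor."""
    findings = []
    for target in hidden_service_targets(torrc):
        if target.startswith("unix:") or target.isdigit():
            continue                          # socket or port-only form: local
        host = target.rpartition(":")[0]
        if not is_loopback(host):
            findings.append("HiddenServicePort target %s is not loopback" % target)
    for host, port in nginx_listeners(nginx_conf):
        if not is_loopback(host):
            findings.append("backend listens on %s:%d, reachable without Tor" % (host, port))
    return findings


# Constructed samples: weak configuration beside the corrected one.
WEAK_TORRC = "HiddenServiceDir /var/lib/tor/shop/\nHiddenServicePort 80 10.0.0.5:80\n"
WEAK_NGINX = "server {\n    listen 80;\n    server_name _;\n}\n"
FIXED_TORRC = "HiddenServiceDir /var/lib/tor/shop/\nHiddenServicePort 80 127.0.0.1:8080\n"
FIXED_NGINX = "server {\n    listen 127.0.0.1:8080;\n    server_name _;\n}\n"


def demo():
    return {"weak": audit(WEAK_TORRC, WEAK_NGINX), "fixed": audit(FIXED_TORRC, FIXED_NGINX)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or ["no issue found"])
```

A listener check like this only covers the binding; the login-page leak in the story was the application itself handing out a non-Tor address, so the application's outbound and embedded URLs need the same scrutiny.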

Deep Web the movie …

"Deep Web" is the title of a 90-minute documentary film devoted to Ross Ulbricht and Silk Road. It is broadcast on the US TV channel Epix on May 31.


Deep Web gives the inside story of one of the most important and riveting digital crime sagas of the century: the arrest of Ross William Ulbricht, the convicted 30-year-old entrepreneur accused of being "Dread Pirate Roberts", creator and operator of the online black market Silk Road. The film explores how the brightest minds and thought leaders behind the Deep Web are now caught in the crosshairs of the battle for control of a future inextricably linked to technology, with our digital rights hanging in the balance.

Deep Web features the core architects of the Deep Web: the anarchistic cryptographers who developed the Deep Web's tools for the military in the early 1990s; the dissident journalists and whistleblowers who immediately sought refuge in this seemingly secure environment; and the figures behind the rise of Silk Road, which combined the security of the Deep Web with the anonymity of cryptocurrency.

Deep Web

What is the Deep Web?

The deep web or hidden web is the part of the Web that is online but not indexed by traditional search engines such as Google, Yahoo or Bing. The part of it that is deliberately hidden, the dark web, cannot be reached with a standard browser configuration (Google Chrome, Mozilla Firefox...) and needs dedicated software; the best known is Tor.

Tor (The Onion Router) is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.
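To make "bouncing around a network of relays" concrete, here is an added example that is not part of the original post and is not Tor code: a toy model of onion layering. The client wraps its message once per relay; each relay strips one layer and learns only who handed it the cell and where to forward it. The cipher is a throw-away SHA-256 keystream and the per-relay keys are generated on the spot, both assumptions of this demo; real Tor negotiates a key with each hop and protects relay links with TLS.

```python
"""Added example (not from the original post): a toy model of Tor's layered
("onion") encryption. Illustrative cipher and keys; not for real use."""
import hashlib
import json
import secrets


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR data with SHA-256(key || counter) blocks.
    The same call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(path, destination, payload):
    """Client side. `path` is [(relay_name, key shared with that relay), ...]
    from the entry relay to the exit. The innermost layer names the real
    destination; every outer layer names only the next relay."""
    names = [name for name, _ in path]
    keys = [key for _, key in path]
    cell = json.dumps({"next": destination, "data": payload.hex()}).encode()
    cell = keystream_xor(keys[-1], cell)            # layer for the exit relay
    for i in range(len(path) - 2, -1, -1):          # then middle, then entry
        cell = json.dumps({"next": names[i + 1], "data": cell.hex()}).encode()
        cell = keystream_xor(keys[i], cell)
    return cell


def peel(key, cell):
    """Relay side: strip one layer, learn the next hop and the inner cell."""
    layer = json.loads(keystream_xor(key, cell).decode())
    return layer["next"], bytes.fromhex(layer["data"])


def route(path, cell, sender="client"):
    """Simulate the circuit. Each relay records only what it can observe:
    who handed it the cell and where it must forward the result."""
    keys = dict(path)
    log = []
    previous, hop = sender, path[0][0]
    while hop in keys:
        hop_next, cell = peel(keys[hop], cell)
        log.append({"relay": hop, "from": previous, "to": hop_next})
        previous, hop = hop, hop_next
    return log, hop, cell        # hop is now the destination, cell the payload


def demo():
    """Three-hop circuit carrying a request to www.example.com."""
    path = [(name, secrets.token_bytes(16)) for name in ("guard", "middle", "exit")]
    payload = b"GET / HTTP/1.1"
    log, destination, delivered = route(path, build_onion(path, "www.example.com", payload))
    return {"log": log, "destination": destination, "payload": delivered}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

In the log, the guard sees the client but only the middle relay as destination, and the exit sees www.example.com but only the middle relay as source; that separation is what the Silk Road server lost when it answered with its own address outside the circuit.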

With such protection, one quickly understands why this obscure part of the Internet, also called the darknet, is full of sites related to drug trafficking, child abuse material, stolen credit cards and many other illegal things.

The Deep Web is often presented as divided into levels:

First Level: Surface Web

This is the Internet we know, the usual web we surf in our day-to-day life: websites that can be accessed directly or are listed by a search engine such as Google, Yahoo or Bing, and that require no proxy service to connect.

Second Level: Bergie Web

This is the part of the Internet that is not indexed by search engines but is directly accessible, no proxy required. Here you find "underground" sites that are nevertheless reachable, such as 4chan, Freehive, 1eden or Black Hat World, FTP servers, and blocked Google search results. This is the last freely accessible level; all the levels that follow require a proxy or VPN, Tor, or (supposedly) modified hardware.

Third Level: Deep Web 

From the third level onward the Deep Web proper starts: no search engine can index these sites, and they need an anonymity network such as Tor, I2P, Freenet or JonDo to be reached. Although this is the Deep Web, most content on level 3 is publicly accessible (through the proxy) without any restriction.

Fourth Level: Charter Web 

This level is also divided into two parts,

The first part is reached through the Tor network and contains things such as drug and human trafficking, banned films and books, and black markets. It includes the Hidden Wiki (usually the first website you reach when trying to get into the deep web), a directory that links to many other charter-web sites.

Websites here become more restrictive and use stronger access controls: registration and login, invitation-only membership, opening only at specific times or dates, restriction to certain IP addresses, or a combination of these. Unlike most websites, they are not interested in maximizing traffic and keep a very low profile even within the Deep Web.

The second part is said to be reachable only through a hardware modification, a "Closed Shell System" (CSS), and to contain over 80% of the web, not in volume but in concentration of information: this part of the charter web supposedly holds "unconditional PC", information on experimental hardware ("Gadolinium Gallium Garnet Electronic Quantum Processors" ...) and dark information such as "Law 13", the experiments of World War II, and even the location of Atlantis. None of this has ever been verified; it is the folklore that travels with the "levels" chart.

In practical terms, a closed system is a single computer or a network of systems that is not connected to any external network at all; it can only be accessed from within. It is not possible to connect to such systems unless the attacker can physically reach them. Many companies have sensitive internal networks behind a firewall (green zone), but that is a different scenario and is still considered insecure in this context: a CSS network has no physical (wired or wireless) connection to any other network. What these networks contain is left to the reader's imagination.

Fifth Level: Marianas’ Web

About this level (and levels 5 to 8) I have read many things:

For some: we don't have to go there! It is a mystery, purely imaginative, and extremely difficult (if not impossible) to verify. For others: it is "quantum computing", accessible only to governments, which is why we cannot enter this part of the web. For you: leave a comment to share!

More detail in this graph...


Cisco Next-Generation Firewall (NGFW)

In our Technologies category I would like to talk about Cisco Next-Generation Firewalls.

Cisco has gained strength in next-generation firewalls through the Sourcefire code base: the official acquisition of Sourcefire by Cisco in October 2013 allowed it to build a firewall unique of its kind.

With this acquisition, Cisco expanded its range and skills in the security area. The approach is a vision of security that intervenes before the attack, during the attack and after the attack.

Cisco – SourceFire …

Cisco is historically known for its expertise before the attack, that is access control, where it excelled for many years, while Sourcefire is rather an expert after the attack: forensics, intrusion detection and the management of security events. The merger of the two companies' skills and technologies therefore provides a completeness that enables new solutions across the whole attack life cycle.

Historically ...
Ten years ago, firewalls (the ASA 5500 series) were intended to open and control ports, because attacks targeted the protocols themselves. Hackers quickly moved their interest to application vulnerabilities to launch attacks, so we started talking about application firewalls and next-generation firewalls. Today almost all attacks are carried over legitimate, authorized applications, so we must look at the threat, at the attack itself, to make good decisions; application control alone is not enough.

Example …

If we imagine an attack whose goal is data exfiltration, the first phase is to send a phishing email to a user in order to take control of his machine. Typically this passes through an authorized port and an authorized application: the email client.

So far there is no exploit against the mail protocol itself; it is the content that carries the threat, so we have every interest in knowing the threat in order to make a decision.
As the attack aims to exfiltrate information, the attackers will make sure to use authorized flows (HTTPS, SSH) to get out of the network with the data.
Once again, because these are authorized flows, we have fewer means to make the right decision based on the application alone: we need to correlate several security events with information about the threat. Hence the next-generation firewall with next-generation IPS.

What is this firewall? ...

It encompasses several areas. The basic connection and routing layer is Cisco ASA technology, which is known for its robustness and performance and is now the most deployed firewall in the world. Application control and next-generation IPS intelligence are the legacy of Sourcefire.

All customers who have an ASA-X in their network can implement the full next-generation firewall functionality by upgrading; the aim is to bring more functionality to what already works.

Am I infected ?

The Cyberthreats Realtime Map is a visual tool that lets users see what is going on in cybersecurity around the world in real time.

This tool is built by Kaspersky Lab. It shows that malicious actors are constantly attacking networks, companies and even individuals.

The real-time cyberthreat map exposes global threats as they happen and looks like this:


This is just a short introduction post about this tool; we will come back to it soon.

Here is the Kaspersky link to watch the real-time map.

Enjoy it!!! And grab a picture for your country.