beyond paste monitoring
play

Beyond paste monitoring Deep information leak analysis Jnis Deri 1 - PowerPoint PPT Presentation

Jul 26, 2023 •340 likes •893 views

TF-CSIRT 56, Tallinn, January 21, 2019 Beyond paste monitoring Deep information leak analysis Jnis Deri 1 Introduction 2 Existing tools 3 Issues with regular expressions 4 Deep processing 5 Pastelyser 6 Closing remarks Jnis Deri

  1. TF-CSIRT 56, Tallinn, January 21, 2019 Beyond paste monitoring Deep information leak analysis Jānis Džeriņš

  2. 1 Introduction 2 Existing tools 3 Issues with regular expressions 4 Deep processing 5 Pastelyser 6 Closing remarks Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 2 / 47 Outline

  3. Many of us have heard of them (e.g., pastebin.com) Used to share text content, usually code Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 3 / 47 What are paste sites

  4. On many sites pastes can be created ”anonymously” As observers we cannot know the communicating parties Non-text content is shared by means of encoding It is not uncommon that sensitive data is shared on these sites Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 4 / 47 What's the big deal?

  5. 1 Introduction 2 Existing tools 3 Issues with regular expressions 4 Deep processing 5 Pastelyser 6 Closing remarks Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 5 / 47 Outline

  6. Most (all?) detectors based on regular expressions Data feed not included (but CIRCL.LU can provide one) Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 6 / 47 CIRCL AIL https://github.com/CIRCL/AIL-framework

  7. Uses Yara for detection Rules based on static strings and regular expressions Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 7 / 47 PasteHunter https://github.com/kevthehermit/PasteHunter

  8. Monitors paste sites But also has leaks from ”Dark Web” Leaks can also be marked as ”verifjed” by the maintainer Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 8 / 47 Hacked emails https://hacked-emails.com

  9. 9 / 47 A commercial ofgering Detect a data breach using realistic pseudo-users (canaries) TF-CSIRT 56, Tallinn, January 21, 2019 Beyond paste monitoring Discovered from a paste: Jānis Džeriņš Breach Insider https://breachinsider.com https://hn.svelte.technology/item/15836426 # Development test for Breach Insider # # https://breachinsider.com # 1. johnnybravo@breachcanary.com:password12345 2. somegiberish@example.com:password12345 Lorem ipsum dolor sit amet, consectetuer adipiscing elit...

  10. Paste monitoring tool developed as a master’s thesis Emphasis on false positive avoidance Uses ”machine learning” (supervised) for classifjcation Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 10 / 47 Leak Hawk http://dilum.bandara.lk/wp-content/uploads/2017/04/ Thesis-Nalinda-Herath.pdf https://github.com/isuru-c/LeakHawk

  11. Twitter bot Activity seems bursty Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 11 / 47 Dump Monitor https://twitter.com/dumpmon

  12. Sources leaks from Dump Monitor Visitors can check their credentials Has an ”API” Used by many tools and organizations Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 12 / 47 Have I been pwned? https://haveibeenpwned.com/

  13. 1 Introduction 2 Existing tools 3 Issues with regular expressions 4 Deep processing 5 Pastelyser 6 Closing remarks Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 13 / 47 Outline

  14. Pros: A Domain Specifjc Language (DSL) for string matching Relatively easy to write/read Simple subset the same across implementations Cons: One-dimensional Easy to get wrong Finite automatons over limited alphabets Usefulness degrades rapidly Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 14 / 47 Overview Good for high result effort ratio (i.e., low-hanging fruit)

  15. [a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}:[a-zA-Z0-9_-]+ ↑ ↑ passphrase separator and alphabet TF-CSIRT 56, Tallinn, January 21, 2019 Beyond paste monitoring Jānis Džeriņš Not all usernames are email addresses 15 / 47 Permissive credential rule (unused) Restrictive credential rule (no symbols, latin-based) Limited alphabets \b([@a-zA-Z0-9._-]{5,})(:|\|)(.*)\b ↑ ↑ passphrase separator alphabet (colon or vertical bar)

  16. 15 / 47 Restrictive credential rule (no symbols, latin-based) TF-CSIRT 56, Tallinn, January 21, 2019 Beyond paste monitoring Jānis Džeriņš Not all usernames are email addresses Permissive credential rule (unused) Limited alphabets \b([@a-zA-Z0-9._-]{5,})(:|\|)(.*)\b ↑ ↑ passphrase separator alphabet (colon or vertical bar) [a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}:[a-zA-Z0-9_-]+ ↑ ↑ passphrase separator and alphabet

  17. 15 / 47 Restrictive credential rule (no symbols, latin-based) TF-CSIRT 56, Tallinn, January 21, 2019 Beyond paste monitoring Jānis Džeriņš Not all usernames are email addresses Permissive credential rule (unused) Limited alphabets \b([@a-zA-Z0-9._-]{5,})(:|\|)(.*)\b ↑ ↑ passphrase separator alphabet (colon or vertical bar) [a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}:[a-zA-Z0-9_-]+ ↑ ↑ passphrase separator and alphabet

  18. Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 16 / 47 Not emails tinkertoolleveling@1.10.2-1.0.1.DEV D_2566UHx@2296.wav big_279@2x.png postfix@-.service ShowWindow@user32.dll app@com.ultrasoft.runtracker.apk this@expand.layoutParams.height 0..@rules.length endexp-@pokemon.exp curve25519-sha256@libssh.org en@quot.po

  19. The same character can be encoded difgerently in source document Not really a fault of regular expressions Can’t apply regular expressions on raw input Bytes are not characters! Consider ISO-8859-* vs. UTF-8 vs. UTF-16 (big/little-endian) Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 17 / 47 Text encodings (character sets)

  20. Beyond paste monitoring Jānis Džeriņš TF-CSIRT 56, Tallinn, January 21, 2019 18 / 47 Context (un)awareness (1) <item>hxxp://marc.info/?l=bugtraq&amp;m=109778914829901&amp;w=2</item> <item>hxxp://marc.info/?l=bugtraq&amp;m=109810854031673&amp;w=2</item> ^^^^^^^^^^^^^^^ valid 15-digit card number

  21. Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 19 / 47 Context (un)awareness (2) ... 1360 1432 1568 1776 768 771 781 798 -hsync +vsync (47.7 kHz d) ... 1400 1488 1640 1880 1050 1052 1064 1082 +hsync +vsync (64.9 kHz d) ... 1360 1432 1568 1776 768 771 781 798 -hsync +vsync (47.7 kHz d) ^^^^^^^^^^^^^^^^^^^ valid 16-digit card number

  22. Beyond paste monitoring Jānis Džeriņš TF-CSIRT 56, Tallinn, January 21, 2019 20 / 47 Context (un)awareness (3) sublist("598538796879851");Like("170594743025055"); Like("485981418139187");Like("623725484361182"); ^^^^^^^^^^^^^^^ valid 15-digit card number

  23. 7375 626c 6973 7428 2235 3938 3533 3837 sublist("5985387 3936 3837 3938 3531 2229 3b4c 696b 6528 96879851");Like( 2231 3730 3539 3437 3433 3032 3530 3535 "170594743025055 2229 3b0a 4c69 6b65 2822 3438 3539 3831 ");.Like("485981 3431 3831 3339 3138 3722 293b 4c69 6b65 418139187");Like 2822 3632 3337 3235 3438 3433 3631 3138 ("62372548436118 3222 293b 2"); TF-CSIRT 56, Tallinn, January 21, 2019 Beyond paste monitoring 21 / 47 Jānis Džeriņš It is obvious to us that those were not credit card numbers How do we transfer that knowledge into software we write? Context (un)awareness (4)

  24. 21 / 47 It is obvious to us that those were not credit card numbers How do we transfer that knowledge into software we write? TF-CSIRT 56, Tallinn, January 21, 2019 Beyond paste monitoring Jānis Džeriņš Context (un)awareness (4) 7375 626c 6973 7428 2235 3938 3533 3837 sublist("5985387 3936 3837 3938 3531 2229 3b4c 696b 6528 96879851");Like( 2231 3730 3539 3437 3433 3032 3530 3535 "170594743025055 2229 3b0a 4c69 6b65 2822 3438 3539 3831 ");.Like("485981 3431 3831 3339 3138 3722 293b 4c69 6b65 418139187");Like 2822 3632 3337 3235 3438 3433 3631 3138 ("62372548436118 3222 293b 2");

  25. 1 Introduction 2 Existing tools 3 Issues with regular expressions 4 Deep processing 5 Pastelyser 6 Closing remarks Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 22 / 47 Outline

  26. We want [partial] parsers instead of regular expressions Domain part of emails is a domain All domain name rules/constraints apply Existence of an MX record useful, but not necessary URLs (URIs) have a strict syntax Credentials (limited alphabet) are ”embedded” Special rules for ”host” part (can be IPv4/IPv6 address) Programming language syntax awareness Variables vs. values Strings (quoted) Jānis Džeriņš Beyond paste monitoring TF-CSIRT 56, Tallinn, January 21, 2019 23 / 47 Beyond regular expressions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Doubling FreeBSD request-response throughputs over TCP with PASTE Michio Honda, Giuseppe Lettieri

Doubling FreeBSD request-response throughputs over TCP with PASTE Michio Honda, Giuseppe Lettieri

Doubling FreeBSD request-response throughputs over TCP with PASTE Michio Honda, Giuseppe Lettieri AsiaBSDCon 2019 Contact: @michioh, micchie@sfc.wide.ad.jp Code: https://micchie.net/paste/ Paper:

290 views • 26 slides
CHARACTERIZATION A AND COMPRESSIVE STRENGTH O OF GEOPOLYMER P PASTE BASED ON FLY ASH By By :

CHARACTERIZATION A AND COMPRESSIVE STRENGTH O OF GEOPOLYMER P PASTE BASED ON FLY ASH By By :

TH ICRMCE , 11 ST - 12 ND JULY 2018 4 TH 11 ST 12 ND CHARACTERIZATION A AND COMPRESSIVE STRENGTH O OF GEOPOLYMER P PASTE BASED ON FLY ASH By By : Ari ri Widay idayan anti ti, , Ria ia A.A .A. . Soe Soemitr mitro, , Hita Hitapriy

529 views • 12 slides
The Inexpensive Lon Safko Presentation Kit Accessories PASTE YOUR COMPANY NAME HERE (From

The Inexpensive Lon Safko Presentation Kit Accessories PASTE YOUR COMPANY NAME HERE (From

The Inexpensive Lon Safko Presentation Kit Accessories PASTE YOUR COMPANY NAME HERE (From Business Card) Microphones Refreshments Note Pad Projector For Presentation Screen, www.LonSafko.com Set up in front of monitor and go to

192 views • 4 slides
Micro-spectroscopic investigations of the Al and S speciation in hardened cement paste 1 ,R.

Micro-spectroscopic investigations of the Al and S speciation in hardened cement paste 1 ,R.

Nuclear Energy and Safety Research Department Laboratory for Waste Management PAUL SCHERRER INSTITUT Micro-spectroscopic investigations of the Al and S speciation in hardened cement paste 1 ,R. Dhn 1 , B. Lothenbach 2 , M. Vespa 1 E.

646 views • 52 slides
D O NOT COPY &amp; PASTE ! N O REPLICATIONS IN SYNTACTIC DERIVATIONS Hubert Haider FB

D O NOT COPY &amp; PASTE ! N O REPLICATIONS IN SYNTACTIC DERIVATIONS Hubert Haider FB

D O NOT COPY &amp; PASTE ! N O REPLICATIONS IN SYNTACTIC DERIVATIONS Hubert Haider FB Linguistik &amp; Centre for Cognitive Neuroscience I GRA Workshop on Replicative Processes in Language Univ. Leipzig, July 8 th -9 th , 2016 Odd-ball

462 views • 33 slides
QUANTIFYING THE IMPROVEMENTS IN THE SOLDER PASTE PRINTING PROCESS FROM STENCIL NANOCOATINGS AND

QUANTIFYING THE IMPROVEMENTS IN THE SOLDER PASTE PRINTING PROCESS FROM STENCIL NANOCOATINGS AND

Originally published at the International Conference on Soldering and Reliability, Toronto, Ontario, Canada, May 13, 2014 QUANTIFYING THE IMPROVEMENTS IN THE SOLDER PASTE PRINTING PROCESS FROM STENCIL NANOCOATINGS AND ENGINEERED UNDER WIPE

929 views • 50 slides
MAC C Engineering neering and d Equipment ipment Company pany, , Inc. 1) New and improved

MAC C Engineering neering and d Equipment ipment Company pany, , Inc. 1) New and improved

MAC C Engineering neering and d Equipment ipment Company pany, , Inc. 1) New and improved ways to help reduce paste and paste dust from transferring down the line. 2) Tighter enclosures, more attention to ventilation to help keep lead

715 views • 5 slides
Sorting a Permutation by Cut-and-Paste Moves Daniel W. Cranston Virginia Commonwealth University

Sorting a Permutation by Cut-and-Paste Moves Daniel W. Cranston Virginia Commonwealth University

Sorting a Permutation by Cut-and-Paste Moves Daniel W. Cranston Virginia Commonwealth University dcransto@dimacs.rutgers.edu Joint with Hal Sudborough and Doug West. Discrete Math Minisymposium, MathFest 6 August 2009 Definitions and an

896 views • 68 slides
An Ethnographic Study of Copy and Paste Programming Practices in OOPL Miryung Kim 1 , Lawrence

An Ethnographic Study of Copy and Paste Programming Practices in OOPL Miryung Kim 1 , Lawrence

An Ethnographic Study of Copy and Paste Programming Practices in OOPL Miryung Kim 1 , Lawrence Bergman 2 , Tessa Lau 2 , and David Notkin 1 Department of Computer Science and Engineering University of Washington 1 , IBM T.J. Watson Research

579 views • 32 slides
Cut &amp; Paste machine was born Andrew Kuznetsov Institute of Biology III, Freiburg University,

Cut &amp; Paste machine was born Andrew Kuznetsov Institute of Biology III, Freiburg University,

Cut &amp; Paste machine was born Andrew Kuznetsov Institute of Biology III, Freiburg University, Germany {Brains Phenotypes and Insects' International Nerdweek} Puebla, Pue. Mex. 6-12 March 2005 Introduction Computation by DNA-as-string

408 views • 13 slides
D O NOT COPY &amp; PASTE ! N O REPLICATIONS IN SYNTACTIC DERIVATIONS Hubert Haider FB Linguistik

D O NOT COPY &amp; PASTE ! N O REPLICATIONS IN SYNTACTIC DERIVATIONS Hubert Haider FB Linguistik

06.07.2016 D O NOT COPY &amp; PASTE ! N O REPLICATIONS IN SYNTACTIC DERIVATIONS Hubert Haider FB Linguistik &amp; Centre for Cognitive Neuroscience Workshop on Replicative Processes in Language Univ. Leipzig, July 8 th -9 th , 2016 R

406 views • 15 slides
10 Sed, cut, and paste CS 2043: Unix Tools and Scripting, Spring 2019 [1] Matthew Milano

10 Sed, cut, and paste CS 2043: Unix Tools and Scripting, Spring 2019 [1] Matthew Milano

10 Sed, cut, and paste CS 2043: Unix Tools and Scripting, Spring 2019 [1] Matthew Milano February 13, 2019 Cornell University 1 Table of Contents 1. Cutting 3. Interlude: xargs and shift 4. Pasting 5. Splitting and Joining 2 2. The

560 views • 30 slides
Software Clones in Scratch Projects On the Presence of Copy-and-Paste in Computational Thinking

Software Clones in Scratch Projects On the Presence of Copy-and-Paste in Computational Thinking

What is CT? Scratch and assessment of CT Research paper Software Clones in Scratch Projects On the Presence of Copy-and-Paste in Computational Thinking Learning Gregorio Robles, Jes us Moreno, Efthimia Aivaloglou, and Felienne Hermans

387 views • 19 slides
Fly Ash-Based Paste Presented by : Kiki Dwi Wulandari Januarti Jaya Ekaputri Triwulan Chikako

Fly Ash-Based Paste Presented by : Kiki Dwi Wulandari Januarti Jaya Ekaputri Triwulan Chikako

Effects of Microbial Agents to The Properties of Fly Ash-Based Paste Presented by : Kiki Dwi Wulandari Januarti Jaya Ekaputri Triwulan Chikako Fujiyama Davin H.E. Setiamarga Solo, July 12 th 2018 Department of Civil Engineering, Institut

288 views • 14 slides
Interactive Data Integration through Smart Copy and Paste Zachary G. Ives Craig A. Knoblock

Interactive Data Integration through Smart Copy and Paste Zachary G. Ives Craig A. Knoblock

Interactive Data Integration through Smart Copy and Paste Zachary G. Ives Craig A. Knoblock Steven Minton Marie Jacob Partha Pratim Talukdar Rattapoom Tuchinda Jose Luis Ambite Maria Muslea Cenk Gazen Univ.

440 views • 15 slides
STENCIL AND SOLDER PASTE INSPECTION EVALUATION FOR MINIATURIZED SMT COMPONENTS Robert Farrell

STENCIL AND SOLDER PASTE INSPECTION EVALUATION FOR MINIATURIZED SMT COMPONENTS Robert Farrell

Originally published in the Proceedings of SMTA International, Ft. Worth, TX, October, 2013 STENCIL AND SOLDER PASTE INSPECTION EVALUATION FOR MINIATURIZED SMT COMPONENTS Robert Farrell Benchmark Technologies Nashua, NH USA Chrys Shea Shea

658 views • 43 slides
Qishu Chen Xuechen Feng Lianhao Qu Yu Wan Wanqiu Zhang Columbia University December 2012

Qishu Chen Xuechen Feng Lianhao Qu Yu Wan Wanqiu Zhang Columbia University December 2012

Qishu Chen Xuechen Feng Lianhao Qu Yu Wan Wanqiu Zhang Columbia University December 2012 Introduction-TrML A simple programming language that allows user to express trigonometry concept, and construct/solve complex trigonometry

452 views • 13 slides
Computer Algebra for Lattice Path Combinatorics Alin Bostan FPSAC 2019 Ljubljana, Slovenia

Computer Algebra for Lattice Path Combinatorics Alin Bostan FPSAC 2019 Ljubljana, Slovenia

Computer Algebra for Lattice Path Combinatorics Alin Bostan FPSAC 2019 Ljubljana, Slovenia July 1st, 2019 1 / 36 Alin Bostan Computer Algebra for Lattice Path Combinatorics Computer Algebra for Enumerative Combinatorics Enumerative

903 views • 42 slides
Split-Dollar Life Insurance Arrangements: Exciting Estate Planning Opportunities What Allows

Split-Dollar Life Insurance Arrangements: Exciting Estate Planning Opportunities What Allows

Split-Dollar Life Insurance Arrangements: Exciting Estate Planning Opportunities What Allows Split-Dollar to Function So Well Presented by: Richard L. Harris, CLU AEP TEP Split-Dollar Basics CONSIDER THIS: Take a dollar bill and cut it in

663 views • 23 slides
Statics of Structural Statics of Structural Supports Supports Supports Different types of

Statics of Structural Statics of Structural Supports Supports Supports Different types of

See also pages 5a - 10 in the supplemental notes. Statics of Structural Statics of Structural Supports Supports Supports Different types of structural supports are shown in Table 1. Some physical details for the TYPES OF FORCES idealized

415 views • 9 slides
State Taxation of Cloud Computing Houston TEI Tax School Jeffrey S. Reed February 4, 2014

State Taxation of Cloud Computing Houston TEI Tax School Jeffrey S. Reed February 4, 2014

State Taxation of Cloud Computing Houston TEI Tax School Jeffrey S. Reed February 4, 2014 (212) 506-2104 jreed@mayerbrown.com Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the

445 views • 20 slides
Combining Rules and Ontologies Embedding Non-Ground Logic Programs into Autoepistemic Logic Jos

Combining Rules and Ontologies Embedding Non-Ground Logic Programs into Autoepistemic Logic Jos

Combining Rules and Ontologies Embedding Non-Ground Logic Programs into Autoepistemic Logic Jos de Bruijn Digital Enterprise Research Institute (DERI) University of Innsbruck, Austria jos.debruijn@deri.org Joint work with: Thomas Eiter (TU

224 views • 19 slides
Federal Acquisition Regulation: Small Business Subcontracting Improvements FAC 2005-89, FAR Case

Federal Acquisition Regulation: Small Business Subcontracting Improvements FAC 2005-89, FAR Case

Federal Acquisition Service Federal Acquisition Regulation: Small Business Subcontracting Improvements FAC 2005-89, FAR Case 2014-003 Implementation Under Multiple Award Schedules 1 Federal Acquisition Service FAR rule (FAC 2005-89/FAR case

435 views • 9 slides
Challenges and opportunities in reliability engineering: the big KID (Knowledge, Information and

Challenges and opportunities in reliability engineering: the big KID (Knowledge, Information and

Challenges and opportunities in reliability engineering: the big KID (Knowledge, Information and Data) Enrico Zio Chair on Systems Science and the Energy Challenge CentraleSupelec, Fondation Electricit de France (EDF), France Energy

712 views • 59 slides

More recommend