Endpoint security software faces a tough challenge — it needs to be able to rapidly distinguish between desired and unwanted behavior with few false positives and false negatives, and attackers work hard to obfuscate (or cloak) their malicious code to prevent detection by security scanners. To maximize protection, security software wants visibility into attack chainsContinue reading “Defensive Technology: Antimalware Scan Interface (AMSI)”
Category Archives: security
Attack Techniques: Encrypted Archives
Tricking a user into downloading and opening malware is a common attack technique, and defenders have introduced security scanners to many layers of the ecosystem in an attempt to combat the technique: With all this scanning in place, attackers have great incentives to try to prevent their malicious code from detection up until the momentContinue reading “Attack Techniques: Encrypted Archives”
Attack Techniques: PayPal Invoice Scams
Today in “Attack techniques so stupid, they can’t possibly succeed… except they do!” — we look at Invoice Scams. PayPal and other sites allow anyone (an attacker) to send anyone (their victims) an invoice containing the text of the attacker’s choosing. In this attack technique, PayPal sends you an email suggesting that the attacker alreadyContinue reading “Attack Techniques: PayPal Invoice Scams”
Attack Techniques: Trojaned Clipboard
Today in “Attack techniques so stupid, they can’t possibly succeed… except they do!” — the trojan clipboard technique. In this technique, the attacking website convinces the victim to paste something the site has silently copied to the user’s clipboard into a powerful and trusted context. A walkthrough of this attack can be found in theContinue reading “Attack Techniques: Trojaned Clipboard”
Authenticode in 2024
My 2021-2024 Authenticode certificate expired yesterday, so I began the process of getting a replacement last week. As in past years, I again selected a 3 year OV certificate from DigiCert. Validation was straightforward. After placing my order, I got a request for high-resolution photos of me holding my ID (I sent my passport andContinue reading “Authenticode in 2024”
Attack Techniques: Remote Control Software
In yesterday’s post, I outlined the two most successful (and stupid simple) attack techniques that you might not expect to work (and you’d be so very wrong): Today, let’s explore number 3: “Please give me control of your computer so I can, uh, fix it?“ In this attack, an attacker convinces you that there’s someContinue reading “Attack Techniques: Remote Control Software”
Attack Techniques: Full-Trust Script Downloads
While it’s common to think of cyberattacks as being conducted by teams of elite cybercriminals leveraging the freshest 0-day attacks against victims’ PCs, the reality is far more mundane. Most attacks start as social engineering attacks: abusing a user’s misplaced trust. Most attackers don’t hack in, they log in. The most common cyberattack is phishing:Continue reading “Attack Techniques: Full-Trust Script Downloads”
ERR_BLOCKED_BY_CLIENT and HTML5 Sandbox
Recently, many Microsoft employees taking training courses have reported problems accessing documents linked to in those courses in Chrome and Edge. In Edge, the screen looks like this: But the problem isn’t limited to Microsoft’s internal training platform, and can be easily reproduced in Chrome: What’s going on? There are a number of root causesContinue reading “ERR_BLOCKED_BY_CLIENT and HTML5 Sandbox”
Browser Security Bugs that Aren’t: JavaScript in PDF
A fairly common security bug report is of the form: “I can put JavaScript inside a PDF file and it runs!” For example, open this PDF file with Chrome, and you can see the alert(1) message displayed: Support for JavaScript within PDFs is by-design and expected by the developers of PDF rendering software, including commonContinue reading “Browser Security Bugs that Aren’t: JavaScript in PDF”
Attacker Techniques: Gesture Jacking
A few years back, I wrote a short explainer about User Gestures, a web platform concept whereby certain sensitive operations (e.g. opening a popup window) will first attempt to confirm whether the user intentionally requested the action. As noted in that post, gestures are a weak primitive — while checking whether the user clicked orContinue reading “Attacker Techniques: Gesture Jacking”
text/plain 