This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

Guest Post: Hacker’s Breakfast: TrainACE and n2grate Team Up for a Free Hacking Seminar

The following is a Guest Post from TrainACE. I attended the last Hacker's Breakfast, and found it a very informative training seminar. You can read my thoughts on the last Hacker's Breakfast here.

TrainACE and their cyber security training extension, Advanced Security, are announcing another installment in their series of free hacking seminars, dubbed Hacker’s Breakfast. Previously having planned an event with FireEye, they have teamed up with n2grate Government Technology Solutions this time around to host the latest installment, featuring multiple speakers and training demonstrations. Blue Coat and Solera Networks will have Subject Matter Expert technicians talk about mission assurance technologies and web-based security.

A difference between this Hacker’s Breakfast and the previous event in the series is the inclusion of live demonstrations. The session for product demonstrations will feature kiosks related to advanced threat protection from Blue Coat, Netronome, and Packet Shaper. Event sponsor Solera Networks will have an exhibit for big data security intelligence and analytics.

The seminar itself will start off with a presentation on web-based security and its significance to mobile workers, social networking, and threat protection. The speakers will address web-based security on a number of devices, covering users who own desktops, laptops, and mobile platforms. Next up on the itinerary will be the break for the kiosk session. For the rest of the seminar, a session will cover how the Department of Defense and other federal agencies should handle mission-critical program security. The seminar will close with another period allotted to additional product and training demonstrations.

However, the opportunity is only available to Government and Department of Defense employees and the event is capped at 70 registrants. Sign up immediately in order to reserve a place at this leading edge event!

Hacker’s Breakfast will be held at TrainACE in Ashburn, VA on July 24, 2013. The event opens with registration and breakfast at 8:00AM and will finish at 12:30PM.


Learn more and register online here: Hacker’s Breakfast – The FREE Hacking Training Seminar Series by TrainACE.

Recorded Future Announces Cyber Threat Intelligence Application

Recorded Future recently announced the release of their Cyber Threat Intelligence Application. The new app adds a set of real-time trend signals for attackers, TTPs, targets, and hacktivist operations.  You can see what's trending for each of the four categories, brush across entities to see cross-linkages, and drill down on interesting items to dig in and analyze.

The application presents a real-time dashboard of cyber threats, and allows filtering based upon threat, target, operation, or any other criteria.

One of the staff from Recorded Future was kind enough to demo the application for me today, and I am very impressed.

You can get a brief glimpse of the app through the YouTube video.

For examples of the data available, check out my Threat Watch site, which is powered by Recorded Future.


Coming Changes and Improvements to Caffeine Security Blog

Over the past year I've gathered a lot of logs and malware information from my honeypot. The biggest challenge has always been - what to do with the information once I gather it.

I've recently started sharing the more significant events through ThreatConnect, but really feel some of this data should be shared with a wider audience.

I'm thinking of implementing a couple things:

  • Tracking of threat indicators through my Malware Analysis Google Code site's Wiki
  • Tracking of threat attack patterns through Google Calendar
  • ...?

Something else I'm considering is building a "Linux Rescue Disk" for analysis and remediation of malware infected Windows systems. All included software would be 100% open source. Not only would I build this for my own use, but I'd also make an ISO available free of charge.  I know there are distros out there already aimed at doing this, but I'm really considering making my own Caffeine Security branded distro.

Do you have any recommendations on additional methods of using the data I've collected? Or recommendations for my Linux rescue disk? If so I'd love to hear from you.  You can comment below or email me CaffSecBlog <at> Gmail <dot> com

Anonymous #OpPetrol Most Epic #Fail Yet - Full Analysis Of Results

Looking at the "damage" (and I use that term very loosely) done as part of OpPetrol, Anonymous support by actual hackers is fading fast.

Let's take a look at the original target list of what was supposed to be attacked.

United States, Canada, United Kingdom, Israel, Saudi Arabia (only Government), China, Italy, France, Germany, Kuwait (only government) and Qatar (only government)

Hackers News Bulletin released a live list of all the damage done as part of OpPetrol, and it's a rather short list. Let's run through the list and look to see if Anonymous actually succeeded in their operation.

Better grab some popcorn, this is going to be quite entertaining.

Come Join Me On @ThreatConnect and Share Cyber Threat Intelligence

ThreatConnect is a new site providing the ability to share intelligence on Advanced Persistent Threats and other hacking incidents/perpetrators.

I have recently set up an account on the site, and have started adding incidents from my honeypot.

ThreatConnect allows recording and sharing of threat indicators and incidents, including hosts, file hashes, malicious email addresses, and more!



Are you interested in exchanging data? If so, please sign up for an account with ThreatConnect, then send me a connection invite.  The email address you'll need to send the invite is in the screenshot below.


New PHP Malware Source Available for Analysis

After about a month of running my Glastopf honeypot, I've started getting some hits.

You can take a look at the files I've collected (including deobfuscated code) over at my malware analysis site.

One thing which stands out to me in some of the malware is that it intentionally hides itself from being cached by search engines using the following code:

// Only act when the client sent a User-Agent header
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    // Substrings that identify search-engine and archive crawlers
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    // Case-insensitive match of any crawler name against the User-Agent
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        // Crawlers get a fake 404 so the page is never indexed or cached
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
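As an added defensive check (not code from the post or from the honeypot), here is a Python heuristic that scans PHP sources for this crawler-cloaking pattern: it looks for the four indicators together (reading the User-Agent, a list of crawler names, a fake 404/403 header, and a script exit). The sample files are constructed; the first is the snippet above, the second a benign User-Agent logger.

```python
import re

# Crawler names the malware in the post checks for; reused here as detection heuristics.
CRAWLER_NAMES = ("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler")

# Four indicators that together point to crawler cloaking rather than benign UA handling.
UA_ACCESS = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]")
CRAWLER_LIST = re.compile("|".join(re.escape(n) for n in CRAWLER_NAMES), re.I)
HIDE_RESPONSE = re.compile(r"header\s*\(\s*['\"]HTTP/1\.[01]\s+(404|403)", re.I)
TERMINATE = re.compile(r"\b(exit|die)\b")

def cloaking_score(php_source):
    # Returns (score, reasons); a score of 4 means every indicator was found.
    reasons = []
    if UA_ACCESS.search(php_source):
        reasons.append("reads HTTP_USER_AGENT")
    hits = {m.group(0).lower() for m in CRAWLER_LIST.finditer(php_source)}
    if len(hits) >= 2:  # two or more names: unlikely to be an innocent mention
        reasons.append("matches crawler names: " + ", ".join(sorted(hits)))
    if HIDE_RESPONSE.search(php_source):
        reasons.append("sends a fake 404/403 header")
    if TERMINATE.search(php_source):
        reasons.append("terminates the script")
    return len(reasons), reasons

def scan_files(files):
    # files: {path: source}. Returns the paths showing all four indicators.
    return sorted(path for path, src in files.items() if cloaking_score(src)[0] == 4)

# Constructed samples: the cloaking snippet from the post, and a benign UA logger.
SAMPLES = {
    "uploads/img.php": """<?php
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}""",
    "lib/stats.php": """<?php
$ua = $_SERVER['HTTP_USER_AGENT'];
error_log("visit from " . $ua);
exit;""",
}
```

Run it over a web root by reading each .php file into the dict; a hit is worth a manual look, since legitimate code rarely combines all four indicators.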

See something else worth discussing? Post it here!

Unauthenticated Windows CE Telnet Service Vulnerable Configuration

Since this is a Windows CE configuration issue, and not a software vulnerability, I am releasing this information publicly so that software developers can be aware of the issue.

Tonight I stumbled on a quite scary Shodan search which I'd like to share with everyone.

Windows CE Telnet Service

What is the Windows CE Telnet Service?

Apparently Windows CE has a built-in telnet service for debugging applications, as outlined in this MSDN blog post.

Now the truly scary part about all this is that the telnet server has the ability to disable authentication requirements.

[HKEY_LOCAL_MACHINE\COMM\TELNETD]
    "UseAuthentication"=dword:0
    "IsEnabled"=dword:1

When you do disable the authentication requirements (for debugging purposes only of course), you're greeted with an administrator level command prompt as soon as you connect with telnet.

From there you can perform all sorts of fun things, like restart the device or access any locally stored file - pretty much any command which is typically available at a Windows command line.
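An added example, not code from the post or from MSDN: a small pre-ship audit in Python that parses a .reg export from a device image, classifies the TELNETD key using exactly the two values shown above, and emits a hardened copy with authentication turned back on. The .reg text is a constructed sample, and no Windows CE default values are assumed.

```python
import re
TELNETD_KEY = r"HKEY_LOCAL_MACHINE\COMM\TELNETD"  # key named in the post
SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
DWORD_RE = re.compile(r'^(\s*)"([^"]+)"\s*=\s*dword:([0-9A-Fa-f]{1,8})\s*$')

# Constructed sample .reg export (not taken from any real device image).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\COMM\TELNETD]
    "UseAuthentication"=dword:0
    "IsEnabled"=dword:1
"""

def parse_reg(text):
    # Map [key] headers and "name"=dword:hex lines to {key: {name: int}}.
    keys, current = {}, None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).upper()
            keys.setdefault(current, {})
            continue
        val = DWORD_RE.match(line)
        if val and current is not None:
            keys[current][val.group(2)] = int(val.group(3), 16)  # dword values are hex
    return keys

def telnetd_status(text):
    # Classify from explicit values only; no CE defaults are assumed.
    values = parse_reg(text).get(TELNETD_KEY.upper())
    if values is None:
        return "absent"
    enabled, auth = values.get("IsEnabled"), values.get("UseAuthentication")
    if enabled == 0:
        return "disabled"
    if enabled == 1 and auth == 0:
        return "UNAUTHENTICATED"  # the shipped misconfiguration from the post
    if enabled == 1 and auth == 1:
        return "authenticated"
    return "unspecified"  # one of the two values is missing

def harden_reg(text):
    # Rewrite UseAuthentication under TELNETD to 1; every other line is kept as-is.
    out, current = [], None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        current = sec.group(1).upper() if sec else current
        val = DWORD_RE.match(line)
        if current == TELNETD_KEY.upper() and val and val.group(2) == "UseAuthentication":
            line = val.group(1) + '"UseAuthentication"=dword:1'
        out.append(line)
    return "\n".join(out)
```

For a device that should never expose telnet at all, setting IsEnabled to 0 is the stronger fix; the hardened fragment here only restores the authentication requirement.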

Despite the fact that this was only intended for debugging purposes, Shodan found 892 public-facing systems with this vulnerability.  Who knows how many thousands more reside behind corporate firewalls, with organizations completely unaware that their devices with embedded Windows are vulnerable to attack.

Vulnerable Windows CE Telnet Services
Clearly, some embedded Windows developers have accidentally left this setting enabled prior to shipping their devices.  One thing which really stands out is that some of the vulnerable systems are KVMs, meaning that should the KVM be compromised, the attacker will have control of all connected systems, and be able to install a keylogger to capture all usernames/passwords.  Since KVMs do not typically have Antivirus installed, this activity may never be noticed.

As I dive deeper into Shodan, I hope to bring more interesting vulnerabilities like this one to light.  Stay tuned!

Using Shodan to Measure The Security of the Internet

Shodan is a search engine for potentially vulnerable computer systems, based upon header information.

It allows you to perform a lot of neat tricks, such as seeing what your organization's public footprint looks like, as well as your competitors'.  You can use it to find interesting devices such as routers, webcams, printers, etc.

I performed the following searches to see just how many glaringly obvious vulnerable systems are exposed to the internet.

First search: "IIS/5.0".  This search will produce systems which are running Windows 2000 with an IIS web server.  Of course Windows 2000 and IIS 5.0 are no longer supported by Microsoft, and multiple vulnerabilities are publicly known.

So needless to say, I was quite disturbed when I found half a million exposed IIS/5.0 webservers.

IIS 5.0 on Windows 2000
Surely no one would be running a version of Windows older than Win 2000, and connect it to the Internet, right?