Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[LHS Microcast] Interview w/ Jen Ellis

Martin and I took the time to sit down with Jen Ellis at DEF CON this year to discuss the legal system in the US and how it affects researchers and hackers, how the system is flawed, and what steps we should be taking to influence future legal measures. Jen also gives us a little background into the Wassenaar Arrangement and what it could mean to researchers internationally.


[Download MP3]

Taking out the Eurotrash

Regular listeners are probably already aware by now, that the Eurotrash is no more! As with all good things, there had to be an end, and with the last Christmas episode, we got the old crew back together for one last go around! We’d like to say that we’re throwing in the towel because our efforts to solve world hunger and push the middle east peace process through is taking up most of our time, but if I did I’d only be telling half the truth.

A while ago the crew decided that we weren’t having enough time to record and edit the way we wanted to… as you can see, the number of episodes in 2014 was down on the previous years, because of lack of time and so many other projects. So, something had to give. We hope you’ve had a fun journey with us over the years, and it’s been a pleasure to do.

So, thank you Ben, Craig, Dale, Wim… thank you to the guests over the years for putting up with our silly questions… and most of all, thank YOU the listeners for making us want to do this thing again and again until our hands bled from the editing, and our families were starving on the streets*

So, this Christmas time, don’t cry for us! Light a candle (or a cigarette), and raise a glass (or a bottle of vodka) to the Eurotrash Security Podcast… gone but not forgotten! Episode 50: The Final One… evar

“Doesn’t Ben look hawt in his new work outfit!”

Note: Past episodes will remain available on http://eurotrashsecurity.eu until such time as Craig gets so drunk that he forgets to renew the domain… or he pawns it to buy cheap aftershave! So probably a few months at least ;)

* Not actually starving

All good things must come to an end

By the time you read this, I will be gone… no, not like that! Let me start at the beginning.

Back in 2008 (when I was still young and almost had hair) I joined a small team (actually it was just 1 person if I remember rightly) at an Austrian company called Raiffeisen Informatik (I think that’s the first time I’ve written that on the blog… for obvious reasons). It was my first job since moving to Austria, and despite my lack of German skills (I could just about say “hello” and “goodbye” at the time) they took the chance on me. I’d like to think it paid off… but who am I to say.

It’s been more than 6 years since that day, and the team at what became R-IT CERT has expanded considerably from its early days. As the title suggests, today was my last day at R-IT CERT… and it’s a bittersweet ending. I’ve enjoyed my time working with the great members of the team, and had a lot of great challenges. Working at R-IT CERT has given me a lot of freedom to do interesting and unique projects… but I’m really looking forward to the new challenges that are ahead of me. More details on that as and when!

[DeepSec 2014] Advanced Powershell Threat: Lethal Client Side Attacks using Powershell


Advanced Powershell Threat: Lethal Client Side Attacks using Powershell – Nikhil Mittal

APT – A buzzword which refuses to die. Let’s have some fun with it, let’s move it to PowerShell. This talk would focus on using PowerShell for Client Side Attacks.

Powershell is an ideal platform for client side attacks as it is available on all the Windows machines. We would see how easy and effective it is to use powershell for various client side attacks like drive-by-downloads, malicious attachments, Java applets, Human Interface Devices etc.

The payloads which would be used with these attacks include in-memory code execution, dumping passwords and system secrets in plain text, backdoors, keyloggers, moving to other systems, reverse shells etc.

The code used in the above talk will be released as open source. The talk would be full of live demonstrations.

Client-side Attacks

Why Client-side attacks

  • Server-side is being locked down, so attacks are moving more to the client-side
  • Often client-side is less secured and not prioritized for patching compared to the server-side systems
  • The perimeter-ized network is still the norm
  • Less chance of being discovered when the attack begins from the inside of the network
  • Users are too familiar with their systems, and tend to feel over-confident about their security

Avoiding exploitation and memory-corruption attacks altogether lowers the chance of being detected by host-based IDS/IPS or anti-virus.

What is Powershell / Why Powershell

Task-based command line shell and scripting language designed for system administrators

PowerShell is already present on the majority of target systems and is a powerful way to maintain a presence on them. It also provides easy access to things such as .Net classes, WMI, the Windows API, WinRM, the Registry, etc…

Anything we can do to reduce our dependence on Metasploit and other potentially detectable tools is a good thing.

Tools to create malicious client-side files


Out-Word: used to create “armed” or “infected” MS Word documents


Same as Out-Word, but for Excel files.


Creates an executable HTML application to send to the user that triggers Powershell


Creates an executable JAR file to launch Powershell


Creates a malicious .lnk file that points to the PowerShell on the user’s machine to trigger specific actions. Can also set a hotkey on the shortcut so the link is triggered whenever the user presses a specific key combination.


Creates compiled HTML Help Files to execute Powershell commands. Can be customized to include real help information to fool a user.


  • Don’t click stuff! Teach your users to not trust content from external sources
  • Removal of VBA from MS Office would help specific attacks
  • Active monitoring of users’ machines may help detect such attacks
  • Remove PowerShell access from users who don’t need it (block/limit the user)
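As an added example for the monitoring point above (my own code, not from the talk or the blog), a small PowerShell audit that hunts for the shortcut trick described earlier: .lnk files whose target is a PowerShell host, reporting the arguments and any hotkey bound to the link. It assumes a Windows host with the WScript.Shell COM object; the "Suspicious" heuristics are my own choices.

```powershell
# Added example (not from the talk or the blog): audit shortcut (.lnk) files for
# targets that launch PowerShell, and report the hotkey and arguments.
# Assumes a Windows host where the WScript.Shell COM object is available.
function Find-PowerShellShortcut {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )

    $shell = New-Object -ComObject WScript.Shell

    Get-ChildItem -Path $Path -Filter '*.lnk' -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # CreateShortcut on an existing .lnk loads its properties for reading.
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = [string]$lnk.TargetPath

            # Only shortcuts whose target is a PowerShell host are of interest.
            if ($target -match '(^|\\)(powershell|pwsh|powershell_ise)\.exe$') {
                $argString = [string]$lnk.Arguments
                $hotkey    = [string]$lnk.Hotkey

                [pscustomobject]@{
                    Shortcut   = $_.FullName
                    Target     = $target
                    Arguments  = $argString
                    # A non-empty Hotkey means the link fires on a key combination
                    # (the behaviour described in the talk notes), not only on a click.
                    Hotkey     = $hotkey
                    # Heuristics (my own): flags typically used to run a script
                    # quietly, or a hotkey bound to a PowerShell shortcut at all.
                    Suspicious = ($argString -match '-(e|enc|encodedcommand)\b') -or
                                 ($argString -match '-w(indowstyle)?\s+hidden') -or
                                 ($argString -match '-nop(rofile)?\b') -or
                                 ($argString -match '-ex(ecutionpolicy)?\s+bypass') -or
                                 -not [string]::IsNullOrEmpty($hotkey)
                }
            }
        }
}

# Example usage: sweep all user profiles (Desktop, Start Menu, etc.) and list the hits.
Find-PowerShellShortcut -Path 'C:\Users' -Recurse | Format-Table -AutoSize
```

Reviewing the output for shortcuts with a hotkey set or with hidden/encoded flags is a cheap check to fold into the "active monitoring" recommended above.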


