While lacking the sex appeal of memory corruption based attacks, phishing remains a problem for many end users. Defenses against phishing have not advanced significantly in years. Mostly in boils down to more attempts to phish your own people. In this presentation I explored new approaches to detection using perceptual hashing.
While many of my colleagues were away at Blackhat, Defcon, and Bsides Las Vegas I decided to spend a day exploring through an Android app. I became interested in this particular app due to it being the “official” app of a popular web service that included some functionality not exposed to end users through the API that they’ve provided. I was reasonably sure that some spammers on this web service were using this functionality and I was interested to see just how difficult it was to do.
Dale Peterson and I demonstrate how using commonly available tools an attacker can learn how firmware is loaded into two different Programmable Logic Controller (PLC) Ethernet cards, write his own malicious firmware, and load that malicious firmware into the field device Ethernet cards.
This paper and accompanying presentation was first presented at Blackhat USA 2007 and DEFCON 15 (OX0F). Ben Feinstein and I explore the browser as an increasingly ubiquitous target for attacks.