Permutation Question
Jun. 5th, 2009 08:12 am
I'm trying to figure out how long it takes for a particular shuffling algorithm to cycle for a particular number of elements. The algorithm is to count from 1 to M, moving the character at position M mod N (N := number of elements) to the end, and moving everything down so there's no space. [i.e. (indexed from 1 here) g(1,"ABCDEF")="BCDEFA", then g(2,"BCDEFA")="BDEFAC", then g(3,"BDEFAC")="BDFACE"; eventually this will cycle. How long? (30 in this example (that's M).)] I've stumped The On-Line Encyclopedia of Integer Sequences. I want to find f() which generates the following sequence, and I don't want to think about this too hard, and I don't have my Knuth books handy (I think it involves factorials). What is f()?
f(2) = 2
f(3) = 4
f(4) = 9
f(5) = 20
f(6) = 30
f(7) = 36
f(8) = 28
f(9) = 72
f(10)= 36
f(11)= 280
f(12)= 110
f(13)= 108
f(14)= 182
f(15)= 168
f(16)= 75
f(17)= 1120
f(18)= 306
f(19)= 432
f(20)= 190
f(21)= 140
f(22)= 4410
f(23)= 2772
f(24)= 2530
f(25)= 1440
f(26)= 650
f(27)= 3120
f(28)= 243
f(29)= 812
f(30)= 870
f(31)= 1800
f(32)= 186
f(33)= 1056
f(34)= 10164
f(35)= 1428
f(36)= 2100
f(37)= 35640
f(38)= 1110
f(39)= 14212
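An added example, not the post's own code: the shuffle exactly as described, simulated in C, plus the closed form that falls out of it (one pass over positions 1..N-1 is a fixed permutation p, so f(N) = (N-1) * ord(p)). The post does not say what happens when M mod N == 0 (position 0), so here that step is assumed to be a no-op that is not counted as a move; under that reading the move count until the arrangement returns reproduces f(2) through f(8) from the table above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_N 48   /* covers the post's table (N up to 39) */

/* One step of the shuffle: move the character at 1-indexed position k to the
 * end of the n-character buffer, sliding the rest down. k == 0 (M mod N == 0)
 * is treated as a no-op; the post does not say, so that is an assumption. */
static void move_to_end(char *s, int n, int k)
{
    if (k == 0) return;
    char c = s[k - 1];
    memmove(&s[k - 1], &s[k], (size_t)(n - k));
    s[n - 1] = c;
}

/* The post's g(M, s): shuffles the NUL-terminated string in place and returns it. */
char *g(int m, char *s)
{
    int n = (int)strlen(s);
    move_to_end(s, n, m % n);
    return s;
}

/* Direct simulation: run the counter M = 1, 2, 3, ... and count real moves until
 * the arrangement is back at its start at the end of a pass (M mod N == 0).
 * With the no-op assumption this gives f(2..8) = 2, 4, 9, 20, 30, 36, 28. */
long f_simulated(int n)
{
    char start[MAX_N], s[MAX_N];
    for (int i = 0; i < n; i++) start[i] = s[i] = (char)('A' + i);
    long moves = 0;
    for (long m = 1;; m++) {
        int k = (int)(m % n);
        if (k) { move_to_end(s, n, k); moves++; }
        if (k == 0 && memcmp(s, start, (size_t)n) == 0) return moves;
    }
}

static long gcd_long(long a, long b) { while (b) { long t = a % b; a = b; b = t; } return a; }

/* Closed form: one pass over positions 1..N-1 is a fixed permutation p of the
 * N slots; the arrangement repeats after ord(p) passes of N-1 moves each, so
 * f(N) = (N-1) * ord(p), where ord(p) is the lcm of its cycle lengths. */
long f_closed_form(int n)
{
    char s[MAX_N];
    for (int i = 0; i < n; i++) s[i] = (char)('A' + i);
    for (int k = 1; k < n; k++) move_to_end(s, n, k);   /* s[j] = element now in slot j */
    bool seen[MAX_N] = {false};
    long order = 1;
    for (int i = 0; i < n; i++) {
        if (seen[i]) continue;
        long len = 0;
        for (int j = i; !seen[j]; j = s[j] - 'A') { seen[j] = true; len++; }
        order = order / gcd_long(order, len) * len;
    }
    return (long)(n - 1) * order;
}

int main(void)
{
    char buf[] = "ABCDEF";
    printf("g(1,\"ABCDEF\") = %s\n", g(1, buf));
    for (int n = 2; n <= 12; n++)
        printf("f(%d) = %ld (closed form %ld)\n", n, f_simulated(n), f_closed_form(n));
    return 0;
}
```

If the no-op steps were counted as well, every value would come out as f(N) * N / (N-1), which is 36 rather than 30 for the six-character example.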
Job Posting
May. 1st, 2009 12:12 pm
My company is finally hiring someone else to do all the busybody work I don't have time for. Don't worry about the BS degree; if you can write an exploit for any vulnerable program I give you, then you're qualified. (Actually, if you've ever touched IDA, and know how to read and analyze .pcaps, you're qualified. If I can give you a mystery program, and you can tell me what it does, you're qualified. You must be able to act like a mature, responsible adult when interacting with other people.)
I didn't write this:
Job Description for the Security Research Engineer
Duties and responsibilities:
The main responsibilities for this position include: (1) keeping track of vulnerability disclosure and malware (with focus on botnet, spyware, and other Trojans that engage in network-based activities) development, (2) performing false positive checking for detection signatures, and (3) conducting detailed analysis of malware behaviors, through code reverse engineering and live behavior studies.
Qualifications
Professional experience:
The candidate should have at least two years of experience in the security field, especially with skills in malicious code analysis. Good knowledge in security vulnerability, exploitation, and Windows OS internals are expected. Solid programming skills are required. Working knowledge of TCP/IP stack and familiarity with network traffic tools are also required. Examples of relevant industries include AV, IDS/IPS/IDP, Web and Message security.
Personality:
Must be hardworking, a self-starter, and effective in a small-team environment.
Formal education:
BS degree in CS/EE or equivalent experience.
Update: You can email me at juliavixen $40 gmail.com. If you don't understand that email address, stop now. If it was up to me, I'd have everyone send me their stuff in flat 7-bit ASCII, but since I'm just handing this stuff off to the appropriate manager, all those newfangled dynamic-content-enabled document formats are OK. I'll be checking the .DOCs and .PDFs for exploits; if I find any 0-days you get the job. My GPG Public Key if you need it. The job is right on the border of San Jose and Milpitas in Ciscoville.
A reader asks:
How can I get a job looking at malware? I worked at a company that was exposed to lots and lots of stuff targeting Chinese dissident groups and got pretty good at analyzing, tracking and spotting it. Do you know anyplace that I could go to do this for a living?
Any input appreciated
I don't have time to write a proper response to this, so perhaps you, the reader, can offer some advice.
(no subject)
Apr. 1st, 2009 08:55 pm
call InternetGetConnectedState
test eax, eax
jz short loc_9A3C5C
lea eax, [ebp+12Ch+SystemTime]
push eax ; lpSystemTime
call ebx ; GetLocalTime
cmp [ebp+12Ch+SystemTime.wYear], 7D9h
ja short loc_9A3C37
jnz short loc_9A3C4D
cmp [ebp+12Ch+SystemTime.wMonth], 4
ja short loc_9A3C37
jnz short loc_9A3C4D
cmp [ebp+12Ch+SystemTime.wDay], 1
jb short loc_9A3C4D

The above sequence of code has been the bane of my existence this week. It's the date check for April 1, 2009 from the Conficker.C worm. As with many other viruses in the past that do something on a specific date, there is tremendous media hype surrounding this. So, I had not been analyzing this worm for the last few months, because everyone else had it covered, and I had other stuff to do, but now because of the media hype my company wants to have something published on it for marketing reasons. Since everyone else [see above] has published almost everything about it, there isn't much else for me to say. So I'm reversing the P2P protocol in Conficker.C, because it's the only part left… because it's the hardest part to understand. Anyway, I think I'll at least have figured out the IP address to UDP port calculation soon, so I can write a scanner/Snort rule for the P2P protocol. Anyway, don't interrupt me in the meantime…
(I was also going to write up a full analysis of the shellcode used in Conficker.A and Conficker.B, as no one else has really gone into detail there. (But the additional detail isn't really useful to know if you only care about detecting it. But I can describe who the authors copied most of their shellcode from (it's slightly modified MSF).) Anyway, it'll be interesting to someone, but the P2P thing will get media attention.)
(Note: I'm not complaining. I'd much rather be reversing malware than working on what I was supposed to be doing this week.)
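As an added example (not from the post), the branch ladder in the listing above translated into C: each ja takes the "date reached" path, each jnz or jb takes the skip path, and only equality falls through to the next field, so the three compares amount to a lexicographic (year, month, day) test against 0x7D9 = 2009, 4, 1. The InternetGetConnectedState check at the top of the listing is kept as a parameter, and the struct is a stand-in for the three SYSTEMTIME fields the code reads.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the three SYSTEMTIME fields the listing compares. */
typedef struct {
    uint16_t wYear;
    uint16_t wMonth;
    uint16_t wDay;
} DateFields;

/* Literal translation of the compare/branch ladder. Labels in the comments
 * are the ones from the IDA listing: loc_9A3C37 is reached when the date is
 * already past, loc_9A3C4D when it has not arrived yet. */
bool conficker_date_reached(const DateFields *t)
{
    if (t->wYear > 0x7D9)  return true;   /* ja  loc_9A3C37: year > 2009 */
    if (t->wYear != 0x7D9) return false;  /* jnz loc_9A3C4D: year < 2009 */
    if (t->wMonth > 4)     return true;   /* ja  loc_9A3C37: month > April */
    if (t->wMonth != 4)    return false;  /* jnz loc_9A3C4D: month < April */
    if (t->wDay < 1)       return false;  /* jb  loc_9A3C4D: never true, wDay >= 1 */
    return true;                          /* fall through: 1 April 2009 or later in April */
}

/* The whole gate in the order the listing runs it: connectivity first
 * (eax == 0 jumps to loc_9A3C5C and skips the date check), then the date. */
bool conficker_activation_gate(bool internet_connected, const DateFields *t)
{
    if (!internet_connected) return false;   /* test eax, eax / jz loc_9A3C5C */
    return conficker_date_reached(t);
}

/* The same predicate as an analyst would state it in a report: the three
 * compares collapse to "local date >= 2009-04-01". Packing the fields into
 * one integer makes it a single comparison, which lets a test confirm the
 * branch-by-branch translation above did not drop a case. */
bool date_at_or_after_2009_04_01(const DateFields *t)
{
    uint32_t packed = ((uint32_t)t->wYear << 16) | ((uint32_t)t->wMonth << 8) | t->wDay;
    return packed >= ((2009u << 16) | (4u << 8) | 1u);
}

int main(void)
{
    /* Constructed sample dates on both sides of the boundary. */
    const DateFields samples[] = {
        {2008, 12, 31}, {2009, 3, 31}, {2009, 4, 1}, {2009, 4, 2}, {2009, 5, 1}, {2010, 1, 1}
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const DateFields *t = &samples[i];
        printf("%04u-%02u-%02u online -> %s\n", (unsigned)t->wYear, (unsigned)t->wMonth,
               (unsigned)t->wDay, conficker_activation_gate(true, t) ? "trigger" : "dormant");
    }
    return 0;
}
```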
What do I do for a living?
Mar. 16th, 2009 09:23 pm
A question I am frequently asked is:
What do you do for a living?
I'll usually say something like
"I'm a malware analyst." — although that's an incomplete answer. And they'll say
"What's malware?" And I'll try to explain it to them, but they're too impatient for more than a one-sentence explanation. And so I say stuff about hacking and computer viruses and spam, in about two or three sentences, which don't penetrate their skull. (Since they didn't really want to know the answer, they were just making small talk.) And in frustration I'll say something like
"I break into computers for a living." And then they're like
"Oh!" But that's not really what I do either. And if you've ever seen my CV, you'll note that I do a lot of different, hard-to-explain things. Like reverse engineering, exploit development, vulnerability analysis, tool development, and even some QA work (tracking down the root cause of the really hard bugs).
The only really succinct response I've come up with is that I stare at the 1's and 0's, and explain what's going on in English. (Or that I'm just really smart at people.)
I'm in Texas! Yee-Haw!
Jan. 29th, 2009 08:30 pm
I'm in Texas! Yee-Haw! OMG! Why is it so cold here?! There's ice on everything! It's supposed to be warm in Texas, what's going on?
UPDATE: If I wasn't in Texas, I'd be at this: She's Geeky and possibly Super Happy Dev House 30. Both close to my house in Mountain View, CA… Where I spend very little time these days.
(no subject)
Nov. 28th, 2007 01:23 am
This is what I actually do for a living, seriously:
http://xkcd.com/350/
Speaking of which, I'm (or should be) working on an abstract for a presentation for Security Opus and Black-Hat Europe, next spring. I'm not 100% certain what I'm going to talk about, since I'm still researching it, so it will be sufficiently vague that I can fill in the details… once I have them. Considering how many talks never match up to the vague blurbs in the schedules, I think most presenters do this.
Anyway, what would you, the LJ-reading audience, like to hear me give a presentation on?
[Poll #1096517]
There are some other projects I have too, that I could probably talk about, but I don't think I'll have them done in time.
Birthday Parties and Toorcon
Oct. 19th, 2007 12:14 am
I'm afraid that I have to miss unseelie and nisaa's birthday party, and also dalloftheabove's birthday party too — I really really want to go, but I'm going to be in San Diego this weekend for Toorcon.
The morning after I made this post: http://foxgrrl.livejournal.com/50642.html I walked into work — that afternoon actually — and was making random chit-chat with a coworker — flint_otter actually — and he said that he was reading this article on C|Net about how there was some new super-exploit already for the recent Windows vulnerability, and I'm like:
"Yeah, the MS06-070 one, I just wrote an exploit for it last night." And he's like,
"No, it's something really new as of Tuesday." And I'm like,
"Yeah, that was MS06-070, unless one of the other ones was horribly exploitable." And he's like,
"Well, someone just wrote an exploit for it, and it's on the front page of C|Net." And I'm like,
"Um, I just wrote an exploit for it… And made a mention of it in my blog…" Having been around C|Net reporters before, I know that they print a lot of hearsay and rumors from questionable sources. [And as I write this, Nyah keeps trying to tickle me → "Just you wait until I write about this in my LJ!" I exclaim. It's making it a bit hard to concentrate…]
So, I looked the article up…
http://news.com.com/Experts+raise+Windows+security+alarm/2100-1002_3-6136310.html
Paranoia mounting… Right now, I really don't need nameless cyclopean institutions investigating me… again. Especially, if there's suddenly a huge MS06-070 exploiting-worm outbreak. You know, it looks kinda suspicious, since I told a bunch of people that I write 0-day exploits and internet worms for a living; I might be viewed as a suspect. But I quickly figured out that they were referring to this: http://www.milw0rm.com/exploits/2789 (I still haven't published my MSF3 module anywhere.)
There was a period of time when I wasn't oppressively paranoid all the time, when I wasn't incredibly uptight and stressed out… when I wasn't pretending to be normal. It was right after I transitioned (the first time). In a way, I was really going from one box to another by going stealth - But there was a time in between, when I was outside of the rigid boxes.
As you are all well aware, yesterday was Microsoft Patch Tuesday. One of the vulnerabilities was basically an anonymous remote root exploit against the default install of Windows 2000 (and maybe XP too). There isn't any POC code floating around on the net yet, so I wrote some to settle an argument.
I'm wondering now if I should release it publicly, or sell it to the highest bidder, or something. It currently does require a Windows Active Directory server, but if I work on it some more, I think I can make it work without requiring a separate windows server. (i.e. to work on Linux/*BSD/OSX alone). (Also, only Win2K targets so far.)
The MS advisory on this, less than useful as always: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
And the much more detailed - if remarkably vague in areas - eEye advisory on it: http://research.eeye.com/html/advisories/published/AD20061114.html
There's just enough information to find the vulnerability, and a hint as to how to trigger it, but not any details like how the JoinOptions flag [arg_6] needs to be 0x01 (you'll want to use RPC function 0x16).
Oh yeah, I was going to mention, that this is also the first exploit I've written in the MSF3. I must say that the NDR and DCERPC libraries made this exploit so much faster and easier to write. (Easier to write than giant blobs of raw binary data, which is how I typically write stuff.)
Publish or Perish
Aug. 24th, 2006 02:34 pm
Now students, can anyone tell me what happens next?
( Courtesy LJ cut for large images )
I think that it'll help if I tell you that the heap structure at 0x00BFA8D8 was a free block, originally 0x005E 0x004D 0x01 0x10 0x00 0x00 with the forward and backwards pointers both set to 0x00230178, and I don't know why the fuck I can remember that without having to look it up, when I can't even remember my own postal address most of the time. (Maybe it's like lurene said, that all the really good reverse engineers/assembly coders are mentally broken in some way.) Anyway, 0x00230178 is the start of the free list (I think), it points back to 0x00BFA8E0.
Anyway, since this is Windows 2K AdvancedServer SP0, I could just overwrite one of the function pointers in the PEB, or the TEB... or the SEH, wheee! [I'll explain later...] Although this particular buffer tends to move around a bit in memory, and I've been up all night trying to make the exploit [no you can't have a copy] more reliable. So I've been thinking of using Halvar's trick of building a VirtAlloc structure in the buffer underneath the free block, to get an extra DWORD copy. And with two writes, I think that would be enough to make this reliable, because the pointer to the free block exists in the segment table at 0x00B70027 (I think it was), which I know the address of. And worst case I could leave the original Forward pointer intact, because that does point to the FreeTable entry for itself. (In other words, if I can take the DWORD located at 0x00B70027 -- which points to data from the overflowed buffer, and write it to your favorite function pointer, then the shellcode will be jumped to exactly.)
Maybe.
Either that, or I'll just have to manipulate the heap list itself in such a way that I can control where the next buffer will be written (to an address of my choice), write the shellcode there, and then do the overflow again to put this known address in some known location that will jump to it.
( Overtired )
www.beesonstuff.com
Jun. 24th, 2006 12:12 am
My life has been getting very interesting very fast. New boss at work – who was my old boss at a previous company. Oh, and Nyah is coming to stay with me ♥ ♥ ♥
There was a bee, taking a short bee-break on my car window at sunset. So I took her picture. (I only had natural light to work with here, so the images aren't as razor-sharp as usual.)
( Bees On A Car! )
Here's a cropped image, that's scaled down less than the above. (The original looks just like the above. I was only using a reversed 50mm lens, so there is only one focal length and magnification.)
( Close-Up, Kinda )
I accidentally overexposed one frame, and – this may just be a reflection of the sky – but this bee appears to have blue eyes.
( Blue-eyed bee )
They – you know THEY – are shutting down power to our building, where I work, this weekend. So it's a perfect time to completely rewire the QA lab, and do some other IT stuff. Here are some "Before" pictures. Actually, about one third of the equipment had already been pulled out at the point when I took these pictures. So it's not nearly as impressive as it could possibly be... (Taken with my widest-angle 18mm lens.)
( Warning: Do not touch any of these wires )
For whoever it was asking me about the dust reference images: The aperture does matter when trying to image the dust on the CCD. (These were shot with the Nikon ED 55-200mm "G" lens at 200mm. I have lenses with worse vignetting than this. The effect is exaggerated here — I stretched out the curve.) (Yes, I cleaned my CCD after this; this was from the recent trip to DC/VA/PA/MD/etc.)
( Dust )