General Information
I have been a member of the International Secure Systems Lab since November 2008.
I hold a Ph.D. in applied IT security from Telecom ParisTech and an M.Sc. in computer engineering
from the University of Bergamo.
My interests cover all aspects of computer security, with particular emphasis on real
problems that affect systems and networks. Some topics I have worked on are web and browser security,
code analysis, botnet detection, cybercrime investigation, privacy and threats in social networks, malware and intrusion
detection systems.
I have been involved in IT security for more than 10 years, with international experience
in both industrial and academic fields.
I previously worked as a security consultant and engineer for different companies in Milan,
Munich and Sophia-Antipolis, before joining the International Secure Systems Lab and
then Trend Micro Research as a senior research scientist. My work has been published in
top peer-reviewed conferences, e.g. NDSS, RAID and DIMVA,
and I have spoken at major security venues such as Black Hat,
Hack In The Box and OWASP AppSec. My applied research has been acknowledged and published
by important media, e.g. Forbes, The Register, Slashdot, InfoWorld and DarkReading.
Being a Free Software sympathizer, I have been involved in several open source projects
and underground hacking groups, mainly during my studies.
Nowadays I am more into climbing, and research, of course :)
News
- Our new papers have been accepted for publication at PST 2013
- After the initial months spent settling down at Trend Micro Research, we now have a couple of papers under review
- A lot of fun together with my friend Raoul Chiesa in Santiago de Chile for 8.8.
- I have been interviewed by Softpedia at HITB Amsterdam
- My Ph.D. thesis is online: Automated Measurements of Novel Internet Threats
Education
- Nov. 2008 - Dec. 2011, Ph.D. at EURECOM & TELECOM ParisTech, under the supervision of Prof. Engin Kirda.
My Ph.D. thesis is titled Automated Measurements of Novel Internet Threats [ PDF ]
In the last twenty years, the Internet has grown from a simple, small network to a complex,
large-scale system. Attackers are not indifferent to the evolution of the Internet. Often driven by a flourishing
underground economy, attackers are constantly looking for vulnerabilities, misconfigurations
and novel techniques to access protected and authorized systems, to steal private
information, or to deliver malicious content. Traditional vulnerabilities such as buffer overflows
or SQL injections are still exploited. However, new alternative attack vectors that
leverage unconventional channels on a large scale (e.g. cloud computing) are also being
discovered. To date, not much research has been conducted to measure the importance
and extent of these emerging Internet threats. Conventional detection techniques cannot
easily scale to large scale installations, and novel methodologies are required to analyze
and discover bugs and vulnerabilities in these complex systems.
In this thesis, we advance the state of the art in large scale testing and measurement
of Internet threats. We investigate three novel classes of security problems that affect
Internet systems that have experienced a fast surge in popularity (i.e., ClickJacking, HTTP
Parameter Pollution, and commercial cloud computing services that allow the outsourcing
of server infrastructures). We introduce the first, large scale attempt to estimate the
prevalence and relevance of these problems on the Internet.
- Sept.-Dec. 2007, Internship at SAP
Research, Security & Trust, Sophia-Antipolis (France).
During this internship, I performed research in network security aimed at
the integration of wireless sensor networks (WSNs) in enterprise applications (e.g. SAP).
- March 2007, M.Sc. in Computer Engineering at the University of Bergamo (Italy). Final grade of 110/110.
My M.Sc. thesis is titled Security by Virtualization: a novel antivirus for personal computers. [ PDF, Slides ]
In this work, we introduce a novel security architecture for personal computers based on
the virtualization paradigm, in which we move the security services from the user's operating
system into a tamper-resistant virtual machine layer, or hypervisor. We propose a novel antivirus
that intercepts raw I/O disk-sector accesses to conduct low-level virus analysis.
- 2006, Internship in Security R&D at Secunet Security Networks AG, Munich (Germany)
Research and prototype implementation of an antivirus framework based on virtualization. Adopted technology: QEMU, Linux, C++, Bash/Python.
- 2005, Exchange student at the Norwegian University of Science and Technology (NTNU) in Trondheim, Faculty of Computer Science and Telematics.
- July 2004, B.Sc. in Computer Engineering at the University of Bergamo.
My B.Sc. thesis is titled A new model of Intrusion Detection System: The Router-IDS [ PDF, Slides ]
In this thesis, I define and extend the IDS taxonomy with what I called a ``context-based IDS''.
The standard taxonomy groups IDSs into host-based and network-based families, depending on
the type of information that is processed (host vs network). A context-based IDS, instead,
correlates both host-based information and network traffic in order to reduce the number of
false positives, which is among the primary reasons for failure of current network-based IDSs.
- 2003, Internship in Security R&D at ICT Consulting S.p.A., Milano (Italy)
During this internship, I designed a router-based intrusion detection system (IDS) that integrates
network sensors into existing device nodes to detect distributed security issues, e.g. DoS
attacks, portscans, SPAM activities and botnets. Adopted technology: Cisco IOS, SNMP, Linux, C.
Professional activities
- Conferences and Journals Reviewer: Journal of Computer Security (JCS), 7th IEEE Workshop on Network Measurements (WNM2013).
- Since April 2012, Research Scientist at Trend Micro Research
I work for Trend Micro's Forward-Looking Threat Research (FTR) team as a senior
researcher. In my daily job, I try to bridge academia and industry, by keeping one
leg in scientific research, publishing in peer-reviewed conferences, and the other
in the needs of an industry-driven environment, for example advising on internal
innovative engineering projects.
The team itself is responsible for researching malware and hacking threats, security of
emerging technologies and user privacy, and designing solutions to detect and mitigate
them. We actively interface with universities, external research groups, law enforcement
and CERTs for research and knowledge sharing, and we regularly attend both academic
and hacking security conferences.
- 2011, Occasional Journal Writer for Software Press's Hakin9 IT Security Magazine.
- 2008, Senior Security Engineer at Numara Software (ex Criston Software S.A.), Sophia-Antipolis (France).
As a security expert, I was responsible for researching, implementing and supporting the development
of a Vulnerability Management solution.
I led the research and development of the
security scanner and its vulnerability tests. During my stay, I replaced a large portion of
the existing code with the Nmap Security Scanner, which we licensed and adopted.
- Aug. 2006 - July 2007, Security Researcher at Secunet Security Networks AG, Munich (Germany), the largest information security service provider in Germany.
Research and prototype implementation of a novel antivirus, which we integrated within a virtual
machine framework (hypervisor) to make it tamper-resistant against malware running in the
operating system. More information is included in my M.Sc. thesis above. Technology: C/C++/BASH, Linux, Qemu, VirtualBox.
- 2006, Security Consultant (freelancer) for Emaze Network S.p.A., an Italian company that provides services and products in the Information Security field.
Traditional security consulting services like: penetration testing, vulnerability
assessment, computer forensics, system hardening, network and log analysis, architecture
designing, compliance, training.
- 2004 - 2005, Security Consultant (freelancer) for Secure Network s.r.l., an information security consulting group in Milan.
Traditional security consulting services like: penetration testing, vulnerability
assessment, computer forensics, system hardening, network and log analysis, architecture
designing, compliance, training.
Publications
"Targeted Attacks Detection With SPuNge"
Marco Balduzzi, Vincenzo Ciangaglini, Robert McArdle
The 11th Annual Conference on Privacy, Security and Trust
PST 2013, Tarragona, Catalonia, July 10-12 2013
[ abstract, pdf ]
Over the past several years there has been a noticeable rise in the number of reported targeted
attacks, which are also commonly referred to as advanced persistent threats (APTs). This is seen
by security experts as a landscape shift from a world dominated by
widespread malware that infects indiscriminately, to a more selectively targeted approach with
higher gain.
One thing that is clear about targeted attacks is that they are difficult to detect, and not
much research has been conducted so far in detecting these attacks. In this paper,
we propose a novel system called SPuNge that processes threat information collected
on the users' side to detect potential targeted attacks for further investigation. We use a combination
of clustering and correlation techniques to identify groups of machines that share a similar
behavior with respect to the malicious resources they access and the industry in which they operate (e.g., oil & gas).
We evaluated our system against real data collected by an antivirus vendor
from over 20 million customer installations worldwide. Our results show that our approach works well in practice
and is helpful in assisting security analysts in cybercrime investigations.
"The Role of Phone Numbers in Understanding Cyber-Crime Schemes"
Andrei Costin, Jelena Isacenkova, Marco Balduzzi, Aurélien Francillon, Davide Balzarotti
The 11th Annual Conference on Privacy, Security and Trust
PST 2013, Tarragona, Catalonia, July 10-12 2013
[ to appear ]
"The role of phone numbers in understanding cyber-crime (technical report)"
Andrei Costin, Jelena Isacenkova, Marco Balduzzi, Aurélien Francillon, Davide Balzarotti
EURECOM Research Report RR-13-277, February 2013
[ abstract, pdf, bib ]
The Internet and telephones are part of everyone's modern life. Unfortunately, several
criminal activities also rely on these technologies to reach their victims. While the use
and importance of the network has been largely studied, previous work overlooked the
role that phone numbers can play in understanding online threats. In this work we aim
at determining if leveraging phone numbers analysis can improve our understanding of
the underground markets, illegal computer activities, or cyber-crime in general. This
knowledge could then be adopted by several defensive mechanisms, including blacklists or
advanced spam heuristics. In our study we collected phone numbers from various public
or private sources and we designed a framework for mining, analyzing, enriching and,
finally, correlating phone numbers to malicious activities. Our results show that,
in scam activities, phone numbers often remain more stable over time than email
addresses. Finally, using a combination of graph analysis and geographical HLR lookup,
we were able to identify recurrent cyber-criminal business models and to link together
scam communities that spread over different countries.
"Web Application Security, Dagstuhl Seminar 12401 (conference report)"
Lieven Desmet, Martin Johns, Benjamin Livshits, Andrei Sabelfeld
Schloss Dagstuhl, 30/09/12 - 05/10/12
[ abstract, pdf, bib ]
This report documents the program and the outcomes of Dagstuhl Seminar 12401 ``Web Application Security''.
The seminar brought 44 web security researchers together, coming from companies and research institutions
across Europe and the US. The seminar had a well-filled program, with 3 keynotes, 28 research talks, and
15 5-minute talks. As web application security is a broad research domain, a diverse set of recent research
results was presented during the talks, covering the web security vulnerability landscape, information-flow
control, JavaScript formalization, JavaScript confinement, and infrastructure and server hardening.
In addition to the plenary program, the seminar also featured three parallel break-out sessions on
Cross-Site Scripting (XSS), JavaScript and Information-flow control.
"A Security Analysis of Amazon's Elastic Compute Cloud Service"
Marco Balduzzi, Jonas Zaddach, Davide Balzarotti, Engin Kirda, Sergio Loureiro
The 11th Edition of the Computer Security track at the 27th ACM Symposium on Applied Computing
SAC@SAC 2012, Trento, Italy, March 26-30 2012
[ abstract, pdf, bib, press (Forbes | InfoWorld | ZDNet) ]
Cloud services such as Amazon's Elastic Compute Cloud and IBM's
SmartCloud are quickly changing the way organizations are dealing with IT
infrastructures and are providing online services. Today, if an
organization needs computing power, it can simply buy it online by
instantiating a virtual server image on the cloud. Servers can be
quickly launched and shut down via application programming interfaces,
offering the user a greater flexibility compared to traditional server
rooms. A popular approach in cloud-based services is to allow users to
create and share virtual images with other users. In addition to these
user-shared images, the cloud providers also often provide virtual images
that have been pre-configured with popular software such as open source
databases and web servers.
This paper explores the general security risks associated with using
virtual server images from the public catalogs of cloud service
providers. In particular, we investigate in detail the security problems
of public images that are available on the Amazon EC2 service. We
describe the design and implementation of an automated system that we
used to instantiate and analyze the security of public AMIs on the Amazon
EC2 platform, and provide detailed descriptions of the security tests
that we performed on each image. Our findings demonstrate that both the
users and the providers of public AMIs may be vulnerable to security
risks such as unauthorized access, malware infections, and loss of
sensitive information. The Amazon Web Services Security Team has
acknowledged our findings, and has already taken steps to properly
address all the security risks we present in this paper.
"Reverse Social Engineering Attacks in Online Social Networks"
Danesh Irani, Marco Balduzzi, Davide Balzarotti, Engin Kirda, Calton Pu
Eighth Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2011, Amsterdam, The Netherlands, July 7-8 2011
[ abstract, pdf, bib, slides ]
Social networks are some of the largest and fastest growing
online services today. Facebook, for example, has been ranked as the
second most visited site on the Internet, and has been reporting
growth rates as high as 3% per week. One of the key features of
social networks is the support they provide for finding new
friends. For example, social network sites may try to automatically
identify which users know each other in order to propose friendship
recommendations.
Clearly, most social network sites are critical with respect to
user's security and privacy due to the large amount of information
available on them, as well as their very large user base. Previous
research has shown that users of online social networks tend to
exhibit a higher degree of trust in friend requests and messages
sent by other users. Even though the problem of unsolicited messages
in social networks (i.e., spam) has already been studied in detail,
to date, reverse social engineering attacks in social networks have
not received any attention. In a reverse social engineering attack,
the attacker does not initiate contact with the victim. Rather, the
victim is tricked into contacting the attacker herself. As a result,
a high degree of trust is established between the victim and the
attacker as the victim is the entity that established the
relationship.
In this paper, we present the first user study on reverse social
engineering attacks in social networks. That is, we discuss and show
how attackers, in practice, can abuse some of the friend-finding
features that online social networks provide with the aim of
launching reverse social engineering attacks. Our results
demonstrate that reverse social engineering attacks are feasible and
effective in practice.
"Exposing the Lack of Privacy in File Hosting Services"
Nick Nikiforakis, Marco Balduzzi, Steven Van Acker, Wouter Joosen, Davide Balzarotti
4th Usenix Workshop on Large-Scale Exploits and Emergent Threats
LEET 2011, Boston, US, March 29 2011
[ abstract, pdf, bib, slides, press (The Register | Slashdot) ]
File hosting services (FHSs) are used daily by thousands of people as a way
of storing and sharing files. These services normally rely on a
security-through-obscurity approach to enforce access control: For each
uploaded file, the user is given a secret URI that she can share with other
users of her choice.
In this paper, we present a study of 100 file hosting services and we show
that a significant percentage of them generate secret URIs in a predictable
fashion, allowing attackers to enumerate their services and access their
file list. Our experiments demonstrate how an attacker can access
hundreds of thousands of files in a short period of time, and how this poses
a very big risk for the privacy of FHS users. Using a novel
approach, we also demonstrate that attackers are aware of these
vulnerabilities and are already exploiting them to get access to other users'
files. Finally we present SecureFS, a client-side protection mechanism
which can protect a user's files when uploaded to insecure FHSs, even if the
files end up in the possession of attackers.
"Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications" (Best Paper Award)
Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, Engin Kirda
18th Annual Network and Distributed System Security Symposium
NDSS 2011, San Diego, US, February 6-9 2011
[ abstract, pdf, bib ]
In the last twenty years, web applications have grown
from simple, static pages to complex, full-fledged dynamic
applications. Typically, these applications are built using
heterogeneous technologies and consist of code that runs
both on the client and on the server. Even simple web applications
today may accept and process hundreds of different
HTTP parameters to be able to provide users with
interactive services. While injection vulnerabilities such as
SQL injection and cross-site scripting are well-known and
have been intensively studied by the research community, a
new class of injection vulnerabilities called HTTP Parameter
Pollution (HPP) has not received as much attention. If
a web application does not properly sanitize the user input
for parameter delimiters, exploiting an HPP vulnerability,
an attacker can compromise the logic of the application to
perform either client-side or server-side attacks.
In this paper, we present the first automated approach for
the discovery of HTTP Parameter Pollution vulnerabilities
in web applications. Using our prototype implementation
called PAPAS (PArameter Pollution Analysis System), we
conducted a large-scale analysis of more than 5,000 popular
websites. Our experimental results show that about
30% of the websites that we analyzed contain vulnerable
parameters and that 46.8% of the vulnerabilities we discovered
(i.e., 14% of the total websites) can be exploited via
HPP attacks. The fact that PAPAS was able to find vulnerabilities
in many high-profile, well-known websites suggests
that many developers are not aware of the HPP problem.
We informed a number of major websites about the vulnerabilities
we identified, and our findings were confirmed.
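The parameter-delimiter issue this abstract describes, as an added example that is not part of the paper or of PAPAS: a check that flags duplicated parameters in a query string, the three ways backends commonly resolve duplicates, and a raw-concatenation URL builder beside its urlencode-hardened form. The URL, parameter names and search value are constructed for illustration.

```python
"""Added example (not PAPAS or the paper's code): detecting HTTP Parameter
Pollution (HPP) in query strings and building URLs that cannot be polluted.
All URLs and values below are constructed for illustration."""
from urllib.parse import parse_qsl, urlencode, urlsplit


def find_polluted_params(query: str) -> dict:
    """Return {name: [values...]} for every parameter that occurs more than once.

    Duplicate names are the precondition of an HPP attack: a backend that does
    not sanitize parameter delimiters lets an injected '&name=value' create them.
    """
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}


def resolve(query: str, policy: str) -> dict:
    """Resolve duplicates the way different server stacks commonly do.

    'first' keeps the first occurrence, 'last' keeps the last, and 'all'
    joins every occurrence with a comma. Which policy a backend applies is
    what decides whether a polluted parameter changes the application logic.
    """
    if policy not in ("first", "last", "all"):
        raise ValueError("unknown policy: " + policy)
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in result:
            result[name] = value
        elif policy == "last":
            result[name] = value
        elif policy == "all":
            result[name] = result[name] + "," + value
    return result


def build_url_unsafe(base: str, search: str) -> str:
    """Vulnerable construction: user input concatenated raw into the query.

    A search value containing '&' or '=' adds extra parameters, so the fixed
    'action=view' that follows may be overridden depending on the policy.
    """
    return base + "?q=" + search + "&action=view"


def build_url_safe(base: str, search: str) -> str:
    """Hardened construction: urlencode percent-encodes every value, so '&'
    and '=' inside user input stay part of the 'q' value."""
    return base + "?" + urlencode({"q": search, "action": "view"})


def query_of(url: str) -> str:
    """Extract just the query string from a URL."""
    return urlsplit(url).query


def audit_url(url: str) -> dict:
    """Run the HPP check on a URL and report how each policy would see it."""
    query = query_of(url)
    return {
        "polluted": find_polluted_params(query),
        "first": resolve(query, "first"),
        "last": resolve(query, "last"),
        "all": resolve(query, "all"),
    }


if __name__ == "__main__":
    # Constructed input: a search term that carries a second 'action' parameter.
    user_input = "cats&action=delete"
    base = "https://example.test/items"  # placeholder host
    for builder in (build_url_unsafe, build_url_safe):
        url = builder(base, user_input)
        print(builder.__name__, url)
        print("  ", audit_url(url))
```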
"EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis"
Leyla Bilge, Engin Kirda, Christopher Kruegel, Marco Balduzzi
18th Annual Network and Distributed System Security Symposium
NDSS 2011, San Diego, US, February 6-9 2011
[ abstract, pdf, bib, slides ]
The domain name service (DNS) plays an important role
in the operation of the Internet, providing a two-way mapping
between domain names and their numerical identifiers.
Given its fundamental role, it is not surprising that a wide
variety of malicious activities involve the domain name service
in one way or another. For example, bots resolve DNS
names to locate their command and control servers, and
spam mails contain URLs that link to domains that resolve
to scam servers. Thus, it seems beneficial to monitor the
use of the DNS system for signs that indicate that a certain
name is used as part of a malicious operation.
In this paper, we introduce EXPOSURE, a system that
employs large-scale, passive DNS analysis techniques to
detect domains that are involved in malicious activity. We
use 15 features that we extract from the DNS traffic that allow
us to characterize different properties of DNS names
and the ways that they are queried.
Our experiments with a large, real-world data set consisting
of 100 billion DNS requests, and a real-life deployment
for two weeks in an ISP show that our approach is
scalable and that we are able to automatically identify unknown
malicious domains that are misused in a variety of
malicious activity (such as for botnet command and control,
spamming, and phishing).
"A Summary of Two Practical Attacks against Social Networks (invited paper)"
Leyla Bilge, Marco Balduzzi, Davide Balzarotti, Engin Kirda
21st Tyrrhenian Workshop on Digital Communications: Trustworthy Internet
Island of Ponza, Italy, September 6-8 2010
[ abstract, bib ]
Social networking sites have been increasingly gaining popularity,
and they have already changed the communication habits of hundreds of
millions of users. Unfortunately, this new technology can easily be
misused to collect private information and violate the users’ privacy.
In this chapter, we summarize two practical attacks we have presented
in the past: an impersonation attack in which we automatically clone a
user profile, and an attack that abuses the information provided by social
networks to automatically correlate information extracted from different
social networks. Our results show that these attacks are very successful
in practice and that they can significantly impact the users’ privacy.
Therefore, these attacks represent a first important step to raise awareness
among users about the privacy and security risks involved in sharing
information in one or more social networks.
"Abusing Social Networks for Automated User Profiling"
Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti and Christopher Kruegel
International Symposium on Recent Advances in Intrusion Detection
RAID 2010, Ottawa, Canada, September 15-17 2010
[ abstract, pdf, bib, slideshare ]
Recently, social networks such as Facebook have experienced a huge
surge in popularity. The amount of personal information stored on
these sites calls for appropriate security precautions to protect
this data.
In this paper, we describe how we are able to take advantage of a
common weakness, namely the fact that an attacker can query popular
social networks for registered e-mail addresses on a large scale.
Starting with a list of about 10.4 million email addresses, we were
able to automatically identify more than 1.2 million user profiles
associated with these addresses. By automatically crawling and
correlating these profiles, we
collect detailed personal information about each user,
which we use for automated profiling (i.e., to enrich the
information available from each user). Having access to such
information would allow an
attacker to launch sophisticated, targeted attacks, or to improve the
efficiency of spam campaigns. We have contacted the most popular
providers, who acknowledged the
threat and are currently implementing our proposed countermeasures. Facebook
and XING, in particular, have recently fixed the problem.
"Security by virtualization: A novel antivirus for personal computers"
Marco Balduzzi
VDM Verlag Dr. Müller e.K., ISBN 978-3-639-25624-6, Paperback, 104 pages, May 7 2010
[ description, book, bib, cover ]
A form of virtualization appeared four decades ago to perform multi-programming
and simple time-sharing tasks inside a single mainframe. Virtualization quickly
became the solution to limit costs and save money through server consolidation.
Nowadays virtualization is a "hot topic" and it is habitually adopted in development
environments for testing and debugging purposes. This book presents a novel paradigm
to secure personal computers. Virtualization is used to isolate the user system
within a so-called security shell where multiple security services are configured
to ensure the tamper resistance of the user's environment. While a conventional
personal antivirus can be switched off, manipulated, or avoided by sophisticated
malicious code and technically experienced users, this antivirus enforces
continuous protection of the user's environment from the security shell.
Accesses to the file system are scanned in real time and mobile/encrypted
network connections are inspected. The whole system is finally protected
by an encryption layer that inconspicuously encrypts the user system.
"Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype"
Antonio Nappa, Aristide Fattori, Marco Balduzzi, Matteo Dell'Amico and Lorenzo Cavallaro
Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2010, Bonn, Germany, July 8-9 2010
[ abstract, pdf, bib, slides ]
Skype is one of the most used P2P applications on the Internet:
VoIP calls, instant messaging, SMS and other features are provided
at a low cost to millions of users. Although Skype is a closed
source application, an API allows developers to build custom
plugins which interact over the Skype network, taking advantage of
its reliability and capability to easily bypass firewalls and NAT
devices. Since the protocol is completely undocumented, Skype
traffic is particularly hard to analyze and to reverse engineer.
We propose a novel botnet model that exploits an overlay network
such as Skype to build a parasitic overlay, making it
extremely difficult to track the botmaster and disrupt the botnet
without damaging legitimate Skype users. While Skype is
particularly suitable for this purpose due to its abundance of
features and its widespread installed base, our model is
generically applicable to distributed applications that employ
overlay networks to send direct messages between nodes (e.g.,
peer-to-peer software with messaging capabilities). We are
convinced that similar botnet models are likely to appear in the
wild in the near future and that the threats they pose should not
be underestimated. Our contribution strives to provide the tools to
correctly evaluate and understand the possible evolution and
deployment of this phenomenon.
"A Solution for the Automated Detection of Clickjacking Attacks"
Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, Christopher Kruegel
5th ACM Symposium on Information, Computer and Communications Security
AsiaCCS 2010, Beijing, China, April 13-16 2010
[ abstract, pdf, bib ]
Clickjacking is a web-based attack that has recently received wide
media coverage. In a clickjacking attack, a malicious page is
constructed such that it tricks victims into clicking on an element
of a different page that is only barely (or not at all) visible. By
stealing the victim's clicks, an attacker could force the user to
perform an unintended action that is advantageous for the attacker
(e.g., initiate an online money transaction). Although clickjacking
has been the subject of many discussions and alarming reports, it is
currently unclear to what extent clickjacking is being used by
attackers in the wild, and how significant the attack is for the
security of Internet users.
In this paper, we propose a novel solution for the automated and
efficient detection of clickjacking attacks. We describe the system
that we designed, implemented and deployed to analyze over a million
unique web pages. The experiments show that our approach is feasible
in practice. Also, the empirical study that we conducted on a large number
of popular websites suggests that clickjacking has not yet been
largely adopted by attackers on the Internet.
"Abusing Social Networks for Automated User Profiling (technical report)"
Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, and Christopher Kruegel
EURECOM Research Report RR-10-233, March 3 2010
[ abstract, pdf, bib ]
Recently, social networks such as Facebook have experienced a huge
surge in popularity. The amount of personal information stored in these sites
calls for appropriate security precautions to protect this data.
In this paper, we describe how we are able to take advantage of a common
weakness, namely the fact that an attacker can query the social network
for registered e-mail addresses on a large scale. Starting with a
list of about 10.4 million email addresses, we were able to automatically
identify more than 1.2 million user profiles associated with these addresses.
By crawling these profiles, we collect publicly available personal information
about each user, which we use for automated profiling (i.e., to enrich the
information available from each user).
Finally, we propose a number of mitigation techniques to protect the user's
privacy. We have contacted the most popular providers, who acknowledged the
threat and are currently implementing our countermeasures. Facebook and XING in particular
have recently fixed the problem.
Talks
Academic conferences:
- Schloss Dagstuhl, Web Application Security Seminar 2012, Saarbrucken, Germany
- DIMVA 2011, Amsterdam, NL
- NDSS 2011, San Diego, US
- RAID 2010, Ottawa, Canada
- AsiaCCS 2010, Beijing, China
Hacking conferences:
Cutting-edge research in system security, OWASP Italy Day 2012, Rome, Italy - 23/11/12 (invited talk)
[ slides]
SatanCloud: Un Viaje por los Riesgos a la Privacidad y Seguridad del Cloud Computing
- SECURITY-ZONE 2012, Cali, Colombia - 06/12/2012 (invited talk) [ abstract]
- 8dot8 Computer Security Conference 2012, Santiago, Chile - 18/10/2012 2012 (invited talk) [ abstract, press ( El Mercurio)]
SatanCloud: A Journey Into the Privacy and Security Risks of Cloud Computing, HITB SecConf 2012, Amsterdam, Netherlands - 25/05/12
[ abstract,
slides (slideshare) ]
A journey into the privacy and security risks of a cloud computing service, Black Hat Webcast Series, April 2012 - 19/04/12 (invited talk)
[ abstract,
slides ]
Detección Automática de vulnerabilidades HPP en aplicaciones Web
- SECURITY-ZONE 2011, Cali, Colombia - 28-30/11/11 (invited talk) [ abstract ]
- 8dot8 Computer Security Conference, Santiago, Chile - 18/11/11 [ abstract,
press ( yahoo!) ]
Attacking the Privacy of Social Network Users, HITB SecConf 2011, Kuala Lumpur, Malaysia - 11-13/10/11
[ abstract,
slides (slideshare),
press ]
Automated Detection of HPP Vulnerabilities in Web Applications, Black Hat USA 2011, Las Vegas, NV - 04/08/11
[ abstract,
slides v.03 ]
The (in)security of File Hosting Services, OWASP Netherlands Chapter Meeting, Amsterdam - 06/07/2011 (invited talk)
[ abstract,
slides (pdf) ]
Emerging Attacks on Social Networks, FORTINET, Sophia-Antipolis - 30/06/2011 (invited talk)
HPP v.02, Black Hat Webcast Series, May 2011 - 25/05/11 (invited talk)
[ abstract + registration,
slides v.02 ]
Building Large Scale Detectors for Web-based Malware (Cova, Canali), OWASP AppSec Europe 2011, Dublin, Ireland - 09/07/11
[ Conference Page,
slides (pdf) ]
HTTP Parameter Pollution, Swiss Cyber Storm 2011, Rapperswil, Switzerland - 12/05/11
[ abstract ]
Security Info Session, SAP - 27/04/2011 (invited talk)
CSI Filter 3, Computer Security Institute - 07/04/11 (invited talk)
[ program ]
HTTP Parameter Pollution Vulnerabilities in Web Applications, Black Hat Europe 2011, Barcelona, Spain - 17/03/11
[ abstract,
whitepaper,
slides (pdf),
slides (slideshare),
press ( forbes|
la stampa) ]
Clickjacking, OWASP BeNeLux 2010, Eindhoven, Netherlands - 02/11/10 (invited talk)
[ pdf,
odp,
html ]
New Insights into Clickjacking, OWASP AppSec Research 2010, Stockholm, Sweden - 24/06/10
[ pdf,
odp,
html,
slideshare ]
Security by Virtualization, Metro Olografix Hacking Party, Pescara, Italy - 19/05/07
[ pdf ]
Network multimedia with GNU/Linux, LinuxDay @ School by BgLUG, Val Seriana, Italy - 04/03/06
[ pdf
sxi ]
Secure networking with GNU/Linux, LinuxDay 2005, Bergamo, Italy - 26/11/05
[ pdf
sxi
html
recording-mp3 ]
Introduction to software development in the GNU/Linux environment (particular references to C language),
Version 0.2, LinuxDay 2004, Bergamo, Italy - 27/11/04
[ pdf
sxi
html ]
Risks and insecurities of IT infrastructures, SatEXPO 2004, Vicenza, Italy - 30/09/04
[ pdf
sxi
html ]
Techniques for prevention, protection and identification of IT attacks, SatEXPO 2004, Vicenza, Italy - 30/09/04
[ pdf
sxi
html ]
Introduction to software development in the GNU/Linux environment (particular references to C language), MOCA 2004, Pescara, Italy - 21/05/04
[ pdf
sxi
html ]
Network programming with libpcap and libnet, Webb.it 2004, Padova, Italy - 06/05/04
[ pdf
sxi
html
example-sources ]
Security analysis of routing protocols, Security Date 2004, Ancona, Italy - 29/04/04
[ pdf
sxi
html ]
Intrusion Detection Systems (IDS): state of the art and research, HackMeeting 2004, Genova, Italy - 02/04/04
[ pdf
html ]
Security of the GNU/Linux operating systems, Linuxday 2003, Bergamo, Italy - 29/11/03
[ pdf ]
Low-level network programming with libpcap and libnet, HackMeeting 2003, Torino, Italy - 20/06/03
[ pdf
sxi
html
example-sources ]
More
Hakin9 Issue 7/2011 on Web App Security, HTTP Parameter Pollution Vulnerabilities in Web Applications,
download
Is your web application protected against HTTP Parameter Pollution? A new class
of injection vulnerabilities allows attackers to compromise the logic of the
application to perform client and server-side attacks. HPP can be detected and
avoided. But how? This article discusses why and how applications may be
vulnerable to HTTP Parameter Pollution. By analyzing different attacking
scenarios, the authors of this article introduce the HPP problem. They describe
PAPAS, the system for the detection of HPP flaws, and conclude by giving the
different countermeasures that conscious web designers may adopt to deal with
this novel class of injection vulnerabilities.
Hakin9 Issue Exploiting Software 1/2011, Smashing the Stack 1,
download
For decades hackers have discovered and exploited the most concealed programming
bugs. But how is it possible to leverage a buffer overflow to compromise
software in modern operating systems? Mariano and Marco will introduce us to the
basic principles of code exploitation. We will see what happens when a process
is executed or terminated, and how a buffer overflow vulnerability can be
leveraged to execute malicious code.
Hakin9 Issue Exploiting Software 2/2011, Smashing the Stack 2,
download
Modern operating systems come with sophisticated protection mechanisms to
prevent one-click exploitations. But how can attackers bypass such techniques
to compromise remote machines all over the world? And is downloading PDF documents
always a safe practice? Mariano and Marco will describe the different
protection mechanisms that have been introduced in modern operating systems to
make exploitation more difficult. They will also present several popular
workarounds used by attackers to bypass such techniques. Finally, they will
analyze a real exploit for an Acrobat Reader stack-based buffer overflow.
Contacts
- Email. marco.balduzzi <put the at sign here> iseclab.org
- LinkedIn.

- Twitter. @embyte
Old School
Here you find a bunch of "old school" material that I have produced many years ago...
Codes
Nast
Packet sniffer and LAN analyzer based on Libnet and Libpcap. It can sniff the packets on a network interface in normal or promiscuous mode and log them.
It dumps packet headers and payloads in ASCII or ASCII-hex format.
You can apply a filter, and the sniffed data can be saved to a separate file. As an analyzer tool, it has many features: building a list of LAN
hosts, following a TCP data stream, finding LAN internet gateways, discovering promiscuous nodes, resetting an established connection, performing
single and multi half-open port scans, finding the link type, grabbing the daemon banners of LAN nodes, checking ARP replies to discover possible
ARP spoofing, byte counting, applying optional filters and writing report logs.
[ homepage screenshots ]
Gspoof
Tool that makes building and sending TCP/IP packets easier and more accurate. It works from the console (command line) and also has an easy-to-use graphical
interface written in GTK+. You can add a payload, send multiple packets specifying delay and count, enable explicit congestion
notification support and much more.
[ homepage screenshots ]
Vida
A multi-datapipe handler, written in C with the ncurses library, for Unix and Unix-like OSes.
[ homepage ]
UmL
Userspace logger that does not require r00t privileges. It works by hijacking libc functions, as described
by halflife in "Shared Library Redirection" (Phrack 51). UmL logs read()/recv() output and intercepts open(), open64(), close(),
socket(), connect(), exit(). There are many other important functions like recvfrom()/recvmsg(), fopen(), write(), etc.; this code is
only a proof of concept ;-)
SS
A simple stupid multi-server, very useless stuff :^) Written as training for script-kiddies, just a bit of funny code :pP
IPGenerator
An IP list generator (/16 netmask) and an IP parser for nmap -oG output.
The MCL suite: scanner, parser, translator to C language and compiler
The MCL language was developed for the university project
of the "languages and compilers" course (and the "M" stands for the initials of its developers!). MCL is a compact and syntactically clean
language for writing math expressions and procedures in a simple and fast way. It supports
functions, while loops, if tests, global and local variables,
input and output, comments and other crazy features :-).
The package contains a reference paper (in Italian), the parser
(mcl.l) and the scanner (mcl.y), the scripts to build the
translator to C language, and the compiler.
Linux VNC-4.1.1 evil client patch - BID 17978
Patch to exploit the VNC vulnerability BID 17978, which permits logging into the server with NULL
authentication even though a password is required.
Read my Bugtraq post.
Papers
On the Influence of Free Software on Code Reuse in Software Development
How the virus Remote Shell Trojan (RST) works
Suggested related sites
Underground groups:
2600 The Hacker Quarterly:
huge American hacker movement.
Chaos Computer Club:
famous German hacker group that periodically organizes international meetings.
Phrack.org:
a hacker magazine by the community, for the community.
THC The Hacker's Choice:
international group of experts active in information security since 1995.
Softproject:
Italian non-profit association involved in information security. It publishes the BFi magazine.
Security resources:
BugTraq:
full disclosure moderated mailing list for the detailed
discussion and announcement of computer security vulnerabilities: what
they are, how to exploit them, and how to fix them.
Packet Storm:
non-profit organization comprised of security
professionals that offers an abundant resource
of up-to-date and historical security tools, exploits, and advisories.
Security Focus:
international website that offers a huge database of advisories and exploits.
Linux related resources:
Linux (the kernel!):
the Linux Kernel.
Linux kernel mailing lists:
many public mailing lists for Linux kernel developers.