• My Ph.D. thesis is online: Automated Measurements of Novel Internet Threats
• Forbes reports on our lates paper on the security of cloud computing.
• New publication: A Security Analysis of Amazon's Elastic Compute Cloud Service
• Our latest Hakin9 issues are online - Smashing the Stack 1 and 2
• Attacking the Privacy of Social Network Users is online - Cheers from Malaysia (HITB)

• Nov. 2008 - Dec. 2011, Ph.D. at EURECOM & TELECOM ParisTech, under the supervision of Prof. Engin Kirda.
  [ My Ph.D. thesis is titled Automated Measurements of Novel Internet Threats. Download the PDF here]
  
  
• Sept.-Dec. 2007, Internship at SAP Research, Security & Trust, Sophia-Antipolis (France).
  
  
• March 2007, M.Sc. in Computer Engineering at the University of Bergamo (Italy). Final grade of 110/110.
  Our work had as objective the definition of an innovative architecture for personal computers based on the virtualization paradigm, where the security services are deployed from the user OS into a tamper resistance layer for being them-self protected from illicit attacks. A MAC approach has been adopted to guarantee the protection of the system from attacks conduct with user OS's administration permission. Within this architecture, a novel Antivirus has been developed to intercept the raw disk-sector accesses and to conduct low-level virus analysis.
  [ My M.Sc. thesis is titled Security by Virtualization: a novel antivirus for personal computers - Italian presentation ]
  
  
• 2006, Internship in Security R&D at Secunet Security Networks AG, Munich (Germany)
  Research and prototype implementation of an antivirus framework based on virtualization. (QEMU, Linux, C++, Bash/Python).
  
  
• 2005, Exchange student at the Norwegian University of Science and Technology (NTNU) of Trondheim, Faculty of Computer Science and Telematics.
  
  
• July 2004, B.Sc. in Computer Engineering at the University of Bergamo.
  My thesis defines and extends the IDS taxonomy with a concept called "context-based". Standard taxonomy groups the IDSs into the host-based and network-based families depending from the source of information. A context-based IDS relies on the information that characterize the monitored host, and correlates them with the network traffic to reduce the amount of false positives (the primary reason of failure for current network-based IDS).
  [ My B.Sc. thesis is titled A new model of Intrusion Detection System: The Router-IDS - Italian presentation ]
  
  
• 2003, Internship in Security R&D at ICT Consulting S.p.A., Milano (Italy)
  Design and implementation of a novel model of Intrusion Detection System for Routers. (Cisco IOS, SNMP, Linux, C).
  
  

• Since April 2012, Senior Threat Researcher at Trend Micro Inc.
  I work for the Trend Micro’s Forward Looking Threat Research team (FTR) as senior researcher. The team is responsible for researching malware and hacking threats, emerging technology and new user behaviour in order to understand the current threat landscape and predict what the threat landscape will be in a short time. We interface with government agencies, law enforcement, ISPs, CERTs, universities and research groups for research and knowledge sharing, and we regularly attend the most groovy and influencing security conferences.
  
  
• 2011, Occasional Journal Writer for the Software Press's Hakin9 IT Security Megazine.
  
  
• 2008, Security Engineer at Criston Software S.A., Sophia-Antipolis (France).
  Responsible of researching, implementing and supporting the development of the Precision Vulnerability Scanner solution. In particular my contributions concerned the security scanner engine and the vulnerability tests.
  I headed the integration of the Nmap (Network Mapper) product to enhance the scanner's discovery-capabilities (host discovery, port scan, service and OS detection).
  
  
• Aug.2006-July.2007, Security Researcher for the German Information Security service provider Secunet Security Networks AG, Munich (Germany).
  Research and prototype implementation of a novel Antivirus, integrated within a Virtual Machine layer. See above my M.Sc. thesis. Technology: C/C++/BASH, Linux, Qemu.
  
  
• 2006, Security Consultant for Emaze Network S.p.A., Italian company that provides services and products in the Information Security field.
  Activities: penetration testing, vulnerability assessment, computer and network forensics, secure architecture review, log analysis.
  
  
• 2004-2005, Collaborator for the Dr. Stefano Zanero's Information Security consultant group Secure Network s.r.l. as experienced consultant and tutor for networking, security and Unix issues. Milan (Italy).
  
  

"A Security Analysis of Amazon's Elastic Compute Cloud Service"
Marco Balduzzi, Jonas Zaddach, Davide Balzarotti, Engin Kirda, Sergio Loureiro
The 11th edition of the Computer Security track at the 27th ACM Symposium on Applied Computing
SAC@SAC 2012, Trento, Italy, March 26-30 2012
[ abstract, pdf, press (forbes| infoWorld| ZDNet) ] Cloud services such as Amazon's Elastic Compute Cloud and IBM's SmartCloud are quickly changing the way organizations are dealing with IT infrastructures and are providing online services. Today, if an organization needs computing power, it can simply buy it online by instantiating a virtual server image on the cloud. Servers can be quickly launched and shut down via application programming interfaces, offering the user a greater flexibility compared to traditional server rooms. A popular approach in cloud-based services is to allow users to create and share virtual images with other users. In addition to these user-shared images, the cloud providers also often provide virtual images that have been pre-configured with popular software such as open source databases and web servers. This paper explores the general security risks associated with using virtual server images from the public catalogs of cloud service providers. In particular, we investigate in detail the security problems of public images that are available on the Amazon EC2 service. We describe the design and implementation of an automated system that we used to instantiate and analyze the security of public AMIs on the Amazon EC2 platform, and provide detailed descriptions of the security tests that we performed on each image. Our findings demonstrate that both the users and the providers of public AMIs may be vulnerable to security risks such as unauthorized access, malware infections, and loss of sensitive information. The Amazon Web Services Security Team has acknowledged our findings, and has already taken steps to properly address all the security risks we present in this paper.

"Reverse Social Engineering Attacks in Online Social Networks"
Danesh Irani, Marco Balduzzi, Davide Balzarotti, Engin Kirda, Calton Pu
Eighth Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2011, Amsterdam, The Netherlands, July 7-8 2011
[ abstract, pdf, bib, slides ] Social networks are some of the largest and fastest growing online services today. Facebook, for example, has been ranked as the second most visited site on the Internet, and has been reporting growth rates as high as 3% per week. One of the key features of social networks is the support they provide for finding new friends. For example, social network sites may try to automatically identify which users know each other in order to propose friendship recommendations. Clearly, most social network sites are critical with respect to user's security and privacy due to the large amount of information available on them, as well as their very large user base. Previous research has shown that users of online social networks tend to exhibit a higher degree of trust in friend requests and messages sent by other users. Even though the problem of unsolicited messages in social networks (i.e., spam) has already been studied in detail, to date, reverse social engineering attacks in social networks have not received any attention. In a reverse social engineering attack, the attacker does not initiate contact with the victim. Rather, the victim is tricked into contacting the attacker herself. As a result, a high degree of trust is established between the victim and the attacker as the victim is the entity that established the relationship. In this paper, we present the first user study on reverse social engineering attacks in social networks. That is, we discuss and show how attackers, in practice, can abuse some of the friend-finding features that online social networks provide with the aim of launching reverse social engineering attacks. Our results demonstrate that reverse social engineering attacks are feasible and effective in practice.

"Exposing the Lack of Privacy in File Hosting Services"
Nick Nikiforakis, Marco Balduzzi, Steven Van Acker, Wouter Joosen, Davide Balzarotti
4th Usenix Workshop on Large-Scale Exploits and Emergent Threats
LEET 2011, Boston, US, March 29 2011
[ abstract, pdf, bib, slides, press (the register| slashdot) ] File hosting services (FHSs) are used daily by thousands of people as a way of storing and sharing files. These services normally rely on a security-through-obscurity approach to enforce access control: For each uploaded file, the user is given a secret URI that she can share with other users of her choice. In this paper, we present a study of 100 file hosting services and we show that a significant percentage of them generate secret URIs in a predictable fashion, allowing attackers to enumerate their services and access their file list. Our experiments demonstrate how an attacker can access hundreds of thousands of files in a short period of time, and how this poses a very big risk for the privacy of FHS users. Using a novel approach, we also demonstrate that attackers are aware of these vulnerabilities and are already exploiting them to get access to other users' files. Finally we present SecureFS, a client-side protection mechanism which can protect a user's files when uploaded to insecure FHSs, even if the files end up in the possession of attackers.

"Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications" (Best Paper Award)
Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, Engin Kirda
18th Annual Network and Distributed System Security Symposium
NDSS 2011, San Diego, US, February 6-9 2011
[ abstract, pdf, bib ] In the last twenty years, web applications have grown from simple, static pages to complex, full-fledged dynamic applications. Typically, these applications are built using heterogeneous technologies and consist of code that runs both on the client and on the server. Even simple web applications today may accept and process hundreds of different HTTP parameters to be able to provide users with interactive services. While injection vulnerabilities such as SQL injection and cross-site scripting are well-known and have been intensively studied by the research community, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. If a web application does not properly sanitize the user input for parameter delimiters, exploiting an HPP vulnerability, an attacker can compromise the logic of the application to perform either client-side or server-side attacks. In this paper, we present the first automated approach for the discovery of HTTP Parameter Pollution vulnerabilities in web applications. Using our prototype implementation called PAPAS (PArameter Pollution Analysis System), we conducted a large-scale analysis of more than 5,000 popular websites. Our experimental results show that about 30% of the websites that we analyzed contain vulnerable parameters and that 46.8% of the vulnerabilities we discovered (i.e., 14% of the total websites) can be exploited via HPP attacks. The fact that PAPAS was able to find vulnerabilities in many high-profile, well-known websites suggests that many developers are not aware of the HPP problem. We informed a number of major websites about the vulnerabilities we identified, and our findings were confirmed.

"EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis"
Leyla Bilge, Engin Kirda, Christopher Kruegel, Marco Balduzzi
18th Annual Network and Distributed System Security Symposium
NDSS 2011, San Diego, US, February 6-9 2011
[ abstract, pdf, bib, slides ] The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way mapping between domain names and their numerical identifiers. Given its fundamental role, it is not surprising that a wide variety of malicious activities involve the domain name service in one way or another. For example, bots resolve DNS names to locate their command and control servers, and spam mails contain URLs that link to domains that resolve to scam servers. Thus, it seems beneficial to monitor the use of the DNS system for signs that indicate that a certain name is used as part of a malicious operation. In this paper, we introduce EXPOSURE, a system that employs large-scale, passive DNS analysis techniques to detect domains that are involved in malicious activity. We use 15 features that we extract from the DNS traffic that allow us to characterize different properties of DNS names and the ways that they are queried. Our experiments with a large, real-world data set consisting of 100 billion DNS requests, and a real-life deployment for two weeks in an ISP show that our approach is scalable and that we are able to automatically identify unknown malicious domains that are misused in a variety of malicious activity (such as for botnet command and control, spamming, and phishing).

"A Summary of Two Practical Attacks against Social Networks (invited paper)"
Leyla Bilge, Marco Balduzzi, Davide Balzarotti, Engin Kirda
21st Tyrrhenian Workshop on Digital Communications: Trustworthy Internet
Island of Ponza, Italy, September 6-8 2010
[ to appear ]

"Abusing Social Networks for Automated User Profiling"
Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti and Christopher Kruegel
International Symposium on Recent Advances in Intrusion Detection
RAID 2010, Ottowa, Canada, September 15-17 2010
[ abstract, pdf, bib, slideshare ] Recently, social networks such as Facebook have experienced a huge surge in popularity. The amount of personal information stored on these sites calls for appropriate security precautions to protect this data. In this paper, we describe how we are able to take advantage of a common weakness, namely the fact that an attacker can query popular social networks for registered e-mail addresses on a large scale. Starting with a list of about 10.4 million email addresses, we were able to automatically identify more than 1.2 million user profiles associated with these addresses. By automatically crawling and correlating these profiles, we collect detailed personal information about each user, which we use for automated profiling (i.e., to enrich the information available from each user). Having access to such information would allow an attacker to launch sophisticated, targeted attacks, or to improve the efficiency of spam campaigns. We have contacted the most popular providers, who acknowledged the threat and are currently implementing our proposed countermeasures. Facebook and XING, in particular, have recently fixed the problem.

"Security by virtualization: A novel antivirus for personal computers"
Marco Balduzzi
VDM Verlag Dr. Müller e.K., ISBN 978-3-639-25624-6, Paperback, 104 pages, May 7 2010
[ description, book, bib, cover ] A sort of virtualization appeared four decades ago to perform multi-programming and simple time-sharing tasks inside a single mainframe. Virtualization became quickly the solution to limit cost and save money by server consolidation. Nowadays virtualization is a "hot topic" and it is habitually adopted in develop environments for testing and debugging purposes. This book presents a novel paradigm to secure personal computers. Virtualization is used to isolate the user system within a so-called security shell where multiple security services are configured to ensure the tamper resistance of the user's environment. While conventional personal antivirus can be switched off, manipulated, or avoided by sophisticated malignant codes and technically experienced users, this antivirus enforces a continuous protection of the user's environment from the security shell. The accesses to the file-system are real-time scanned and mobile/encrypted network connections are inspected. The whole system is finally protected by an encryption layer that inconspicuously encrypts the user system.

"Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype"
Antonio Nappa, Aristide Fattori, Marco Balduzzi, Matteo Dell'Amico and Lorenzo Cavallaro
Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2010, Bonn, Germany, July 8-9 2010
[ abstract, pdf, bib, slides ] Skype is one of the most used P2P applications on the Internet: VoIP calls, instant messaging, SMS and other features are provided at a low cost to millions of users. Although Skype is a closed source application, an API allows developers to build custom plugins which interact over the Skype network, taking advantage of its reliability and capability to easily bypass firewalls and NAT devices. Since the protocol is completely undocumented, Skype traffic is particularly hard to analyze and to reverse engineer. We propose a novel botnet model that exploits an overlay network such as Skype to build a parasitic overlay, making it extremely difficult to track the botmaster and disrupt the botnet without damaging legitimate Skype users. While Skype is particularly valid for this purpose due to its abundance of features and its widespread installed base, our model is generically applicable to distributed applications that employ overlay networks to send direct messages between nodes (e.g., peer-to-peer software with messaging capabilities). We are convinced that similar botnet models are likely to appear into the wild in the near future and that the threats they pose should not be underestimated. Our contribution strives to provide the tools to correctly evaluate and understand the possible evolution and deployment of this phenomenon.

"A Solution for the Automated Detection of Clickjacking Attacks"
Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, Christopher Kruegel
5th ACM Symposium on Information, Computer and Communications Security
AsiaCCS 2010, Beijing, China, April 13-16 2010
[ abstract, pdf, bib ] Clickjacking is a web-based attack that has recently received a wide media coverage. In a clickjacking attack, a malicious page is constructed such that it tricks victims into clicking on an element of a different page that is only barely (or not at all) visible. By stealing the victim's clicks, an attacker could force the user to perform an unintended action that is advantageous for the attacker (e.g., initiate an online money transaction). Although clickjacking has been the subject of many discussions and alarming reports, it is currently unclear to what extent clickjacking is being used by attackers in the wild, and how significant the attack is for the security of Internet users. In this paper, we propose a novel solution for the automated and efficient detection of clickjacking attacks. We describe the system that we designed, implemented and deployed to analyze over a million unique web pages. The experiments show that our approach is feasible in practice. Also, the empirical study that we conducted on a large number of popular websites suggests that clickjacking has not yet been largely adopted by attackers on the Internet.

"Abusing Social Networks for Automated User Profiling (technical report)"
Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, and Christopher Kruegel
EURECOM Research Report RR-10-233, March 3 2010
[ abstract, pdf, bib ] Recently, social networks such as Facebook have experienced a huge surge in popularity. The amount of personal information stored in these sites calls for appropriate security precautions to protect this data. In this paper, we describe how we are able to take advantage of a common weakness, namely the fact that an attacker can query the social network for registered e-mail addresses on a large scale. Starting with a list of about 10.4 million email addresses, we were able to automatically identify more than 1.2 million user profiles associated with these addresses. By crawling these profiles, we collect publicly available personal information about each user, which we use for automated profiling (i.e., to enrich the information available from each user). Finally, we propose a number of mitigation techniques to protect the user's privacy. We have contacted the most popular providers, who acknowledged the threat and are currently implementing our countermeasures. Facebook and XING in particular have recently fixed the problem.

Academic conferences:

• Schloss Dagstuhl, Web Application Security Seminar 2012, Saarbrucken, Germany
• DIMVA 2011, Amsterdam, NL
• NDSS 2011, San Diego, US
• RAID 2010, Ottawa, Canada
• AsiaCCS 2010, Beijing, China

Hacking conferences:

Upcoming events:
- SECURITY-ZONE 2012, Cali, Colombia - 27/11/2012 (invited talk)
- 8dot8 Computer Security Conference 2012, Santiago, Chile - October 2012 (invited talk)

SatanCloud: A Journey Into the Privacy and Security Risks of Cloud Computing, HITB SecConf 2012, Amsterdam, Netherlands - 25/05/12
[ abstract ]

A journey into the privacy and security risks of a cloud computing service, Black Hat Webcast Series, April 2012 - 19/04/12 (invited talk)
[ abstract, slides ]

Detección Automática de vulnerabilidades HPP en aplicaciones Web
- SECURITY-ZONE 2011, Cali, Colombia - 28-30/11/11 (invited talk) [ abstract ]
- 8dot8 Computer Security Conference, Santiago, Chile - 18/11/11 [ abstract, press (yahoo!) ]

Attacking the Privacy of Social Network Users, HITB SecConf 2011, Kuala Lumpur, Malaysia - 11-13/10/11
[ abstract, slides (slideshare), press ]

Automated Detection of HPP Vulnerabilities in Web Applications, Black Hat USA 2011, Las Vegas, NV - 04/08/11
[ abstract, slides v.03 ]

The (in)security of File Hosting Services, OWASP Netherlands Chapter Meeting, Amsterdam - 06/07/2011 (invited talk)
[ abstract, slides (pdf) ]

Emerging Attacks on Social Networks, FORTINET, Sophia-Antipolis - 30/06/2011 (invited talk)

HPP v.02, Black Hat Webcast Series, May 2011 - 25/05/11 (invited talk)
[ abstract + registration, slides v.02 ]

Building Large Scale Detectors for Web-based Malware (Cova, Canali), OWASP AppSec Europe 2011, Dublin, Ireland - 09/07/11
[ Conference Page, slides (pdf) ]

HTTP Parameter Pollution, Swiss Cyber Storm 2011, Rapperswil, Switzerland - 12/05/11
[ abstract ]

Security Info Session, SAP - 27/04/2011 (invited talk)

CSI Filter 3, Computer Security Institute - 07/04/11 (invited talk)
[ program ]

HTTP Parameter Pollution Vulnerabilities in Web Applications, Black Hat Europe 2011, Barcellona, Spain - 17/03/11
[ abstract, whitepaper, slides (pdf), slides (slideshare), press (forbes| la stampa) ]

Clickjacking, OWASP BeNeLux 2010, Eindhoven, Netherlands - 02/11/10 (invited talk)
[ pdf, odp, html ]

New Insights into Clickjacking, OWASP AppSec Research 2010, Stockholm, Sweden - 24/06/10
[ pdf, odp, html, slideshare ]

Security by Virtualization, Metro Olografix Hacking Party, Pescara, Italy - 19/05/07
[ pdf ]

Network multimedia with GNU/Linux, LinuxDay @ School by BgLUG, Val Seriana, Italy - 04/03/06
[ pdf sxi ]

Secure networking with GNU/Linux, LinuxDay 2005, Bergamo, Italy - 26/11/05
[ pdf sxi html recording-mp3 ]

Introduction to software development in the GNU/Linux environment (particular references to C language), Version 0.2, LinuxDay 2004, Bergamo, Italy - 27/11/04
[ pdf sxi html ]

Risks and insecurities of IT infrastructures, SatEXPO 2004, Vicenza, Italy - 30/09/04
[ pdf sxi html ]

Techniques for prevention, protection and identification of IT attacks, SatEXPO 2004, Vicenza, Italy - 30/09/04
[ pdf sxi html ]

Introduction to software development in the GNU/Linux environment (particular references to C language), MOCA 2004, Pescara, Italy - 21/05/04
[ pdf sxi html ]

Network programming with libpcap and libnet, Webb.it 2004, Padova, Italy - 06/05/04
[ pdf sxi html example-sources ]

Security analysis of routing protocols, Security Date 2004, Ancona, Italy - 29/04/04
[ pdf sxi html ]

Intrusion Detection Systems (IDS): state of art and research, HackMeeting 2004, Genova, Italy - 02/04/04
[ pdf html ]

Security of the GNU/Linux operating systems, Linuxday 2003, Bergamo, Italy - 29/11/03
[ pdf ]

Low-level network programming with libpcap and libnet, HackMeeting 2003, Torino, Italy - 20/06/03
[ pdf sxi html example-sources ]

Hakin9 Issue 7/2011 on Web App Security, HTTP Parameter Pollution Vulnerabilities in Web Applications, download Is your web application protected against HTTP Parameter Pollution? A new class of injection vulnerabilities allows attackers to compromise the logic of the application to perform client and server-side attacks. HPP can be detected and avoided. But how? This article discusses why and how applications may be vulnerable to HTTP Parameter Pollution. By analyzing different attacking scenarios, The authors of this article introduce the HPP problem. They describe PAPAS, the system for the detection of HPP flaws, and conclude by giving the different countermeasures that conscious web designers may adopt to deal with this novel class of injection vulnerabilities.
Hakin9 Issue Exploiting Software 1/2011, Smashing the Stack 1, download For decades hackers have discovered and exploited the most concealed programming bugs. But how is it possible to leverage a buffer overflow to compromise software in modern operating systems? Mariano and Marco will introduce us to the basic principles of code exploitation. We will see what happens when a process is executed or terminated, and how a buffer overflow vulnerability can be leveraged to execute malicious code.
Hakin9 Issue Exploiting Software 2/2011, Smashing the Stack 2, download Modern operating systems come with sophisticated protection mechanisms to prevent one-click exploitations. But, how can attackers bypass such techniques to compromise remote machines all over the world? And downloading PDF documents is always a safe practice? Mariano and Marco will describe the different protection mechanisms that have been introduced in modern operating system to make exploitation more difficult. They will aslo present several popular workarounds used by attacker to bypass such techniques. Finally, they will analyze a real exploit for a Acrobat Reader’s stack-based buffer overflow.

• Email. marco.balduzzi <put the at sign here> iseclab.org
• LinkedIn.
• Twitter. @embyte

Here you find a bunch of "old school" material that I have produced many years ago...

Codes

Nast Packet sniffer and LAN analyzer based on Libnet and Libpcap. It can sniff in normal or in promiscuous mode the packets on a network interface and log them. It dumps packets's header and payload in ascii or ascii-hex formats. You can apply a filter. The sniffed data can be saved in a separated file. As analyzer tool, it has many features like to build LAN hosts list, to follow a TCP-DATA stream, to find LAN internet gateways, to discover promiscuous nodes, to reset an established connection, to perform a single and multi half-open port-scan, to find link type, to catch daemon banner of LAN nodes, to control arp answers for discover possible arp-spoofs, to byte-count, to apply optional filters and to write report logs. [ homepage screenshots ]

Gspoof Tool that makes easier and accurate the building and the sending of TCP/IP packets. It works from console (command line) and it has an easy-to-use graphical interface written in GTK+ too. You can add a payload, send multiple packets specifying delay and number, enable explicit congestion notification support and much more. [ homepage screenshots ]

Vida A multi-datapipe handler, wrote in C with the ncurses library, for unix and unix-like OS. [ homepage ]

UmL Userspace logger that does not require r00t privileges. It works hijacking the libc functs, as described by halflife in "Shared Library Redirection" (Phrack 51). UmL logs read()/recv() output and intercepts open(), open64(), close(), socket(), connect(), exit(). There are many other important functions like recvfrom()/recvmsg(), fopen(), write(), etc... this code it's only a proof on concept ;-)

SS A simple stupid multi-server, very useless stuff :^) Written as training for script-kiddies, just a funny code :pP

IPGenerator An ip-listgenerator (/16 netmask) and an ip-parser for nmap -oG output.

The MCL suite: scanner, parser,translator to C-language and complier MCL language has been developed for the university project of "languages and compiler" (and the "M" stands for the initials of its developers!). MCL is a compact and syntactically clean language, for writing math expressions and procedures in simple and fast way. It supports functions, the while iteration, the if test, global and local variables, input and output, comments and other crazy features :-). The package contains a reference paper (in Italian), the parser (mcl.l) and the scanner (mcl.y), the scripts to build the translator to C-language and the compiler.

Linux VNC-4.1.1 evil client patch - BID 17978 Patch to exploit the VNC vulnerability 17978, which permits to log into the server with NULL authentication, although the password is required. Read my buqtraq post.

Papers

On the Influence of Free Software on Code Reuse in Software Development

How the virus Remote Shell Trojan (RST) works

Suggested related sites

Underground groups:

2600 The Hacker Quarterly: huge American Hacker movement.

Chaos Computer Club: famous German Hacker group that organizes periodically international meetings.

Phrack.org: a Hacker magazine by the community, for the community.

THC The Hacker's Choice: international group of experts that acts in the Information Security from 1995.

Softproject: Italian no-profit association involved in the Information Security. It publishes the BFi magazine.

Security resources:

BugTraq: full disclosure moderated mailing list for the detailed discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them.

Packet Storm: no-profit organization comprised of security professionals that offers an abundant resource of up-to-date and historical security tools, exploits, and advisories.

Security Focus: international website that offers a huge database of advisories and exploits.

Linux related resources:

Linux (the kernel!): the Linux Kernel.

Linux kernel mailing lists: many public mailing lists for linux kernel developers.