Another day, another fake page.  PandaLabs, according to networkworld.com, has announced the existence of a doppelganger Facebook page that’s designed to steal your Facebook username and passwords.

…when web users try to log-in to their account, they will be presented with an error page.  However, the information they did attempt to enter will go straight into the hands of the hackers.

Why is this a serious security issue?

Because it allows the would-be hackers to gain access to your account.  It doesn’t sound a like a lot, but getting a base number of potential victims is the first step towards a successful hack.

For example, if you’ve got 200 friends in Facebook, the hackers could spam them as well, and get them to give their FB passwords.  If each of them also have 200 friends, then a maximum of 40,000 people’s passwords have been collected.

Then, the hackers post message on their victims’ walls, directing others to a site that will automatically download a trojan into computers.  Now you’ve got  a situation where 40,000 or more people have an infected computer–which may return to hackers usernames and passwords to on-line bank accounts.

Could you earn a comfortable living from an adult web site and still sleep well at night knowing where your money is coming from?

(polls)

“Well, why not?”

For me, this blog is shaping up to be something kinda special. It’s my first registered domain name and first experience (aside of some black hat mess) in making a productive interesting web page. I recently started to put together another website… an adult web site… ultimately, it just felt wrong… it’s not for me and being a Christian, how could I feed my kids with any money from it? How could I tithe with that money? Being strapped for cash is one thing. But I can’t loose all grip on my morals…

Let’s not get so caught up in our busy money making life that we forget who put us here. I’m already a bartender, serving people alcohol every day. As for my fellow Christians out there, please pray for me. That I may continue to hold my morals and values as high as possible.

According to ZDNet UK, the Russian Business Network bribed local police.

The RBN, if you’re not familiar, is a criminal, virtual ISP.  They’re the guys who provide the infrastructure to blackhat hackers an on-line pedophiles.  Because they’re virtual (they supposedly use hacked servers to provide this infrastructure), they’ve never been caught.  And, even if someone manages to shut them down, they spring up somewhere else.

If ZDnet’s reporting is correct, now we can see why RBN was so successful in evading capture.  There’s no reason to doubt the reporting, though, seeing how it’s the Serious Organised Crime Agency (SOCA) directly experienced the results of the palm-greasing.

SOCA found that local police kept hindering their investigation.

Hm.  Maybe blackhats are born, not bred.  A whitehat-turned-blackhat hacker identified himself to Kaspersky labs.

The Kaspersky team looked into an AV (antivirus) tracker website–catering to malware writers–as well as a spy program it was spreading around.  The team was contacted by the owner of the dubious site.  He revealed his identity in his e-mail, and demanded €2,000 as renumeration…god knows for what.

Kaspersky did their research on the guy (not just relying on the e-mail) and handed the results of their investigations to its lawyer.

I’m no hacker, but it seems that rule #1 of being a blackhat should be similar to rule #1 of Fight Club: You do not talk about it.

Hacking with Gum got their hands on one of the persistence of vision display fans that Cenzic was giving away at Blackhat this year. It’s not the biggest fan-based POV display we’ve seen but it’s still a fun device to tinker with. They hacked into the EEPROM on the device in order to change the message the fan displayed.

This is very similar to the other EEPROM reading/writing we’ve seen recently. Hacking with Gum read the data off of the EEPROM and then disassembled it to discover how the message data is stored on the chip. This was made easier by noting the messages displayed when the fan is running. The first byte of data shows the number of words in the message, then each chunk of word data is preceded by one byte that represents the number of letters in that work. Data length was calculated based on the number of pixels in each display character. Once he knew the data-storage scheme, it was just a matter of formatting his own messages in the same way and overwriting the chip.

This is a great write-up if you’re looking for a primer on reverse engineering an unknown hardware system. If you had fun trying out our barcode challenges perhaps deciphering EEPROM data from a simple device should be your next quest.

[Thanks James]

Dopo alcuni mesi (Moxie Marlinspike e Dan Kaminsky, Defcon e Blackhat) si riparla di una vulnerabilità alle implementazioni SSL (API crittografiche) che, di fatto, prestano il fianco ad un attacco di tipo man in the middle nonchè a tecniche di phishing.

Perchè se ne riparla dopo poco più di due mesi? E’ proprio di questi giorni la pubblicazione di un certificato (e chiave privata) attribuito a PayPal carpita proprio grazie alla vulnerabilità descritta da Moxie Marlinspike al BlackHat USA nel luglio di quest’anno (vedi video dell’intervento al defcon 17).

Frutto di tecniche di parsing datate e usate nelle librerie crittografiche dei client che implementano e usano lo strato SSL (per cui non solo browser web ma anche client di posta, instant messaging, client irc,VPN SSL, etc) e di tool appositi (sslsniff).

In particolare, questa vulnerabilità sfrutta la struttura del certificato X.509 del certificato e le informazioni in esso contenute usandole a proprio piacimento in quel procedimento di validazione a cascata della fiducia.

La catena di fiducia tra il sito interessato e la Certification Authority (CA) funziona come descritto sotto

Root CA -> Intermediate CA -> Intermediate CA -> .. -> Intermediate CA -> esempio.com

Cosa dovrebbe avvenire:

1. verifica che il nome del nodo foglia è lo stesso del sito a cui ci si sta collegando
2. verifica che il certificato è valido, non è scaduto, revocato, etc
3. Controllo della firma (signature)
4. Se tale firma della CA appartiene alla nostra lista di una Root CA trusted il processo di conclude positivamente altrimenti si ripetono nuovamente gli step dopo aver risalito la catena di un livello.

Questo è lo scenario incriminato:

Root CA -> Intermediate CA -> Intermediate CA -> .. ->Intermediate CA -> sitomalevolo.com -> esempio.com

Purtroppo, questo scenario, nelle condizioni di vulnerabilità indicate nel paper di Marlinspike al Blackhat di Las Vegas, sembra essere del tutto lecito: le firme sono validate, i certificati non sono scaduti/revocati, il procedimento indicato di verifica si conclude con una Root CA trusted “embedded” incorporata nel browser.

Questo significa però che abbiamo costruito un certificato VALIDO per esempio.com ma che in nessun modo rappresentiamo in quanto siamo legati a sitomalevolo.com

Affinchè questo funzioni, viene sfruttata la debolezza di una codifica del CN (Common Name) Subject del PKCS #10 in cui il campo (stringa) viene “chiuso” da un particolare valore null ().

Quando viene effettuato il controllo 1), in questo scenario vengono confrontate due stringhe di lunghezza potenzialmente diversa.

Tenendo conto che la stringa si conclude con il carattere , il parsing considera solamente i primi n caratteri fino al valore null ().

Quindi se in un certificato X509 è specificato di essere www.esempio.comsitomalevolo.com le verifiche vengono effettate sulla precedente stringa (fino al campo ) e l’indirizzo a cui vogliamo collegarci (www.esempio.com).
A questo punto si hanno tutti gli elementi per effettuare un MITM che generi il certificato apposito e si interponga trasparentemente tra le parti (molte CA rilasciano dei certificati se il richiedente è l’owner specificato DOPO il valore null).

Per quanto riguarda Mozilla, i security advisor riportano di avere chiuso la falla a partire dalla versione di firefox 3.5 e 3.0.13 (vedi variante attacco su 3.0.11 vulnerabile), Thunderbird dalla 2.0.0.23, SeaMonkey dalla 1.1.18 e NSS dalla 3.12.3

Al momento sembra che le crypto API di windows siano vulnerabili.

Ci sono ripercussioni e impatti anche nel campo delle applicazioni mobile.

PayPal ha nel frattempo sospeso l’account di Moxie Marlinspike.

Raccomandazioni: massima attenzione sulle transazioni in https e scrivere manualmente il link sul browser (possibilmente firefox, aggiornato) e mai fidarsi di link specialmente contenute in messaggi di posta elettronica.

_______
Taccuino

I finally got myself to write a new post. It’s not going to be much, but I have to write something so that I can do some research . Isn’t this fun?

Anyway (or anyways if u’re an american teenager), I found this really cool place: http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html. And no, this is not spam (how could it be, it’s my own post on my own blog??) There are some pretty amazing things that can be done these days, right? What I found most interesting was the ring -3 rootkit article. My only question now is “How low can we go?”

Good Afternoon Everybody,

The all important first search engine result page (SERP) on Google and the subsequent value of SEO seem to be running

Google Logo

a lot of web marketing ideas these days. Well, I am a web marketer. I am interested in SEO, but more important to me is the value and experience for the user. Does it matter how many SERs you have per page if none of these visitors to those results will end up customers?

I have been thinking a lot about this subject lately and I have come to the conclusion that SEO efforts that write for/attempt to market to search engines is just ridiculous. It leads us as marketers to black hat tactics and ultimately to experiences that the consumer does not enjoy. By Black Hat, I mean using trickery or unethical means of beating organic SERPs. Strategies like link farms, stealing or duplicating content, creating unmanned or spam social sites. For a list of tons more black hat (bad and stupid) ideas visit Beanstalk.

It seems to me that all of the big search engines: Google, Bing and Yahoo are moving to algorithms that lend more and more credibility to user activity whether that be direct voting or off-site promotion of the content. So, you want a strategy that will get you a higher search engine result and one that will get readers more interested in you and your products. Here’s one for ya: create interesting, unique content on a consistent basis. If you do this readers will want to read and share and link to it. The bots will pick up on that activity and your new keyword strength and reward you accordingly.

Oh, and just to show that I am not the only one with this mindset. Check out this quote from Google’s Webmaster Guidelines:

-The basic common sense principle would be NOT to utilize anything that you would not implement if the search engines didn’t exist, or in short:
“Make pages for users, not for search engines.”

So go out and create great content and get users to share it for you. What are some of your most successful SEO tactics. Check out the Big 16 rules for SMO tactics on the Online Marketing Blog.

Best of luck,

Will Flavell

Søgemaskineoptimering er en vigtig ting nu til dags, for online-marketing, og det betyder at der er kamp om de bedste placeringer, på Google. Brugere bliver ved med at opdage nye kneb, og styrker derfor Deres venskab, med Google-robotten.. de fleste i hvert fald!

SEO er ikke ufarligt for dig og din hjemmeside

Deres findes ”ulovlige” metoder at bringe sig op på Google med. En af metoderne er lave usynlig tekst (baggrund og tekst har samme farve) og derved kan man få en masse ekstra ord ind i sine tekster. Et eksempel kan ses på Cats-Cats.dk.

Big Mouth Media er et firma som markedsfører sig med alt indenfor SEO og e-marketing. Google har lige taget dem i at gøre ulovlig handlinger indenfor søgemaskineoptimering. De har haft små 60×60px ”bokse” på deres hjemmeside som indeholdte over 13.000 ord. Som straf blev de smidt ud af google-indekset, i uvis tid.

Når man markedsfører sig med ulovlige metoder, så kaldes det BlackHatSEO. Det er typisk professionelle SEO-ansatte som udnytter sig af dette, da de har bedre kendskab til det. Der diskuteres meget på dette område, om det overhovedet er ulovligt, men hvis Google ikke tillader det, så må man rette sig efter det. Her kan du læse mere om BlackhatSEO.

I’ll call the moment: the cyber security field is now past its giddy buzzword peak.

Gartner is well known for preparing “hype cycle” analysis of technology sectors, as in their recent publication of the 2009 “Hype Cycle for Social Software.” That report got a lot of attention on Twitter and in blogs, naturally; social medians are nothing if not self-reflective regarding their community. I thought an interesting take was by an IBM developer, who compared the 2008 version against the new one, measuring the changes in predicted “time to maturity” for individual technologies, and thereby coming up with something like a measure of acceleration. By that measure, individual blogging and social search made the most rapid gains.

But I notice something missing on the full list of 79 Gartner hype cycle reports: there’s not one about “cyber security.”

To the left you can see their uber-cycle, the latest chart of all “Emerging Technologies.” Among the dozens of “technology, topic and industry areas” across all their charts, the closest thing to covering the “cyber” world is the Data and Application Security Hype Cycle, which lists no fewer than 21 contributing analysts but still can’t see fit to reflect the broadest reaches of internet security. Its abstract alludes to Internet security, but makes clear that its focus is on several specific (not to say narrow) technical approaches:

Enterprise boundaries continue to blur as data is shared across the Internet between partner organizations and unmanaged endpoints, increasing concerns about data leakage and manipulation. This is encouraging greater use of application layer and data layer security controls.

Now, those topics are of course related to information security and assurance, and yet they don’t approach the overall breadth of the tangled spaghetti of technical, policy, and political issues that make up the messy cyber-security realm.

This week I expected to get a snapshot of where that messy realm stands, by attending the “National Cyber Leap Year Summit” in Arlington, Virginia. It was a joint DoD-White House production, by invitation only, and sponsored by the White House’s Office of Science and Technology Policy (OSTP), and the Office of the Assistant Secretary of Defense for Networks and Information Integration (NII).

They wisely used as an organizational umbrella the Federal Networking and Information Technology Research and Development (NITRD) Program, the quiet but important organizing construct for federal R&D. NITRD describes itself as

the primary mechanism by which the Government coordinates its unclassified networking and information technology (IT) research and development (R&D) investments. Thirteen Federal agencies, including all of the large science and technology agencies, are formal members of the NITRD Program, whose combined 2007 IT R&D budgets totaled more than $3 billion.”

Member agencies include DARPA, DOE and the National Labs, NASA, NIH, NIST, EPA, NARA, AHRQ, NOAA, NSA, NSF, OSD, and the DOD Research Labs. All of those groups were represented at the Cyber Leap Year Summit this week – along with a panoply of top names from corporate and academic security work and research – you name ‘em, they were represented.

And yet I came away slightly disappointed – not with the effort by the event’s organizers, but with the outcome. The premise of the session was to provide “leap-ahead, game-changing” ideas and proposals. Some were indeed offered in sessions, kicked around, and debated, dismissed, or set aside for further exploration. There were five tracks in the conference:

Each track wound up having valuable brainstorming sessions, with some innovative ideas and approaches generated, all of which are now being captured in a wiki.  (Participants were provided with password access to the wiki; if it is opened to broader access I will update this post with a link.)

I mostly attended the Cyber Economics sessions, which had the closest relevance to government policies as far as I could tell.  Our ideas ranged from innovative ways to raise the economic costs to bad guys on the Internet, to establishing something like a “cyber NTSB,” which would mirror its Transportation Safety counterpart in collecting, analyzing, and reporting out data on cyber attacks and information-security incidents. Good ideas, but nothing game-changing on its face.

I stuck my head into the other groups from time to time as well, and listened closely at the wrap-up “mix ‘n’ match” discussions at yesterday’s final sessions, hoping to hear a breakthrough idea.  I’ll admit, I personally had none to contribute – cyber security is not my native field of expertise though I do my best. But unless I’m mistaken, no one else had a true “game-changing” breakthrough either.  Overall there was a sense of “heard it all before” quietly sitting like a ground-hugging fog in the conference rooms.

Now, that’s not necessarily dire; this is tough stuff and you can’t expect a single conference, even with the biggest brains in attendance, to produce elegantly brilliant policy and technical solutions to enormous challenges of long standing. But it indicates to me that the publicly-discussed field of cyber security is echoing certain stages on the Gartner Hype Cycle.

Down in the Valley

That cycle charts “Expectations” against a Time axis in the life of technologies or industries. Over the past couple of years, I would say that Cyber security has ramped quickly up the “Inflated Expectations” hype curve. I’d argue that it approached its “Peak of Inflated Expectations” the moment that presidential candidate Barack Obama pledged on the campaign trail that “I’ll declare our cyber-infrastructure a strategic asset and appoint a National Cyber Adviser who will report directly to me.”

How’s that promise coming along? Not well.  The inflated expectations crested the moment Melissa Hathaway published the much anticipated, now nearly forgotten, 60-Day Cyberspace Policy Review. You can see my previous pieces on the Cyber Czar debacle, read an adamant op-ed in this week’s Business Week titled “The U.S. Needs a Cybersecurity Czar Now,” or read one of DC’s keenest political observers, The Atlantic’s Marc Ambinder, who now believes that the leadership vacuum is increasing “jitters about whether the Obama administration is devoting enough bandwidth to the issue.” Marc’s piece (“On Cyber, Homeland Security Isn’t Waiting“) argues that DHS is picking up the baton in the vacuum, but many of the folks I know up at Ft. Meade scoff at that, and are quietly quietly burrowing away at the bureaucratic-politics game themselves.

There’s a lot of effort going on to secure things all right – things like bureaucratic turf, budget billions, and presidential face-time.

Per Gartner’s paradigm, cyber security as an issue is heading straight down into the “Trough of Disillusionment.”  That’s not an indictment of those working in the field. Indeed, in Gartner’s methodology, to be successful, technologies almost inevitably follow a path ”from overenthusiasm through a period of disillusionment to an eventual understanding of the technology’s relevance and role in a market or domain.”

The Slow Climb to Enlightenment

So what is to be done, down here in the valley? Well, I’d argue that technologists just ignore the politics and the Time-magazine covers and the frenzied Twitter chronicles of who’s in and who’s out.  I’ll try to avoid that stuff as well, as a prime offender (no promises), and do a fair job of tracking the technical progress of promising research.

To that end, I’ll end with a nod to a cool Microsoft Research project being unveiled this week at the SIGCOMM 2009 conference in Spain: “De-Anonymizing the Internet Using Unreliable IDs.”  Researchers Yinglian Xie, Fang Yu, and Martin Abadi have just published a great paper (available in PDF here) detailing their “Host Tracker” work aimed at malicious traffic which cannot typically be “held accountable” in today’s open, anonymous Internet of free traffic from any host.  “HostTracker tracks dynamic bindings between hosts and IP addresses by leveraging application-level data with unreliable IDs.”

As the early coverage in Technology Review  puts it, Internet anonymity can be both a blessing and a curse, because “the same technologies allow cybercriminals to hide their tracks and pass off malicious code and spam for legitimate communications.” TR goes on in their assessment:

[HostTracker represents] a way to remove the shield of anonymity from such shadowy attackers. Using a new software tool, the three computer scientists were able to identify the machines responsible for malicious activity, even when the host’s IP address changed frequently. “What we are really trying to get at is the host responsible for an attack,” said Yinglian Xie, a member of the Microsoft team. “We are not trying to track those identifiers but associate them with a particular host.”

The prototype system, dubbed HostTracker, could result in better defenses against online attacks and spam campaigns. Security firms could, for example, build a better picture of which Internet hosts should be blocked from sending traffic to their clients, and cybercriminals would have a harder time camouflaging their activities as legitimate traffic. - Technology Review

HostTracker is squarely aimed at several of the questions across the five-track sections in the Cyber Leap Year Summit, including the “Digital Provenance” and “Moving-Target Defense” areas.  If it’s successful, it could begin to chip away at the economics of cyber attacks as well – at least until the attackers’ next innovation, which will drive the cycle of good-guy research again.

Hmm – a cycle. Gartner, get to work!

Email this post to a friend

Avoid the following things which can get you in trouble with
search engines:

-Don’t use hidden text or hidden links.
-Don’t employ cloaking or lightning fast java redirects.
-Don’t load up your pages with irrelevant words.
-Don’t create multiple pages, subdomains, or domains
with substantially duplicate content.

Are you ready for some more rather advanced stuff? Hang on.

Avoid the following things which can get you in trouble with
search engines:

-Don’t use hidden text or hidden links.
-Don’t employ cloaking or lightning fast java redirects.
-Don’t load up your pages with irrelevant words.
-Don’t create multiple pages, subdomains, or domains
with substantially duplicate content.

Are you ready for some more rather advanced stuff? Hang on.

Last week and through the weekend I was in Las Vegas for this year’s annual block of hacker conferences, BlackHat USA and DEFCON.  This year was a bit different for me as my employer no longer covers conference expenses (even if you’re speaking!), so since I was there not representing a company and entirely on my own dime, I stayed with some local friends for the first half of my stay and did a lot less gambling… none actually.  My gracious hosts did a lot of ferrying me around for the first half of my stay as well to help me avoid cab fares.

One of the highlights of BlackHat was obviously the Pwnie Awards.  This industry awards ceremony, highlighting the successes and failures of the security industry of the past year, has quickly become one of my favorite parts of BlackHat.  If you’re interested, you can find this year’s nominees and winners listed over at the Pwnie Awards website.  The impromptu dinner afterward was very enjoyable as well, where I shared a meal with the likes of the lovely Shyama Rose, that beef-hunk (nsfw) Alex Sotirov, Pusscat, who needs no introduction, the code machine I call a boss, HD Moore, some d00d from Rhode Island, slow, and a slew of other interesting and intelligent people.

I didn’t make it to many parties this year, but one of the few BlackHat parties that I did make it to was the Microsoft party over at Treasure Island.  An awesome mix of people made for some good conversations, but the music indoors was horrible…  The DJ was playing all kinds of early-90’s tunes like Bel Biv Devoe, Boys II Men, etc. Outside the music was much better (house!) except that the DJ kept having to stop the music for any number of reasons, the longest of which being the Pirate show going off just outside the balcony on the waterfront between the club and the street.

Overall BlackHat was a fairly enjoyable experience.  I would have liked to have seen more of the presentations but due to an extremely late night Wednesday night culminating in my friend locking himself out of his hotel suite, soaking wet, in his boxers, I ended up sleeping late on Thursday and then attempted to get over to DEFCON early to get registered and get one of the electronic badges to play with.  You can however read my thoughts on the various presentations I did see below:

Practical Windows XP/2003 Heap Exploitation – John McDonald, Chris Valasek

This was probably the most technically interesting talk that I attended at BlackHat.  The few times I’ve had to exploit something via the heap in the past, it was always a pain-in-the-ass, inexact science involving sprays and hoping that call instruction ends up in the right place.  This talk however was about none of that.  It was about exploitation using the heap and it’s structure itself, and attempting to not leave the heap in a corrupted state (or at least a corrupted state that it was aware of).  John and Chris did an excellent job of describing the heap and it’s internal layout and structure to those of us in the audience that weren’t all that familiar with it, such as the heap free bitmap.  They also covered how the heap is managed and the various algorithms used to do so.  They then covered the existing heap security mechanisms and how those worked, such as heap cookies, safe un-linking checks, and process termination when something is noticed to be awry.  Following all of this groundwork to bring the audience up to speed they briefly touched on existing exploitation techniques such as overwriting the look-aside list, bitmap flipping attacks, and faking a populated list.  Finally they got into the meat of their presentation, the new exploitation tactics that they had developed.  These included a bitmap XOR attack and a couple of new tricks using the look-aside list, but the really interesting one was leveraging a 1 byte overflow to de-sync the heap cache and create a “shadow” free list which is used when allocation is requested for specific sizes.  This allowed the return of the same memory address every time that an allocation for these specific sizes was made, which is really, really cool.  Finally they listed some of the tools that they use when working in this space and performed a demo.  The impression I was left with was that to accomplish exploitation this way was a LOT of work, but I guess when you really, really need to exploit that vulnerability and all you have to work with is the heap, it is possible (:

Sniff Keystrokes With Lasers/Voltmeters Side Channel Attacks Using Optical Sampling of Mechanical Energy and Power Line Leakage – Andrea Barisani, Daniele Bianco

Neither of these attacks are anything new; I’ve read papers detailing both of these attacks before.  These researchers did however seem to refine the attacks a bit from what I remember reading many years ago.  This was however the funniest presentation I saw at BlackHat, with the researchers having an ongoing narrative about “The Hacker” and “The Washed-Up Porn Star” with still pictures and even a video, which was really very funny and over-dramatic.  Regarding the sniffing techniques, the first was to use an oscilloscope or voltmeter to measure the line voltage where a computer was plugged in.  When the keyboard sent character codes to the computer, the power differential for each bit of the character code would show up as a wave in the line power, and could be detected and read with fairly high accuracy.  But what if the computer isn’t plugged into line power? That’s where the second attack came in…  The second attack was using a laser microphone to listen to keystrokes by bouncing the laser off of the computer itself, such as the lid of a laptop computer.  This technique was much less exact because it was detecting audio, and you had to do some fairly boring post-analysis of the keystroke patterns to attempt to decipher what the words being typed were.  Again, nothing new here, both of these attacks have been refined and published in various journals over the years.

Analyzing Security Research in the Media – Panel

This was an interesting panel discussion seating a number of Information Security Journalists who mostly answered questions from the moderator.  I believe they were going to take some questions from the audience toward the end, but I had to duck out early to prepare for my own presentation that was coming up in the next time slot.  The questions that I heard asked and their summarized responses were:

1. What makes a threat newsworthy?

The panel mostly agreed on the answer to this one, which was a combination of widespread impact, whether or not it involved a new or exciting product, the amount of damage it could do or how quickly it could spread.  They also indicated that many times they relied on the experts in whichever field was applicable to help identify the big stories.

2. How does someone bring a story to a journalist and do you have any advice to give for doing so?

One panelist said to know your reporter and build a rapport.  Most of the panel seemed to agree that this was all about building relationships with reporters so that they come to know you and trust the information you bring them.

3. The Panel was asked about their thoughts on the relationship between Security Journalists and the Mainstream Media.

It’s fairly obvious that the mainstream media tends to sensationalize, and most Panelists noted this fact.  They also indicated that the mainstream media tends to take a more passive posture regarding security journalists where they follow the stories and may pick up an interesting one now and then but they don’t really proactively engage with the security journalists.  One Panelist indicated that many security journalists will drop a story when the mainstream media picks it up because that usually indicates that the story is over or played-out.

4. The Panel was asked if they have any advice for bloggers and journalists on maintaining accuracy in technical details.

One Panelist indicated that there should always be some form of journalistic process involving fact checking, source checking, a sanity check from another blogger/journalist, etc. however another Panelist said that it really depends on the type of blogger or journalist, and the different types have different requirements.  Expert individuals blogging about their field of expertise may not necessarily require the same types of self-scrutiny that faux-journalists require, and ranting bloggers aren’t held to the same standards because they’re not trying to be a reputable source of information.  One Panelist also mentioned trying to avoid bias via agenda if you’re trying to be a real journalist, however certain bias if it promotes good behaviors in the reader such as encouraging additional personal research can be a good thing.

5. The Panel was asked about their thoughts on the overall journalism industry’s current struggles and perceived diminishing quality.

Most of the panel agreed that the way of physical print journalism was definitely dying, because the primary revenue stream that kept them in business, advertisement sales, just wasn’t there anymore. One Panelist noted that the current trend was to produce short, quick stories rather than longer more in-depth pieces.  Many indicated that digital journalism was the future, and much of that would be seeded by sources such as blogs.

Metasploit Framework Telephony – I)ruid

Donning my black hat for a while, I presented a turbo-talk about the new telephony library that I’ve added to Metasploit.  I discussed exploiting systems with Metasploit over dial-up and the new Metasploit Wardialer, both of which use the new telephony library.  Overall I felt my talk went really well, although I did rush through it a bit and ended at 15 minutes instead of my target 20.

The Cloud Isn’t Safe?! (Or Did Black Hat Just Scare Us?): ”

At last week’s Black Hat USA conference in Las Vegas, a number of security researchers demonstrated new ways of attacking cloud computing services. One of the more notable presentations, ‘Clobbering the Cloud,’ looked at the vulnerabilities in Amazon’s cloud infrastructure, Apple’s MobileMe service, and Salesforce.com’s cloud platform. Another demonstration showed how both Microsoft and Amazon used insecure methods for password retrieval. And still another presentation examined how the supposedly secure protocol SSL could be defeated.

But hacks alone aren’t the only dangers to be found when moving to the cloud, as the Black Hat presentations quickly made clear. In reviewing the dangers brought up by the researchers, it was enough to make anyone wonder: is cloud computing putting us and our data at risk?

Sponsor

Cloud Danger #1: All Yours Eggs in One Basket

In Sensepost’s presentation about cloud vulnerabilities (available here as PowerPoint download), they make note of the fact that moving your data to a cloud service is the equivalent of ‘putting all your eggs in one basket.’ Not too long ago, we saw a perfect example of the worst-case-scenario of doing just this. Earlier this year, social bookmarking site Ma.gnolia experienced a server crash that resulted in massive data loss – enough to shut down the service for good. Users’ bookmarks were unrecoverable. Permanently.

While that incident may have had only a minimal impact on the world at large, Sensepost pointed out a few other examples that were much worse including that of online storage service MediaMax (also called The Linkup) which went out of business following a system administration error that deleted active customer data. Then there was the incident where Salesforce.com customers were locked out of their critical business applications during a service outage. And finally, they mentioned Nokia’s Ovi crash which resulted in three weeks of lost user data as contacts simply disappeared from people’s phones. There were no backups in place, either.

These incidents highlight some of the pitfalls that can come from trusting in cloud services and it’s precisely for those reasons that enterprise I.T. is making the move at a much slower rate than consumers. This is especially true in heavily regulated industries where compliance is an issue. Sensepost’s presentation quotes Tim Mather, RSA Security Strategist, on this point: ‘If it’s non-regulated data, go ahead and explore. If it is regulated, hold on. I have not run across anyone comfortable putting sensitive/regulated data in the cloud.’

Cloud Danger #2: Too Much Trust?

In another part of the Sensepost presentation, they looked specifically at vulnerabilities of Amazon’s Web Services. To start off, they detailed the process involved in setting up a new instance on Amazon’s Elastic Compute Cloud (EC2). The first step is to create a new Amazon Machine Image (AMI) containing your applications, libraries, data, and other associated configuration settings. However, as an alternative, you could use a pre-configured templated image to get up and running quickly.

There’s only one problem with that, though. While Amazon has provided 47 machine images they built themselves, the remaining 2721 images were build by other EC2 users. Can you really believe that all these images were built securely? Basically, the template directory is just a big archive of user-generated content. And you know what user-gen content is like…risky.

Sensepost asks: Do people really just run machines other people create? Apparently, the answer is yes.

The rest of the presentation went on to demonstrate a hack that allowed them to steal others’ machine time by setting up images that included ‘back doors’ in them and tricking other EC2 customers into using those compromised images as their EC2 template.

Cloud Danger #3: Reliance on Passwords

Another issue with cloud computing services is that, despite the numerous protections built into a cloud service itself, any account is only as secure as the password used to access it. A recent example of the consequences of insecure passwords was seen during what has now become known as ‘Twittergate.’ The microblogging service Twitter had their online accounts accessed by a hacker and numerous sensitive corporate documents stolen. The documents were housed in Google’s online web office service Google Docs. Although Google was not to blame for the break-in, the hack may not have ever occurred in the first place if documents were securely hosted on-site, behind a firewall. Instead, the entire company data was only one password crack away from discovery.

Password cracking is not the only threat from what is seemingly becoming a more and more archaic system for logging into to online services. Weak password recovery systems are an issue, too. In a separate presentation at Black Hat, both Amazon and Microsoft’s Online Services came under fire for having poor password recovery systems. That’s something that should come as no surprise, Andy Cordial, Origin Storage’s managing director, was quoted as saying:

‘Password resetting and other security mechanisms in the cloud are always going to be a weak link, as long as user-friendliness comes ahead of security in the cloud computing beauty stakes. Expecting regular joes to whip out a two-factor authentication device for use with a cloud-driven service just isn’t realistic. It’s not going to happen.’

But without more secure methods of gaining access to cloud services, it’s users themselves who are the weakest link. Of course, this issue is not new. I.T. administrators have struggled with users’ lack of good security practices for years on end. Ever since computers required a password, in fact. However, the difference between a corporate network and an online account is the fact that within a business environment, administrators can create server-enforced password policies that require users to make up passwords with certain minimum levels of complexity involved. They can also force users to reset their passwords on a regular basis. But in the cloud, a user could set their password to ‘fluffy’ and never change it again.

Some cloud vendors are beginning to offer security policy control for their applications which would allow an I.T. admin to create and enforce stricter policies (like a secure password policy, for instance). Today, though, this is an area where many cloud applications are still lacking.

Cloud Danger #4: Encrypting Data in the Cloud

Alex Stamos, an iSec Partners researcher present at BlackHat brought up the issue of data encryption. He noted that many cloud providers do not offer encryption for their service. In a presentation done along with Andrew Becherer and Nathan Wilcox, they discussed a little-known flaw in virtual computing – virtual machines don’t always have enough access to the random numbers needed to properly encrypt data. The details of this issue are highly technical, but fascinating, and the end result is that very nature of virtual computing itself makes hacking simpler because it allows attackers to more easily guess at the numbers used to generate the encryption keys.

Stamos admits that this problem isn’t an immediate threat to cloud computing, but is something that requires more research. ‘It’s certainly not a slam dunk,’ he says. ‘But we do think that you could potentially reduce the complexity enough that the encryption can be broken by a determined hacker.’

Side note: Information Week has a good podcast interview with Stamos about this subject, too.

So, Is the Cloud Safe?

Considering the above issues, you may find yourself thinking twice about your reliance on cloud services. And if you listen to security analysts like John Pescatore of Gartner, you may be even more afraid. He was recently quoted in the Financial Times as saying:

‘The security of these cloud-based infrastructure services is like Windows in 1999. It’s being widely used and nothing tremendously bad has happened yet. But it’s just in early stages of getting exposed to the internet, and you know bad things are coming.’

Yikes, right?

But is the cloud really all that bad? Is it any worse of a platform for computing than what we had before? In reality, probably not. Although the cloud will provide a new set of challenges and threats to to deal with – and these will be more prevalent in the early stages of the transition – it doesn’t necessarily present threats that are that dramatically worse than old-school, on-site computing.

In the end, some cloud vendors will step up and make their cloud applications more secure, layering in security policies, encryption, and the like while doing their best to mitigate the single-point-of-failure issues. Those vendors will eventually be rewarded for their efforts as more users, and then businesses, adopt their platform. Those that ignore the security issues will soon fall out of favor.

Today’s cloud services may not be as secure as they should be, but in time, they could easily rival any other computing platform…in fact, they may one day be considered more secure. Until then, though, users, and especially companies, should proceed with caution when moving to the cloud, making sure they’re fully aware of not only the capabilities of the online service, but the risks as well.

Discuss

“

(Via ReadWriteWeb.)

Well, I’m back from Virginia! Being an RA with the Summer Governor’s School was an awesome experience, but I’m glad to be back in the realm of bytes and badges all the same!

With the hiatus over, I’ll certainly be posting again soon. There’s certainly a lot of interesting material that came out of Black Hat and DefCon this year, and I’ve got several good leads from my friend Matt over at The Art of Nerd which I plan to look-into further. You’ll also be hearing more as my classes begin at Johns Hopkins, and as I get more involved with the information security work there.

It’s going to be a crazy month. As far as I can tell, I’ll be driving through ten states (plus DC), moving out of Kentucky and into Baltimore, picking classes, finishing registration, helping other folks move, roadtripping it a bit with my brother…it’s gonna be nuts. I’ll do my best to stay current here, but expect things to pick up once I’m back in the infosec sphere.

As always, feel free to contact me if you see something worth investigating: bytesandbadges [AT] GMail. I’m always curious.

- DIO

Les claviers Apple sont dotés d’une mémoire vive de 256 octets et d’une mémoire morte de 8 kilo-octets.

Après son installation, il reste 1 kilo-octet de mémoire morte, suffisant pour y intégrer un Keylogger.

K. Chen en a fait la démonstration au BlackHat :

Introduction Firmware Update Analysis Exploitation

Reversing and exploiting an Apple firmware update

White Black and Blue Hat SEO is similar to the good, the bad and the ugly when it comes to ethical website optimisation.

There are several ways one can try and cheat or live on the edge.

Let me cover a bit of the basic differences here:

White Hat SEO – this is the main stream of SEO out there.  The accepted ‘norm’ of what is allowed and what is not.  White Hat SEO is also Safe, and you will never get penalized or banned for it.

Black Hat SEO – this is the complete opposite.  Things like stuffing keywords in your title, or hiding text or making it so small no one can read it anyway is all part of Black Hat.  The techniques here may actually get you rankings, but the sustainability, especially on Google is almost 0.   A day or two at most, and thats if you lucky.  And of course, your website and perhaps even your IP (Internet Portal Address) will be banned.

Blue Hat SEO – this is a relatively new concept, and is basically somewhere in between white and black hat.  These wizzards are the ones that take risks and test the boundaries to see what they can do.

I feel an example of Blue Hat may be using Javascript to hide a piece of keyword rich text or links.  The Javascript hides it from viewers, but seen Google claims to be able to read javascript now, picks it up and credits you for it.

Or is this bordering on Black Hat?

Only time will tell…

Day 2 kicked off with the great recovery breakfast from Securosis (thanks Rich) and Threatpost. I skipped the keynote today as the theme, although interesting, really didn’t sound like it would be worth missing the conversation at breakfast for. Seems like I was right, as at least 1 person fell asleep mid-keynote it seems. Maybe it was a late night

[Mobile] Attacking SMS

RingZero –> https://luis.ringzero.net

These guys didn’t mess around. No fluff here. The first part of the presentation was a quick demo using 2 iPhones to complete the spoofed SMS message.

Using an iPhone application to send an MMS message from a forged number (using AT&T’s 611 number as the source).

All research was completed on GSM networks. Nothing yet on the UMTS side.

SMS in these terms is a catch-all term used for SMS, MMS and other associated messaging technologies. SMS is a store and forward technology. When communicating SMS messages between carriers, the carrier often converts the message into an email to be transferred to the remote carrier and then returned to SMS format to be delivered once the recipient is back within signal coverage. MMS is much more involved.

Functionality is becoming ever more feature rich

• Ringtones
• Videos
• Pictures
• …..

Mobile phones are a unique attack surface  as they’re always on. Turning the phone off only delays the delivery of the attack in this case (due to store and forward). It’s become much easier for attackers due to new platforms such as iphone/Android.

Protocol comparison

HTTP –> MMS
TCP –> SMS
IP –> SMS

SMS UDH allows new functionality to be added to standard SMS (content information, splitting messages over multiple texts, ….)

GSM modems support AT commands (AT+CMGS, AT+CMGW, etc….) Some phones expose their serial interface when you connect to them via bluetooth. some modems don’t support all AT commands.

PDUSpy http://www-nobbi-com/pduspy.htm  –> for encoding things into a format that can be used in AT commands

Incoming messages can be read from the SIM (prior to any modifications that the phone may make) by using a SIM card reader and a modified version of pySimReader.

Implementation flaws discovered during testing .:

• Android flaw in parsing UDH for concatenated messages
  • Impact: Crashed service
• SwirlyMMS (Jailbroken iPhone) from field denial of service
  • Turns off CommCenter process indefinitely
  • Need to reset the SIM in another phone before service is restored
• Windows Mobile WAP push SL “Vulnerability”
  • Executes binary without notifying the user
  • Not a Microsoft issue !
  • Configuration error causes the vulnerability (registry key setting)

Carriers use SMS as a management tool for phones on their network. This opens the door for Architecture Attacks.

• Voicemail notifications
• Change settings (proxy settings, etc…)

Able to bypass all security features of the carrier by hosting the content on the attackers server. By sending a notification it’s possible to force the phone to connect back to the attackers server over HTTP. By examining the HTTP headers in the request (User-Agent, …) it’s possible to enumerate/force specific attacks on the target phone.

TAFT (There’s an Attack For That) –> Available on Cydia on 8/15 (earlier if you email and ask)
http://twitter.com/taftapp
taftapp@gmail.com

Jailbroken iPhone app (not submitted to the iPhone store)

Covers a number of the flaws mentioned in this presentation. The iphone application sends the content to an attacker owned system. The system then returns an MMS link which is sent to the carrier to be delivered to the target (bypassing all filters as it’s a notification and not a new message).

IPhone is a good platform to run attacks against as the subject line of MMS messages are hidden from the user (they look exactly like an SMS to the user).

These issues are at the carrier and not on the phones. Carriers are currently attempting to fix, however it should still work. Carriers are however monitoring for this kind of attack while they work on a fix.

Attacking SMS in the future will become easier due to the increase in GSM capable hardware.

[Random] Mo’ Money, Mo’ Problems

Legal disclaimer… They did read it, honestly

69% of companies were told that their company had been hacked by a third party. This means that making money the blackhat way is easier than it should be. Companies aren’t detecting the attacks as quickly as they should. However you don’t want to be the one who does get caught.

Fully targeted attacks and where the clever and profit driven ($$$) attacks exist.

Holiday grinch-bot — Some contestants used scripts to buy items and win the contest. As this purchases were automated other users began listing their items in eBay and fooled the bots into buying their items as well.

Hacking email accounts… “Is Dan Kaminsky here ?”

Review of the Strongwebmail contest ($10,000 to hack into the strongmail webmail). By finding a XSS vulnerability in the the Rackspace Webmail software and emailing support@strongwebmail.com and the CEO saying they won the contest. This prompted the CEO to open the email and then trigger the XSS vulnerability.

Hacker Croll’s attack on twitter by using the reset password. Due to the secondary email account registered on Twitter being deactivated (hotmail) he could re-register the account and get the password emailed to him.

Using Affiliate links be forcing cookies to be set when a user views your page (no click required). By using referrer addresses you can set cookies based on where the user has been forwarded from (i.e. where the iframe was loaded). This can bypass the protections of affiliate link sites. The attack required 2 websites (both unconnected) that force iframes to be opened based on referrer links.

Poisoning Google Maps — Add your own business to Google Maps. Add 1,000 new businesses (with a similar name) around your competitors address to make it harder to find them.

Money laundering through iTunes store – Market your own music through a 3rd party company to iTunes, then use stolen credit cards to purchase their songs and profit. In this case (UK based) they bought over $825,000 in songs, however were caught as they didn’t try to hide their tracks.

Playing with permit systems –> Brasilian timber permit site was hacked and allows $833,000,000 worth of timber to be stolen. In the US, 70 FAA websites were tested and 763 high-risk vulnerabilities were discovered. These exposed systems such as air traffic control.

Vulnerable systems are not hard to find. Learning the skills to exploit them is also not hard. The problem begins when you need to think of what to do with the money.

[Hardware] “Smart” Parking Meter Implementations, Globalism, and You

This talk… protected by the EFF

These systems are taken for granted. Located all-over the world, and basically miniature computers. The industry is so large that it’s become a target. $28 billion annual industry.

Attacks have series implications

• Fiscal
• Legal
• Social

Case study is San Francisco Municipal Transport Agency (MTA) however these attacks effect systems far beyond this.

New systems are pure electronic smart systems. Infrastructure allows for separation of duty. viewing logs, maintenance, payment retrieval. This was designed to prevent fraud being committed by employees.

Administrator interfaces can be visible, or embedded. RFID hidden within the coin slot. As well as standard interfaces like Wireless (RF, GPRS), Serial (sometimes through things like the key slot), Infrared.

Previous research

• New York City reset through infrared (universal remote), 2001 http://tinyurl.com/mae3g8
• San Diego stored value card by H1kari, 2004 http://www.uninformed.org/?v=1&a=6&t=txt
• Chicago multi-space failures, June 2009 http://tinyurl.com/nt7g19 / http://theexpiredmeter.com/?p=3081

Can you tazer a meter and get it to reset ?

General Process of research

• Attack postulation
  • Covert Channels/message passing via LCD
  • Denial of Service
    • Set meter to “Out of Order”
    • Destruction of smartcard or coin processing circuits
    • Cause legitimate user to be added to fraud blocklist (if used)
  • Immediate deduction of credit
  • Audit log retrieval/modification
  • Change date/time
    • everyday is Sunday !!
  • Unlimited payment via smartcard
• Information gathering
  • Social Engineering
  • Crawling the internet
  • Dumpster Diving
  • Acquire target hardware
• Hardware analysis
  • Disassemble hardware
  • Identify components
  • Typically different models (even between manufacturers) aew based on the same components
  • …
• Firmware Analysis (optional – based on attack)
  • Extract programcode
  • Quick runthrough with strings
  • Disassembly and Reverse engineering
  • Clues to possible entry points
• Smartcard Analysis
  • Monitor communications
  • Decode communications
  • Protocol analysis
  • Interact with the reader

The attack on San Francisco system was made possible as the MacKay model (Guardian) in use was based on a previous revision the was available to be purchased and reversed. This goes to prove that you can find vulnerabilities by looking at older versions of the same device.

$35 Million pilot program to replace 23,000 mechanical meters in 2003. These systems are MacKay Guardian XLE models.

Payments are through stored value smart cards ($20 or $50). It is easy to replay communications to obtain unlimited parking –> Found using an oscilloscope capture of the smartcard transaction –> Succeeded in 3 days

ISO7816 compliant cards. Newer cards are using a microprocessor based solution that hinted at undocumented features, possibly for maintenance or administration.

Multiple captures were made (different serial numbers, different values). Once the data was captured it could be broken using a pen and paper.

CTC1 is the only value changed on the card. Based on the value of the card a set number of uses (CTC1 counter) are possible. It was also possible to set the card value to $999.99 by changing the value on the card (not unlimited, but close).  The final phase of the attack was writing the code to a PIC Silver Card to make it easy and almost undetectable (just add a sticker on the card to make it look 100% authentic).

Code will be released – however un-weaponized to prevent exploitation. Code currently available on http://www.grandideastudio.com/portfolio/smart-parking-meters

[Virtualization] Cloudburst: Hacking 3D and exploiting vmware

Several other CVE’s exist when it comes to VM attacks and vulnerabilities.

Security researchers rely too much on Virtual Machines to conduct security related work. It’s not beyond the realm of possibility that an attacker could write an exploit for Adobe that also breaks out of a VM.

Why attack the VM devices ?

• Doesn’t require low-low mojo
• Common to ALL Vmware products
• They “run” on the host (vmware-vmx-process)
• They can be accessed from the guest (Through port I/O or memory-mapped I/O)
• They are written in C/C++
• Sometimes parse complex data

Around 10 Virtual devices are installed by Vmware (8 on vmware player as it doesn’t support USB/Audio devices). VMware SVGA II was the one selected to be most likely to yield results.

Combination of 3/4 bugs in the Vmware emulated video device make the exploitation possible.

• Host memory leak into the Guest
• Host arbitrary memory write from the guest
  • Relative
  • Absolute
• Some additional DEP friendly goodness

Vmware products effected: Workstation, Fusion (?), ESX Server 4.0 (RC2 Hardfreeze). The issues were silently patched on 31/02/2009. Cloudburst was released to CANVAS early updates 04/04/2009.

Lots of detailed information on the SVGA FIFO and how it interacts between the guest and the host.

During 2D rendering FIFO commands are used to mark changed regions in the frame buffer.

During 3D rendering FIFO commands are used as a transport layer for the architecture independent SVGA3D rendering protocol. This is much more complex than the 2D rendering.

Many SET commands within the 3D rendering appear to be flawed. There is no bounds checking, meaning that you can put minus numbers into the SET commands to overwrite arbitrary locations. Without knowing the value of ESI it’s not possible to target this (without using the memory leak flaw within the 2D rendering).

Requires Admin rights on the VM (guest) in order to use the information stored in the framebuffer in the desired way (i.e. to add a driver to the system to permit reading of this memory).

ASLR is defeated as all the memory addresses required are leaked by the host into the guest using the framebuffer as a transport mechanism. Bypassing NX is however another issue.

MOSDEF (built into CANVAS) was used as the final exploit. In order to tunnel the shell it needed to be tunnelled over the framebuffer (MOSDEF over BMP). By scanning the video card memory for a signature it was possible to extract and parse the data.

Final thoughts

• VMware isn’t an additional security layer
• Silent patching in 2009 is ridiculous
• Given memory bug primitives everything can be defeated
• If a feature isn’t used in an area of your product, or is disabled, it shouldn’t be loaded regardless

[Mobile] Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone

Iphone 2.x architecture

Security Architecture Overview

• Reduced attack surface
• Stripped down OS
• Code signing
• Randomization (or lack thereof)
• Sandboxing
• Memory protections

Due to the memory protections it’s not possible to do something like placing shellcode into the HEAP and then executing it. Uploading applications and running them is not possible due to the issue of signing all applications before they can be run.

Iphone version 2.x made things harder to exploit. Version 3.0 is even tougher than version 2.x

Beep and vibrate (second ever iPhone payload) –> demonstrated on an iPhone 2.2.1 setup for development, however would also work on a stock iPhone 3.0
Ability to set the Rx registers using a return to libC style attack –> demonstrated on an iPhone 2.2.1 setup for development
Tricking the iPhone to run unsigned code by patching the shared library on the fly –> demonstrated on an iPhone 2.2.1 setup for development

In order to run code it’s only possible to map the injected library ontop of an existing library.

Harder to run Meterpreter on iPhone than on Mac OSX due to the restrictions.

Now that you can insert directly and run it on the remote device it’s possible to interact with things like GPS, listening device, and anything else on the phone using C/C++.

Macterpreter — Porting from Mac OSX to iPhone is almost just a recompile. Some limitations exist (monolithic, runs in own process, can’t exec other processes). Shellcode for the iPhone was setup using the same exploit as used above.

Final demo of Macterpreter –> iPhone 2.2.1 (not jailbroken/development). Setup for exploitation using a vulnerable program

Within the macterpreter it’s possible to send SMS, make phonecalls, or make the phone vibrate. It’s also possible to pivot through the session.

(iPhone3)

Due to the release of firmware 3.0 between the talk being submitted and presented there were a few new things to consider.

Version 3.0 prevents meterpreter running on factory phones currently. However currently it’s possible to get the code running on developer versions of the phone or jailbroken phones. “They patched our bug, those bastards!” get-task-allow has been set to false which prevents this method of exploitation.

Differences between 2.x and 3.x

• XN is not really enforced
• get-task-allow can’t “act like a debugger”
• ptrace() plays a key role

Currently the exploit code when executed on a 3.0 phone is killed as soon as it’s run. A new trick is needed. Still no ASLR, so return to libC style attacks are steal possible.

———————-
Well that’s it for Blackhat, hope you’re liking the write-ups. If so leave a comment and let me know.
It’s been great so far. Next stop Defcon (and some parties)

You can follow us on Twitter under getFYRM. We’ll be tweeting updates this weekend for the happy hour tonight (see below) and for the netbook winners.

The RSVP deadline for the happy hour tonight has passed. See Tony or Matt if you still want in. Also catch them for swag and a chance to win one of two Asus netbooks.

[Introduction] Opening with Jeff Moss

More people are present at Blackhat from the US this year due to the strong dollar. Shortlist of countries that only sent 1 person to the conference. Russia only sent 1 person this year. Blackhat Europe will be in Barcelona next year and is officially a 3 track event.

[Keynote] Douglas Merrill

The way work has changed in the last 10-15 years.

CEO’s are terrified of CSO’s. Most CEO’s think that their company has been the victim of a security breach. However this can’t be the case, as the total number of breaches  doesn’t support this. 1 in 3 CEO’s sign off on the security budget without knowing what it’s for.

16% of breaches tracked by privacywatch in 2009 (so far) were from lost/stolen laptops. 10% were from lost or incorrectly disposed of paperwork. However we rarely say that the company should buy more shredders. More focus should be made on the realistic threats to an organisation.

Lots of effort goes into preventing employees from using applications such as IM. However 50% of employees use personal IM accounts for work activities. Employees want to use the latest technology not to bypass security, but to improve their effectiveness in the workplace. Make it easy for the users to do the right thing and really hard to do the wrong thing. Constantly blocking the user just means that they spend valuable time trying to bypass the rules to get their job done they way the want/need to.

As an example, Google removed a number of controls to allow their staff to be able to to innovate. This can cause issues when it comes to things like end-point security. To prevent this from being an issue the security moved to the infrastructure with monitoring in specific locations.

[Testing/Exploitation] Ruby for penetration testers

Scripting/reversing/fuzzing and integrating Ruby with your existing toolset

(Scripting)

Lots of great security tools are written in Ruby (eg. Metasploit, IdaRub, Ronin) however there should be more.

Use and extend whats already available to you. Don’t reinvent the wheel – Take tools and techniques that work and make them better.

WWMD – A Ruby framework for penetration testing

Includes a number of classes to easily write scripts to interface with web-applications being tested. Classes such as the fuzz module allow for fuzzing inputs for possible XSS vulnerabilities. Modules are also available to test viewstate ASP based applications. By turning the viewstate into a XML format it’s possible to preform fuzzing.

JRMI (Java Remote Method Invocation). There aren’t many tools that can test JRMI based applications. Nessus can do limited enumeration, but that’s about it. JRMI in ruby allows interaction with the Java listener and the ability to pull out valuable information (passwords, configuration, etc…)

(Reversing)

Ruby Black Bag (RBKB) – A Ruby port of Matasano’s Blackbag tool (originally developed in C)

This allows Ruby to be used to reverse unkown protocols and inject traffic into these connections. Black Bag also allows you to extract data from embedded files

Ruckus – A DOM-Inspired Ruby Smart Fuzzer

Ruckus allows you to define the structure of a packet and use this as the basis for testing. It can also be used to define file structures.

FRASM – Static analysis using a Ruby wrapped disassembler.

Ragweed – Dynamic analysis inspired by PyDbg.

JDI-HIT Tracing – Dynamic Java analysis

(Fuzzing)

Unfortunately due to time constraints the presentation had to draw to a close before really covering anything useful in this section. Hopefully I’ll have a chance to review the slides.

[Testing/Exploitation] Demystifying fuzzers

Writer of the Peach fuzzing platform.

Dumb Fuzzers – Using techniques such as DWORD sliding or bit flipping. Now so popular that data is very often accompanied with a CRC value to prevent the use of dumb fuzzing attacks.

Smart Fuzzers – More knowledge of the target required to ensure that things like CRC are fixed when fuzzing. In order to test more than the first few packets of a communication, the fuzzer has to know how to progress to the point in the communication you want to fuzz. This could mean performing authentication or loading a valid file into a player before being able to fuzz specific commands.

Why are we fuzzing ?

• Fuzzing is about finding bugs
• Fuzzing is repeatable
• Fuzzing should be easy on the wallet (low cost per bug)

Fuzzing alone is not enough, however it is a great addition to any secure development lifecycle.

Bugs that cause crashes or violations .:

• Memory corruption issues
• Overflows
• Type issues

DoS types discovered .:

• Memory consumption
• Process hangs

Fuzzer types (File, Network, General, Custom)

Lots of fuzzers to choose from. More appear every year, most have a short lifespan as they’re written to discover a specific bug and enable a conference talk on the subject/bug.

Of all the fuzzers available, only a handful are still in active development (fuzzware and Peach are good examples). Custom one-off fuzzers rarely go beyond the 0.1 revision and often aren’t updated after the conference talks are completed.

Commercial Fuzzers

• Mu Dynamics (Network Only, hardware based fuzzing device)
• beSTROM (General Fuzzer, Software based)
• Codenomicon (General Fuzzer, but not a fuzzer. Test-case based)

Difference between offensive and defensive fuzzing

Attackers need to find 1 bug to make their name.
Corporates need to find ALL the bugs to maintain security.

Fuzzer development process

• Investigate
  • Determine what needs to be fuzzed
  • Mapping fuzzer capability to needs
  • Old code (tested less than new code)
  • Complex parsers
  • Exposed attack surface
  • Security boundary crossing

• Modeling (most of the time is spent here
  • Model Data of our system
    • Data Types
    • Relationships (size,count,offset)
  • Model State of our system
    • Send, Receive, Call

• Validate (critical)
  • Verify model matches reality

• Monitor
  • Sending data is just the beginning
  • Fault detection
  • Data collection
  • Complex setup support

Basic monitoring should include debugger and network capture at the very least. Advanced monitoring should be extensible and have VM support (to revert after a crash).

It’s important for the fuzzer to not stop at the first bug found. Complex setups are required to ensure that when a fault is found it’s logged and then the fuzzing continues to see what other flaws are present.

Parallel running of tests is important when you start to look at large test-cases. By using 10 parallel tests at once you can drop the time required for a test significantly. Possibility of using something like Amazon’s cloud computing services to speed up the process (possibly at the expense of costs).

• Crash Analysis
  • Bucketing of duplicate crashes
  • Analysis of exportability
    • Microsoft’s !exploitable for WinDbg (supported in Peach)

Many freeware fuzzers use the Windows System debugger instead of the WinDbg direct COM objects. This limits their effectiveness.

Put some thought into the choice of what fuzzer to implement. Not only how modern and updated it is. Also check if it has a community around it, support (bugs, assistance), good documentation, training (taking it to the next level, get staff going fast).

Nice metrics on the adoptability risks of specific fuzzers. Lots of considerations to look at. What would happen if the sole developer of the fuzzer dies or gives up the project ? Commercial fuzzers are better for adoption, but lacking in other areas. Costs are spread. Open source costs less (free ?) but it takes longer to train staff and implement.

[Testing/Exploitation] Our favourite XSS filters/IDS and how to attack them

Slides available at http://p42.us/favxss

Both speakers are very active on the sla.ckers.org website discussing XSS attacks and filter bypasses.

New website should be up soon at tra.ckers.org –> discussing and tracking XSS attack vectors

Presentation covers mod_security and PHP-IDS on the server-side and IE8 / noscript on the client-side.

HTML Tricks such as “object data”, “isindex”, XHTML namespaces such as <x:script>

JavaScript Tricks “location=name”, setter, usage of non-alphanumeric characters, VBscript in event handlers

Using Firefox’s getter/setter allows you to bypass the requirement for parenthesis. This function has been marked as deprecated for around 3 years, but still functions in the latest FF versions.

There are a lot of examples here. Far to many for me to note. I’d suggest grabbing a copy of the slides and giving them a quick run against your favourite opensource applications in a testbed of course…

HTML5’s support of seamless frames could allow for pure CSS-based XSS attacks.

Unicode and XSS –

0xxx xxxx -> ASCII
1xxx xxxx -> Unicode

PHP’s Unicode function (c) attempts to fit 21bits into a 16bit variable. This causes and overflow and drops some of the input. This can be used to avoid some filters.

(Mod_Security)

Has issues when dealing with encoding types (filters are mostly ineffective)

Uses 2 stages of filtering. The first examines for specific keywords, if it fires, this is sent to the second stage which uses a regex to confirm the finding.

Good as a testbed for practicing XSS bypasses

(PHP-IDS)

http://php-ids.org

Very aggressive, blacklist based filter.

• Attempts to detect all attacks (not just common attacks)
• Easily catches all basic injections

The project homepage allows you to submit bypasses and have the ruleset tweaked to improve detection.

Detection is based on regex. Has in total around 68 filters targeting XSS and other attack vectors.

(IE8 XSS Filter)

Can be disabled from the server-side by injecting X-XSS-Protection header.

Various methods of bypass are possible including injection of new line chars, as well as alltering the use of things like document.cookie to document.['cookie'].

IE 8 filer doesn’t detect attacks against systems in the intranet zone ?

(NoScript)

Security over usability. Is NOT an XSS filter.

It is possible to bypass like any other filter. It’s also possible to DoS the NoScript process to sneak other javascript past the filter.

(IDS)

Simply bypass due to blacklist based solutions.

Using OR 2=2′– instead of OR 1=1′–

Very easy bypass methods that work on some of the more basic IDS systems.

Don’t trust your IDS – It can and will be bypassed

[Testing/Exploitation] Exploiting rich content

Adobe Flash is by far the mostly widely spread technology found during reviews.

Millwards Brown Survey claims that 99% of systems have Above Flash installed. A vulnerability in Flash has the ability to infect machines of all platforms.

FLEX and AIR are additions to the format.

ActionScript acquired by Adobe in 2005 during the buyout of Macromedia. Based on EMCAScript, so very similar to Javascript. ActionScript 2.0 supported by all popular flash players.

Testing Methodology

• Manual Testing
• Reverse Engineering
• Fault Injection

FlashFire (Fault Injection for Reverse Engineers)

• Gather Input
• Survey Input
• Mutate Input
• Process Instrumentation (breakpoint instructions to be monitored)
• Process Monitoring

Testing Flash using Flashfire

• 3 million injections in 36 hours of testing
• 23 unique vulnerabilities discovered

Using Read Beyond Bounds vulnerabilities to exploit systems. By using various sizes of stage it’s possible to force memory to be allocated in different areas of the heap. It’s then possible using the Read Beyond Bounds vuln in Flash to read other information from the heap within that section.

Due to the nature of the vulnerability the PoC will rarely fail on a system and works on every version of OS tested (were the heap is contiguous).

These issues are patched in Flash version 10.

--------------------------------

Checkout the material for these presentations at

http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html

Pendant que la société Apple joue sur la peur concernant le jailbreak de l’iPhone, Charlie Miller fera une démonstration de la fameuse faille trouvée dans le logiciel de SMS de l’iPhone, demain, à la conférence BlackHat.

Un simple SMS suffirait à faire planter un iPhone, mais ce n’est pas tout.

D’après Charlie Miller, une série de SMS bien ficelée permettrait de prendre le contrôle d’un iPhone.

De l’autre côté, Zane Lackey et Luis Miras présenteront une technique qui permetterait, selon eux, de changer les paramètres d’un téléphone portable via un simple texte.

Tiens, cela nous rappel un peu Kevin Mitnick qui écoutait les conversations des services d’ordres avec un Motorola.

Hey,  I am sure veryone seen it already.  Twitter has changed their login screen.  Looks good to me.   See what happens when you miss just a few hours of the Twitter Verse?

And in other news, I read a post on SEOMOZ today about a sneaky script that got a ‘viagra’ website ranking on the first page of Google.  Yup, it seems Google slipped up and missed the fact that this site got 1000’s of links through completely unrelated blog sites where they managed to hide a link.

The link is invisible to humans, but seems to have been picked up by the search engine and was ranked for them.

Crafty little Black Hat there….