Monday, July 28, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

Who’s In Charge Here? The Problem of Information Security Governance [BlogInfoSec.com]

Posted: 28 Jul 2008 06:00 AM CDT

A long-time friend of mine recently called with surprising, and sad, news.  “I’ve been laid off due to poor profits,” he said.  “I receive eight-month’s severance.  But if, at the end of eight months, I tell my ex-employer that I’m retired, I’ll get family medical benefits until I turn 65.”

My friend is 55, and has been employed in the field of Information Security for more than two decades.  Until a few days before the phone call, he had served as CSO at a major manufacturing company.

I asked him how the function of CSO would be replaced by his former employer.  He said that the job would be delegated to another senior executive in IT.  “And the other security roles will also be reassigned-network security will be moved to Telecommunications; policy and procedures will transfer to Communications.”  In other words, the central Information Security unit would be dissolved and its functions incorporated into several existing operational, technical, and other areas.  “But how,” I wondered aloud, “will all these areas work together to create something resembling a consistent information security program?  Where’s the managerial glue to hold it together?  Who’s in charge?”  My friend replied, quite simply, “I don’t know.”

This single telephone conversation is one among many indicators that, to an increasing extent, the problem of governance continues to haunt the field of information security.

(...)
Read the rest of Who’s In Charge Here? The Problem of Information Security Governance (1,794 words)


© Sam Dekay for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under Compliance and Laws.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

Reflections on the DNS Vulnerability [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 27 Jul 2008 10:42 PM CDT

Is anyone else really, really sick of hearing about this "new" DNS vulnerability? I am.

I've been reading about it, the exploits, the infighting between some of our own, the disclosure, the massive coordinated effort to create patches, and DJBDNS's "ha ha". I'm over it.

The first really refreshing blog post/article on this topic that I've seen in weeks came when I hit Errate Security's page and read Robert Graham's article, "The DNS is Falling". Robert seemed to hit all the important points, and quite honestly it's about time. The "big picture", "missing the forest for the trees"... whatever cliche you want to use - we [the security industry] have done it.

Here's my point. As I commented on Robert's blog, the part that should worry everyone who's followed this issue isn't that there is a major new security defect in the way that DNS could be manipulated by evil hax0rs... it's that we have known about this type of attack against DNS for many, many, many years yet have chosen to sit on our hands. It's absolutely mind-boggling to me that with all the talented and brilliant minds that I've met or read about out there in IT Security we have, in 2008, a rediculously gaping design flaw in the underpinnings [nay, the foundation] of the Internet. ... we're so focused on sexy new technologies that we've completely swept this bugger under the rug and hoped no one would ever notice.

That, my friends, demonstrates to me that we have a much bigger problem in our industry.

Join the CISA group in LinkedIn [Gilbert Verdian - Security Advocate]

Posted: 27 Jul 2008 09:20 PM CDT

Using LinkedIn quite extensively, I created a group for CISA qualified professionals to join.

Please visit the following link stating your ISACA membership number and month & year you qualified for the CISA.

http://www.linkedin.com/e/gis/40405/0142006D7B5F

Upon joining you’ll have the following logo of the CISA letters I made displayed in your profile.

cisa.png

 

Join the CISA group in LinkedIn - Update [Gilbert Verdian - Security Advocate]

Posted: 27 Jul 2008 09:20 PM CDT

Using LinkedIn quite extensively, I created a group for CISA qualified professionals to join.

Please visit the following link stating your ISACA membership number and month & year you qualified for the CISA.

http://www.linkedin.com/e/gis/40405/0142006D7B5F

Upon joining you’ll have the following logo of the CISA letters I made displayed in your profile.

cisa.png

July 2008 - A quick update on the CISA group. We now have over 1300 members in the group! 

The group is still only intended for CISAs, as each application is viewed, please also ensure you have your relevant CISA certification & experience detailed in your profile.

SANS ISC: Don’t Disable Your Firewall [Infosecurity.US]

Posted: 27 Jul 2008 05:22 PM CDT

SANS ISC handler Tony Carothers posts some of the best advice I have heard or read Saturday or Sunday (other than buy low and sell high on Cramer….).

TechCrunch: Twitter Vulnerabiltiy Discovered? [Infosecurity.US]

Posted: 27 Jul 2008 05:10 PM CDT

Yesterdays’ TechCrunch post by Jason Kincaid, apparently either reveals a vulnerable exploit in Twitter, or a simple error. Evidently, a suspected spam account on Twitter, (if Mr. Kincaid’s post is correct) is either one of the most popular Twitteristas, or is a spammer gaming the system, with an exploit in the API….The cause for concern is the ability of this user to garner followers on Twitter, without the requisite acquiescence to do just that: Follow.

XKCD: Math Is For The Young [Infosecurity.US]

Posted: 27 Jul 2008 04:53 PM CDT

London's New Transit Card [Emergent Chaos]

Posted: 27 Jul 2008 11:57 AM CDT

transport for London.jpg
Transport for London is trying to get as many people as possible to use Oyster Cards. They are cheaper -- and theoretically easier to use -- than traditional tube / bus tickets. However, using one means that TfL has a record of your journeys on the transport system, which is something that not everybody is comfortable with.
Photo: Voyeur by Jeff VC

In Memoriam: CMU Computer Scientist Randy Pausch [Infosecurity.US]

Posted: 27 Jul 2008 11:41 AM CDT

Randy Pausch, Ph.D., a CS professor at Carnegie Mellon University passed away Friday, at his home in Chesapeake, Virginia. He was 47. I, my family, and colleagues at Infosecurity.US and Databaseresearch Corporation extend our deepest condolences to Dr. Pausch’s family, colleagues and friends. His life has been an inspiration, and a source of enlightenment for all.

Pausch’s Last Lecture

Carnegie Mellon University YouTube

The Land of Oz [Branden Williams' Security Convergence Blog]

Posted: 27 Jul 2008 09:30 AM CDT

No, Toto is not coming. I'm referring to Australia! I'll be making a trek down under in August to discuss PCI with banks and merchants alike. If you are in the area and want to meet up, please drop me an email! Hope to see you there!

Here come the Yankees! [StillSecure, After All These Years]

Posted: 27 Jul 2008 08:54 AM CDT

IMG_8903

Image by goddam via Flickr

Ah, its almost August.  Football training camps are open and the Yankees and Red Sox are battling. Does it get any better?  For most of this year I thought the Yankees were going to be out of it this year and content to have a rebuilding year.  We have several veteran players who past their prime and whose contracts are up after this year.  We have a some great young talent that need to grow into their potential.  It looked like the Bosox and Tampa Rays were going to run away with the division and wild card this year.

But like inevitable turning of the seasons, sometime after July 4th and then the All Star break, the Yankees beginninng their drive. Those old bones warm up in the heat of the summer and the bats come alive. This year the pitching is carrying them too.  Old pros Andy Pettite and Mike Mussina are joined by Jobba Chamberlin.  Mariano Rivera is still the best closer in baseball.  Just like old times the Yanks went out and fleeced some 2nd division team for a bunch of minor leaguers and added a quality hitter and pitcher right before the trade deadline.  Look around and we are one game behind the Red Sox for the wild card slot and only three games behind the Rays for first place!

I still think Tampa is going to stumble and it will come down to the Sox and the Yanks. Just the way it is supposed to be. I am heading up to NY next Friday, taking my sons to the shrine that is Yankee Stadium to see it in person in its last year.  The rest of the baseball season is going to be very exciting.  Again, just the way it is supposed to be!

Zemanta Pixie

Reproducibility, sharing, and data sensitivity [Emergent Chaos]

Posted: 26 Jul 2008 05:52 PM CDT

What made this particular work different was that the packets we captured came through a Tor node. Because of this difference, we took extreme caution in managing these traces and have not and will not plan to share them with other researchers.
Response to Tor Study

I won't get into parsing what "have not and will not plan to share" means, and will simply assume it means "haven't shared, and will not share". So, what we have here are data that are not personally identifying, but are sensitive enough that they cannot be shared, ever, with any other researchers.

What is it about the traces that makes them sensitive, then?

Given this policy, how can this work be replicated? How can it be checked for error, if the data are not shared with anyone?

Bonus rant, unrelated to the Tor paper

I am growing increasingly perturbed at the hoarding of data by those who, as scientific researchers, are presumably interested in the free flow of information and the increase of knowledge for the betterment of humanity.

Undoubtedly not all keep this information to themselves out of a base motive such as cranking out as many papers as possible before giving anyone else (especially anyone who might be gunning for that same tenure-track position) a shot, but others who play this game no doubt are. It's unseemly and ultimately counterproductive.

It's funny -- the infosec community just went through an episode where a respected researcher said, in effect, "trust me -- I found something important, but I can't give you the information to verify my claim, lest it be misused by others less noble than we", and various luminaries took it to be a sign of lingering institutional immaturity. Perhaps, as EE/CS becomes increasingly cross-pollinated with the likes of sociology, psychology, law and economics the same observation will hold. If so, we should see it coming and do the right things. This is one they teach in pre-school: "Sharing is Caring".

As an example of what could be done, consider this and this.

Amerit Williams: DNS Attack Scrutiny [Infosecurity.US]

Posted: 26 Jul 2008 02:58 PM CDT

Amerit Williams, TechBuddha, and a fellow member of the SBN, has posted, in our opinion, one of the best DNS Flaw & FUD examinations to date. Let this morsel of wisdom inject a bit of sanity into the hysteria. He makes reference to the Russ Cooper and Peter Tippett post, detailing support for putting the FUD in it’s place. Definitely a MustRead.

[1] Verizon Security Blog (Russ Cooper and Peter Tippett)

It’s All In a Name…Risktical [Risktical Ramblings]

Posted: 25 Jul 2008 08:46 PM CDT


Risktical – To the best of my knowledge, this is not a documented "Bushism". But is has some zing to it and it seemed to stick when I was doing a very impromptu mind mapping exercise.

So off we go….

Risk is often thought to be a very complex subject to comprehend – let alone have meaningful discussions about. The reality is that we all probably understand risk better then we think. We make risk based decisions everyday – but yet rarely are we put in positions to articulate the risk elements that went into a decision let alone defend our reasoning.

Performing information security risk assessments on IT projects, operational processes, or other business processes is becoming more and more common in organizations of various sizes. This is what I have been doing for the past three years. Yes, I started out as a piece of clay with half a clue about risk – but thanks to great mentors, a great risk framework to work with, some self-study, a risk management organization that takes this discipline seriously, and business leaders that embrace the information we provide them – I am more experienced with understanding risk, more hardened against not erring on the side of possibility vs. the side of probability and more convinced that at the end of the day information security professionals can enable effective decision making.

There are a few words that come to mind when I think of risk and the discipline of assessing risk – all of which influenced the name of this blog.

Mystical / Uncertainty– There are folks that scoff at the ideal of being able to classify or better yet quantify information security risk. I think it all comes down to one's person with dealing with uncertainty as well as accepting the fact that this is a fairly new discipline within the information security profession. Are information risk assessment scoffers as skeptical about stock market analysts and their predictions?

Statistics – Uncertainty. Not Binary. Probability. Values between 1 and 0. Distribution. We should not underestimate how many people understand risk concepts – especially business executives and decision makers. Understanding basic statistical concepts as well as being familiar with more advanced statistical concepts is a must for anyone wanting to take this discipline seriously. From my perspective, leveraging a methodology that uses sound statistical concepts is going to be easier to defend, as well as make it easier for users of the methodology to be consistent in their assessment.

Economics – How and why a business allocates its money matters at all levels of the company. Any business minded person wants to ensure that where they apply their allocated money, it is going to have some positive impact on the business. Within information risk management, these funding decisions can be hard to make. But a decision maker armed with the right information can make risk based decisions that can decrease the overall risk the organization may be facing as well as prove value.

In up-coming posts, I will try to lay out a few foundational topics before analyzing some risk scenarios. Some of these scenarios may be based off current events – others may be modeled based off my "imagination". Regardless, I look forward to sharing my thoughts and having meaningful dialogue.

San Francisco District Attorney Reveals Network Passwords [Infosecurity.US]

Posted: 25 Jul 2008 06:01 PM CDT

According to PCWorld reporter Robert McMillan (IDG News Service), in an astonishing move (to support the City and County’s case against the suspect, Terry Childs), the San Francisco District Attorney’s office has made public about 150 internal passwords to the City and County of San Francisco’s internal network. Evidently, the DA made the passwords public, as part of Exhibit A, in the case being made against Terry Childs, the former CCSFO Network Administrator.

[1] PCWorld’s Robert McMillan

[2] InfoWorld’s Tom Sullivan

TippingPoint: Safari Vulnerability [Infosecurity.US]

Posted: 25 Jul 2008 05:44 PM CDT

Through the Zero Day Initiative, TippingPoint DVLabs has released a security advisory focused on a Style Sheet Heap Corruption explotable vulnerability in Apples’ (NasdaqGS: APPL) Safari.

DNS Entropy Testers - Is Your DNS Infrastructure Vulnerable? [Infosecurity.US]

Posted: 25 Jul 2008 05:37 PM CDT

DNS-OARC has released a tremendous, recommended, DNS Entropy Tester. Use it to determine the level of vulnerability your DNS may possess. Dan Kaminksy, of IOActive, also has developed a DNS Flaw tester on DoxPara (obviously, highly recommended).

Microsoft Releases Security Advisory 956187: DNS Spoofing Threat [Infosecurity.US]

Posted: 25 Jul 2008 04:39 PM CDT

Microsoft (NasdaqGS: MSFT) has released a Security Advisory entitled the “Increased Threat for DNS Spoofing”.

This advisory is hot on the heels (by a couple of weeks) of their originally released July 8th Security Advisory providing security updates to protect users against Windows Domain Name System (WDNS) spoof threats.

Again, we strongly suggest patching systems affected by the DNS Flaws (pursuant to your vendor supplied updates), most recently revealed by Dan Kaminsky, Director of Penetration Testing at security consultancy IOActive). We also heartily recommend the utilization of OpenDNS for your name serving needs. IOActive also is providing source code for detection of this pernicious, now in the wild, DNS Cache Poisoning Flaw.

Kaminsky Reveals Exploit During BlackHat Webinar [Infosecurity.US]

Posted: 25 Jul 2008 03:08 PM CDT

According to a posting by CNET blog reporter Robert Vamosi, Dan Kaminsky (Director of Penetration Testing at security consultancy IOActive) has revealed (during a pre-BlackHat webinar yesterday) the DNS Exploit he warned of on July 8th, and so heavily covered in the security blogs recently.

ICSA Labs: New White Papers Released [Infosecurity.US]

Posted: 25 Jul 2008 02:21 PM CDT

PCI Council announces DSS Lifecycle [Branden Williams' Security Convergence Blog]

Posted: 25 Jul 2008 10:28 AM CDT

I have to admit, I needed some coffee and cobweb remover to decode this message from the Council this morning. They posted their Lifecycle Statement on the standard yesterday. After reading it a few times (and having a cuppa), I believe what they are trying to say is that there will be a new version of the PCI-DSS every 24 months. If you see a major number incremented (say 2.0 from 1.X), it is considered a new version. If a minor number is incremented (say 1.1 to 1.2) it is a revision. Regardless, you still have to do it and you will have some amount of time to implement.

The next revision is due out on October 1, 2008 and will be version 1.2.

To whomever drafted this document, will you please read William Zinsser's On Writing Well, and Paula Larocque's The Book on Writing -- The Ultimate Guide to Writing Well. Seriously guys, simplify your writing. There are many non-native speakers trying to digest this stuff, and I guarantee the first sentence in that release has them so confused that many just tossed it aside.

Ethics, Information Security Research, and Institutional Review Boards [Emergent Chaos]

Posted: 24 Jul 2008 09:46 PM CDT

Several weeks ago, in "A Question of Ethics", I asked EC readers whether it would be ethical "to deliberately seek out files containing PII as made available via P2P networks". I had recently read an academic research paper that did just that, and was left conflicted. Part of me wondered whether a review board would pass such a research proposal, or whether the research in the paper was even submitted for review. Another part told me that the information was made publicly available, so my hand-wringing was unwarranted. In the back of my mind, I knew that as information security researchers increasingly used the methods of the social sciences and psychology these ethical considerations would trouble me again.

Through Chris Soghoian's blog post regarding the ethical and legal perils possibly facing the authors of a paper which describes how they monitored Tor traffic, I realized I was not alone. Indeed, in a brief but cogent paper, Simson Garfinkel describes how even seemingly uncontroversial research activities, such as doing a content analysis on the SPAM one has received, could run afoul of existing human research subject review guidelines.

Garfinkel argues that strict application of rules governing research involving human subjects can provide researchers with incentives to actively work against the desired effect of the reviews. He further suggest thats


society would be better served with broader exemptions that could be automatically applied by researchers without going to an IRB [Institutional Review Board].

My concern at the moment is with the other side of this. I just read a paper which examined the risks of using various package managers. An intrinsic element of the research behind this paper was setting up a mirror for popular packages under false pretenses. I don't know if this paper was reviewed by an IRB, and I certainly don't have the expertise needed to say whether it should have been allowed to move forward if it was. However, the fact that deception was used made me uneasy. Maybe that's just me, but maybe there are nuances that such research is beginning to expose and that we as an emergent discipline should strive to stay on top of.

[Update: The researchers whose Tor study was examined by Soghoian have posted a portion of a review conducted by the University of Colorado:


Based on our assessment and understanding of the issues involved in your work, our opinion was that by any reasonable standard, the work in question was not classifiable as human subject research, nor did it involve the collection of personally identifying information. While the underlying issues are certainly interesting and complex, our opinion is that in this case, no rules were violated by your not having subjected your proposed work to prior IRG scrutiny. Our analysis was confined to this IRG (HRC) issue.

This conclusion is in line with Richard Johnson's comment below, that this research was not on people, but on network traffic.]

On The Lam ‘Spam King’ Kills Self, Wife, Daughter, Wounds Another [Infosecurity.US]

Posted: 24 Jul 2008 09:41 PM CDT

Yesterday afternoon brought unfortunate news, via the Denver Post, of the recently convicted, so-called ‘Spam KingEddie Davidson. Evidence shows the convicted felon shot his spouse and child and wounded another teen female before turning the gun on himself. On the lam for 96 hours from a federal minimum-security lock-up, he had managed the escape with the (alleged) assistance of his now deceased, wife.

Clash Of The Titans [Napera Networks]

Posted: 24 Jul 2008 04:42 PM CDT

Yesterday’s well hyped NAC debate over at Network World certainly received some attention. I was only able to check in between meetings but they posted an entire transcript and it makes interesting reading.

In one corner, Joel Snyder, well respected NAC expert and Interop regular. I’m partial towards Joel because he has been a voice of reason in the networking space for many years, and his work on NAC and NAP is second to none.

In the other corner, Richard Stiennon, self-titled ‘ Security Industry Innovator’ who regularly exclaims ‘NAC is dead’ to anyone who reads his column at Network World. I don’t believe I’ve ever met Richard, but he was previously at Gartner (where he exclaimed IDS was dead), worked at Fortinet and Webroot for a brief period and recently joined an Australian startup doing MSS. I was doing MSS in Australia in 1995 as it happens, so I guess I must be a security innovator as well.

The debate itself got off to an early start with an argument over the definition of NAC. Richard was pretty obtuse and I think Joel did well to stay on topic. Ultimately a lot of what Joel said struck a chord with me - for example.

Every NAC deployment I’ve looked at, and everyone I’ve heard about, has a surprise factor…The surprise is how UNcompliant PCs are with the host AV. Talk to the most Microsoft-savvy IT departments in the world. They’ll tell you they were astonished at how low their compliance level was.

This is exactly what we’ve seen in the field at Napera. We regularly see the surprise factor within a few minutes after plugging in an N24. Whether it’s the endpoint software that IT purchased but nobody is actually running, the PC’s that are months behind on patches or the devices on the network the IT admin had no idea were even there, the ability to see and then manage this situation is what our customers are passionate about. A customer I spoke with yesterday in the health care field said it was like having a microscope on his network for the first time.

Other folks have weighed in on the debate. Alan Shimel claimed a KO by Joel in the first round. Alan, this is one of those times where I can do nothing but agree. The outcome of the debate is clear and even Richard’s former colleagues at Gartner agree there is a healthy NAC market - Joel gets it, and Richard doesn’t. Thanks to Network World for staging the debate!

NAT/PAT Configuration and DNS Cache Poisoning Solutions [Infosecurity.US]

Posted: 24 Jul 2008 04:33 PM CDT

US-CERT has issued a security advisory, detailing issues with NAT/PAT and it’s affect on mitigating the widespread DNS Cache Poisoning vulnerability. The agency also issued a Vulnerability Note, at the beginning of the month, regarding this issue…we cannot emphasize too much as to how important it is to pay close attention to your network.

In essence, US-CERT has advised the public to implement the following:

* Place the nameserver outside of the NAT/PAT device in the network infrastructure.
* Configure the NAT/PAT device to perform source port randomization.
* Configure the NAT/PAT device to preserve the source port assigned by the nameserver.

MindshaRE: Cross References in IDA [DVLabs: Blogs]

Posted: 24 Jul 2008 04:29 PM CDT

Posted by Cody Pierce

I would say besides the navigation keys (Esc, Enter, Ctrl-Enter, Arrows), the most often sequence I use is X / Ctrl-X.  That's right, cross references.  Okay, maybe I use others just as much, but for today's MindshaRE we will be discussing cross references in IDA (I wanted to add some impact to the topic).  I will briefly cover what they are, the different types of references, and share some scripts utilizing xrefs that hopefully make your day easier.

MindshaRE is our weekly look at some simple reverse engineering tips and tricks.  The goal is to keep things small and discuss every day aspects of reversing.  You can view previous entries here by going through our blog history.

Cross references in IDA are invaluable.  They show any code, or data, which reference or are referenced from your current position within the binary.  This can be in the form of function references, local variable cross references, or data xrefs.  When navigating a binary one of the most common uses is function cross references.  We need the ability to see what other pieces of code may hit the one we are interested in.  This is exactly what xrefs are for.

Lets say we want to see all functions that call the following routine:
.text:76F2CA90 Dns_GetRandomXid proc near  ; CODE XREF: Dns_BuildPacket+79
.text:76F2CA90                             ; Dns_NegotiateTkeyWithServer+20C
.text:76F2CA90
.text:76F2CA90 call    Dns_RandGenerateWord
.text:76F2CA95 jmp     loc_76F23D8A
.text:76F2CA95 Dns_GetRandomXid endp
Pressing Ctrl-X (JumpXref) when are cursor is on the functon name we get the following dialog listing the cross references.



Note that references are also visible as automatic comments under the function name.  This is useful for enumerating xrefs at a glance. The number of references shown is configurable through the SHOW_XREFS variable in IDA.CFG.

Looking at the dialog box we see four columns, Direction, Type, Address, Text.  The first column denotes which direction in the binary the caller is located. Up being before the current function, at a lower address. Down being after the function, at a higher address.  Type, indicates what type of cross reference we are looking at.  In our example all our references are of type "p" meaning procedure, later we will see others also exists such as write, read, and offset. Address is the location of the cross reference.  In this instance the address is the location of the call to our current function.  In our example we have symbols so it is an offset from that symbol, but if we didn't have symbols it would be a typical hex address.  Text, is the text that appears at our references address.  For this example we see a typical call, others may show the instructions reading or writing to our cross reference.

Having symbols helps us easily identify the purpose of a function.  Cross references help us identify the path code takes to a function.  As an example I created an IDA Python script called get_recursive_xrefs.py that takes matters one step further.  This script will take a function, and recursively grab cross references to the function.  This gives us a calling tree as far back as possible to the current function.  Running the script produces the following sample output:
Getting xrefs to 76f39c9f (Dns_RandGenerateWord)
========================================================================
Dns_RandGenerateWord
 Dns_GetRandomXid
  Dns_BuildPacket
   Query_SingleName
    Query_Main
     Query_InProcess
      DnsQuery_W
       privateNarrowToWideQuery
        DnsQuery_UTF8
         DnsFindAuthoritativeZone
          DoQuickFAZ
          CompareTwoAdaptersForSameNameSpace
         DnsQuery_A
        ShimDnsQueryEx
         CombinedQueryEx
          DnsQueryExW
    QueryDirectEx
     Dns_FindAuthoritativeZoneLib
      Dns_PingAdapterServers
       DnsModifyRRSet_Ex
        DnsRegisterRRSet_Ex
         DnsModifyRRSet_Ex
          DnsRegisterRRSet_Ex
     Dns_UpdateLib
      Dns_UpdateLibEx
       DnsUpdate
        DoQuickUpdateEx
         DoMultiMasterUpdate
          DoQuickUpdate
   Dns_NegotiateTkeyWithServer
    Dns_DoSecureUpdate
     sub_76F3BB68
      Dns_UpdateLib
       Dns_UpdateLibEx
        DnsUpdate
         DoQuickUpdateEx
          DoMultiMasterUpdate
As you can see we get a nice list of calling functions.  In an instant I can find what might create transaction IDs in Windows.

I mentioned earlier that functions are certainly not the only thing you can cross reference.  When in a function we can also reference local or global variables in an operand (JumpOpXref).  Lets look at the next cross section of assembly.
.text:76F39CCC inc     edi
.text:76F39CCD push    edi
.text:76F39CCE push    offset aMicrosoftStron ; "Microsoft Strong Crypto"...
.text:76F39CD3 push    ebx
.text:76F39CD4 lea     eax, [ebp+var_4]
.text:76F39CD7 push    eax
.text:76F39CD8 call    ds:_imp__CryptAcquireContextA
.text:76F39CDE test    eax, eax
.text:76F39CE0 jnz     short loc_76F39CE5
Putting our cursor on the local name "var_4" at address 76F39CD4 and pressing "X" gives us a familiar dialog box.



We discussed all of the columns already, the only new information is the "w", and "r" types.  I alluded to this earlier but it simply means the instruction either reads, or writes to the target variable.  This can be extremely helpful in identifying when a variable is initialized.

Lets move to a different section in the binary.  Looking through the .data section of most binaries can be interesting.  We obviously see lots of global addresses that are used to hold values.  Knowing both the x-ref shortcuts (Ctrl-X, X) can get us the references to those locations.  But lets look at another common occurrence in the data section.  Vtables are accessed via the data section in most cases.  The problem is the only xref from the data section will be at the beginning of the vtable.  However if we do a xref on each function in the binary we can determine a function that is called from the data section.  For instance the xrefs to the function MxWireRead look like this.



Following those show us an obvious table of handlers.
.data:0104E300 RRWireReadTable ; DATA XREF: Wire_CreateRecordFromWire+43
.data:0104E300   dd offset CopyWireRead 
.data:0104E304   dd offset AWireRead
.data:0104E308   dd offset PtrWireRead
.data:0104E30C   dd offset PtrWireRead
.data:0104E310   dd offset PtrWireRead
.data:0104E314   dd offset PtrWireRead
.data:0104E318   dd offset SoaWireRead
.data:0104E31C   dd offset PtrWireRead
.data:0104E320   dd offset PtrWireRead
.data:0104E324   dd offset PtrWireRead
.data:0104E328   dd offset CopyWireRead
.data:0104E32C   dd offset CopyWireRead
.data:0104E330   dd offset PtrWireRead
.data:0104E334   dd offset CopyWireRead
.data:0104E338   dd offset MinfoWireRead
.data:0104E33C   dd offset MxWireRead...
...
This is clearly a tedious process, perfect for automating with a script. So I wrote an IDA Python script called find_data_section_functions.py which runs through every functions xrefs that originate from the data section producing the following example output:
0x0104e164: AFileRead
...
0x0104e234: AWireWrite
0x0104e1d0: AaaaFileRead
0x0104e030: AaaaFlatRead
0x0104df60: AaaaValidate
0x0104e1e8: AtmaFileRead
0x0104e048: AtmaFlatRead
0x010135a8: ControlCallback
...
0x0104e0f4: KeyFlatWrite
0x01013acf: Log_PrintRoutine
0x01006f9c: MIDL_user_allocate
0x01006fa0: MIDL_user_free
...
0x0104edb4: MxFileWrite
0x0104edc0: MxFileWrite
0x0104edcc: MxFileWrite
0x0104dffc: MxFlatRead
0x0104e008: MxFlatRead
0x0104e014: MxFlatRead

...
0x01006ff0: R_DnssrvComplexOperation
0x01007004: R_DnssrvComplexOperation2
0x01006ff4: R_DnssrvEnumRecords
0x01007008: R_DnssrvEnumRecords2
0x01006fe8: R_DnssrvOperation
0x01006ffc: R_DnssrvOperation2
0x01006fec: R_DnssrvQuery
0x01007000: R_DnssrvQuery2
...
0x01017044: freeDpInfo
0x01018b41: freeServerObject
0x0101736d: freeStringArray
0x0101aa4f: pluginAllocator
0x0101aa4a: pluginFree
0x0104ed00: processPrimaryLine
0x0101b67d: recurseConnectCallback
0x01041e90: respondToServiceControlMessage
0x0104eea4: startDnsServer
0x0104d20c: sub_1020330
0x0104d214: sub_1020330
0x0102f8c7: updateForwardConnectCallback
0x0103606d: zoneTransferSendThread
Finally, there are three additional graphs IDA provides the user for viewing cross references.  These graphically display the same cross references we covered, and can even display a down graph showing all the functions your current function may call.  These can be located in the Views->Graphs->Xrefs to/Xrefs from/User xrefs chart.  While these may be handy they suffer two problems.  First and foremost you can't navigate them.  That means you can see an interesting function but have to switch back to IDA and manually type the address in to jump there.  Secondly, it can be unwieldy often times showing thousands of functions.  This can be limited using the User xrefs chart and limiting the recursion depth, but i would rather just run a script I can interact with.  Play around with the graphs, you may find them very helpful.

There are many many other uses for cross references.  I can't possibly cover everything in this little post.  I hope this has been a good intro to them, or maybe sparked some ideas of your own.  Leave a comment if you have any novel uses, or other useful hints.  I hope you enjoyed this weeks MindshaRE.

-Cody

DNS Vulnerability: Second Exploit Now Published [Infosecurity.US]

Posted: 24 Jul 2008 03:41 PM CDT

Metasploit has released a second domain name server exploit, this time authored by the Computer Academic Underground (CAU). Also reported on at Wired’s ThreatLevel blog. Quite frankly, there are enough unpatched systems extant, so we think the first exploit will do quite nicely….none of this, “Thank you Sir, may I have another….”

1 comment:

Unknown said...

Hi! Are you having problems finding right exam guide for cisa certification? I was having such problems few days ago. And I consulted with this site because their CISA certification program requires you to complete the Continuing Professional Education (CPE) Policy so that you can maintain a sufficient level of knowledge and expertise in the Information Systems audit, control and security field. This is proved to be really helpful to me. Thanks. . cisacertification