Sunday, August 10, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

A Real Modbus Scanner [Digital Bond]

Posted: 10 Aug 2008 07:43 AM CDT

Mark Bristow gave a presentation on his ModScan tool at Defcon. Control system community attendees where underwhelmed, which is not necessarily a bad thing. Evidently this tool did little more than identify if there was Modbus server on TCP/502 and discover the slave ID.

What is odd about this is there has been a much more full featured Modbus scanner available for at least two years. Under an I3P program, the University of Tulsa developed a Modbus scanner that not only identifies Modbus servers, but also does a complete function code scan. After that is scans the coils and registers to determine the points list.

We played around a bit with it last year, and it worked will on some Modbus servers, but not all. Where it failed was it did not provide consistent results on certain PLC’s, mainly because of delay issues in a SCADA network as opposed to a lab or DCS. I believe Tulsa has done more testing and addressed these issues.

The black/gray hat events seem to be a bit desperate to get a “SCADA” talk in the agenda that quality control suffers.

Squadron of Justice: protecting the digital realms for America [StillInSecure, After All These Years]

Posted: 10 Aug 2008 05:53 AM CDT

Squadron_of_justice

A team of superheroes known as "the Squadron of Justice" protect America with their awesomeness and superpowers!

Finally, a team of heroes has decided to defend all that is good and just on our networks. It's not anymore Marty Roesch of Snorting fame, it's not Markus Ranum, it's not Thomas Ptacek, it's not me either.

It's the Squadron of Justice.  Stay tuned.

Feedburner Security bloggers network hacked [Hackers Center Blogs]

Posted: 09 Aug 2008 06:00 PM CDT

It's blackhat days, we all know. And Alan's blog has been hacked. More precisely the whole security bloggers network at feedburner has been hacked, badge modified, image modified and injuries added.


I realized while visiting my own blog, and viewing the new badge image:

 

There was no need to add those horrible a** [...]

Weekend Off [Infosecurity.US]

Posted: 09 Aug 2008 08:38 AM CDT

For the second week in a row, we have shuttered the Infosecurity Cottage, and are re-creating via the catamaran, ah…summertime in the Pacific Northwest!

Posts commence Monday morning.

links for 2008-08-09 [delicious.com] [Andrew Hay]

Posted: 09 Aug 2008 08:00 AM CDT

Defcon day 1 [Kees Leune]

Posted: 09 Aug 2008 07:25 AM CDT


After a long day yesterday, which featured 12 hours of travel, 3 hours of time difference, 4 hours of sleep, 2 hours of pre-con breakfast, 6 hours of convention and 4 hours of post-convention, I am now awake at 5am (pacific time) in my hotel room. Since this as good a time as any to get my thoughts together, I figured I'd try to get some itemized comments out

  • Kennedy is a fairly unpleasant airport when there are heavy storms in the vicinity.
  • I'm glad I got to see parts of Vegas, but I don't think I need to come back here as a tourist.
  • The general atmosphere at Defcon is great. People are very friendly, willing to communicate and share, and it is a general geek Nirvana.
  • As with most conferences/conventions that I go to, the talks are borderline acceptable. Sometimes they're a little entertaining, sometimes they provide some nice nuggets of insight, but I haven't been at any that are ground-breaking.
  • Rumor has it that the badges were not appreciated all too much by customs.
  • Just for meeting the right people alone, Defcon is worth going to.
  • Don't be paranoid. Oh wait;FAIL!
I am keeping a fairly up-to-date feed on twitter. Daylight is breaking. Better get some more sleep.

Why Can't Hackers Spell? [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 09 Aug 2008 12:33 AM CDT

Seriously? Why? If you haven't been keeping score, the 'hackers' who set of various viruses, worms and other malware over the past several years just can't seem to spell right, and clearly don't have any regard for proper grammar...

As I was reading about this latest FaceBook "worm"... I came across an article on TechCrunch that details some of the messages being left on the "wall" of hacked users. The messages are hillarious..
."LOL. You've been catched on hidden cam, yo"
Who writes like that?

This isn't the first time, and definitely won't be the last time some [presumably foreign] hackers have had incredibly poor grammar and spelling... oh well.

Twitter Updates for 2008-08-08 [.:Computer Defense:.]

Posted: 08 Aug 2008 10:59 PM CDT

  • Figuring out what to do tonight. Ideas? Let me know! #
  • At dos caminos #
  • At dos caminos #
  • At dos caminos #

Powered by Twitter Tools.

Friday News and Notes [Digital Bond]

Posted: 08 Aug 2008 06:14 PM CDT

  • Rep James Langevin, Chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, sent in a 5-minute video keynote to WeissCon. You can view it over at Joe’s Unfettered blog. Talks about a “lackadaisical attitude among the private sector when it comes to securing this infrastructure”.
  • I’ve been trying to find a credible link or on the record source to explain the activity to stop or modify Sergey Bratus’s presentation at Black Hat without success. The story was active in emails and phone lines this week.

Nessus WMI Compliance Checks [Digital Bond]

Posted: 08 Aug 2008 10:47 AM CDT

Tenable recently announced an additional feature for the Nessus compliance checks — support for WMI (Windows Management Instrumentation). I have used WMI for some scripting in the past and even played with WMIC. Still I wasn’t sure how or if this capability would help with Bandolier so I decided to use the WMI Object Browser to do some investigation.

The first thing that caught my eye was the Win32_UserAccount object group. Since most control system applications leave some default accounts behind, verifying that they have been removed is an important part of an audit. In *nix OSes, we’ve been able to do this very easily with the passwd file but it has been a challenge on Windows. Could WMI and Win32_UserAccount give us a reliable equivalent on the Windows side? I was disheartened by my first tests which looked like this:

<custom_item>
type: WMI_POLICY
description: “Check for default account (operator1)”
value_type: POLICY_TEXT
value_data: “operator1″
wmi_namespace: “root/CIMV2″
wmi_request: “SELECT Name FROM Win32_UserAccount”
wmi_attribute: “Name”
wmi_key: “Name”
wmi_option: WMI_ENUM
check_type: CHECK_NOT_EQUAL
</item>

The problem: the check always reported compliant, even when the account existed. Since there were other accounts that were not equal to operator1, it passed. The check type “CHECK_NOT_EQUAL” was functioning as designed, but not how I wanted. Thanks to some guidance from our friends at Tenable, I realized that what I need to do is combine CHECK_EQUAL_ANY with some condition checking like this:

<if>
<condition type: “or”>
<custom_item>
type: WMI_POLICY
description: “Check for default account (operator1)”
value_type: POLICY_TEXT
value_data: “operator1″
wmi_namespace: “root/CIMV2″
wmi_request: “SELECT Name FROM Win32_UserAccount”
wmi_attribute: “Name”
wmi_key: “Name”
wmi_option: WMI_ENUM
check_type: CHECK_EQUAL_ANY
</item>
</condition>

<then>
<report type:”FAILED”>
description: “A default account (operator1) exists”
</report>
</then>

<else>
<report type:”PASSED”>
description: “The default account (operator1) does not exist”
</report>
</else>
</if>

Success! This yielded the results we were after. We now have a more reliable way to test for default accounts on Windows servers and workstations.

I plan to spend some more time with WMI to determine what other information may be useful for Bandolier checks and will keep you updated.

Clarified's Visualization of DNS Patching [The Falcon's View]

Posted: 08 Aug 2008 09:16 AM CDT

Check out this cool video from Clarified Networks showing the progress of patching against the Kaminsky DNS vulnerability. Hat tip to O'Reilly Radar for the find......

Another update... [The Security Shoggoth]

Posted: 08 Aug 2008 09:02 AM CDT

Unfortunately, I'm not at BlackHat/Defcon this week so I don't have any really cool stories about 0-day attacks, vendor parties or Vegas. However, its been a week since my last post so I thought I'd put something on. (In reality I'm avoiding writing a report.)

Khallenge has come and gone. I was able to get through the first level in 36 minutes. Not bad, but I should have been able to do better than that so I'm personally disappointed. The level 1 password was XOR's encoded so it was pretty easy to find once you found the right section of code. I got level 2, but due to other pressing issues (ie. work) I was unable to finish it. I'm pretty sure the password was RC4 encrypted, but I'm not 100% sure. I'll have to wait for F-Secure to post the results.

One funny thing did happen during the contest. At one point something happened to the Khallenge website and the directory index came up instead of the page. Using that I was able to download all of the contest binaries. F-Secure fixed it pretty quickly and changed the directories the binaries were in.

Because of agent0x0, who is living it up in Vegas as we speak, I've become addicted to Twitter. I have to admit I was skeptical at first, but it is a great tool for information sharing and meeting others in the field, as well as just fooling around. Whats worse is that I have my phone hooked up to it now. :) If you're on it, follow me.

Clear® Registered Traveler Customer Apology Letter [Infosecurity.US]

Posted: 08 Aug 2008 08:31 AM CDT

Clear® Registered Travel Program and Verified Identity Pass, Inc. CEO Stephen Brill released the following letter to his customers today. In statements made in the email, he makes it quite clear that no one logged into the system, so no data was compromised! FAIL.

Evidently he is unaware of digital imaging techniques and tools. Someone please give him a call and relieve him of his information security security mis-conceptions and ask him to demand full disk encryption on all systems at Clear®….and now the letter:

Dear REDACTED,
We take the protection of your privacy extremely seriously at Clear. That’s why we announced on Tuesday that a laptop from our office at the San Francisco Airport containing a small part of some applicants’ pre-enrollment information (but not Social Security numbers or credit card information) recently went missing. None of your information was in any way implicated. However, we were prepared to send those applicants and members who were affected the appropriate notice on Tuesday detailing that situation.

Before we could send out that notice, the laptop was recovered. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found. Therefore, no unauthorized person has obtained any personal information.

Again, none of your personal information was on the computer in any form, but we nonetheless wanted to give you details of the incident that could have affected others applying for Clear memberships because the incident involves Clear’s privacy and security practices and policies.

We are sorry that this theft of a computer containing a limited amount of applicant information occurred, and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach. We have learned from this incident, and we have suspended enrollment processes temporarily until all pre-enrollment information is encrypted for further protection. The personal information on the enrollment system was protected by two separate passwords, but Clear is in the process of completing a software fix - and other security enhancements - to encrypt the data, which is what we should have done all along, just the way we encrypt all of the other data submitted by applicants. Clear now expects that the fix will be in place within days. Meantime, all airport Clear lane operations continue as normal.

As you may know, our Privacy Policy states that we will notify you of any compromise of your personal information regardless of whether any state statute requires it. This letter is a good example of our policy: no law requires that we notify you of this incident because our investigation of the recovered laptop revealed no breach and because in any event none of your own information was affected. But we think it’s good practice to err on the side of good communication with all Clear members, especially when, in this case, we did make a mistake by not making sure that limited portion of information was encrypted.

Please call us toll-free with any questions at (866) 848-2415. Again, we apologize for the confusion.
Sincerely,
Steven Brill
Clear CEO

P.S. A reminder: One of Clear’s unique privacy features is that all members and applicants are given an identity theft protection warranty which provides that, in the unlikely event you become a victim of identity theft as a result of any unauthorized dissemination of your private information by - or theft from - Clear or its subcontractors, we will reimburse you for any otherwise unreimbursable monetary costs directly resulting from the identity theft. In addition, Clear will, at its own expense, offer you assistance in restoring the integrity of your financial or other accounts. So had there been any actual compromise of your personal information, you would have been additionally protected.

This message was sent to Clear member ‘REDACTED‘. This email is about your Clear account, and you may not opt out of receiving such communications. You may choose to opt out of non-critical communications by going to REDACTED.
NOTE: If you opt out, you will not receive important updates offered by Clear. For more information on our privacy policy, please go to http://www.flyclear.com/footer/privacy_online.html.
Verified Identity Pass, 600 Third Avenue
10th Floor
New York, NY  10016
www.flyclear.com

Blogging Blackhat, Day Two [Digital Bond]

Posted: 08 Aug 2008 02:00 AM CDT

The second and final day of Blackhat has come and gone.  Some good presentations today, and probably more interesting to the critical/control system area of security.  The activity at Defcon is already starting to pickup, and lots of parties going on tonight from the major and minor players and generally a lot of winding down for the presenters.

I started the day with a great presentation from Felix Lindner on forensics in Cisco IOS.  Essentially examining full memory dumps, and some of the configuration and debugging techniques available on IOS.  This is something that I think we could see applied to PLCs, assuming the PLC has some sort of rudimentary debugging interface it could be trivial to checksum the RAM/ROM and detect changes, both intentional and unintentional.  Also interesting pickup from the presentation is that there are estimated to be somewhere in the neighborhood of 100,000 different IOS builds out in the wild and approx 15,000 of which are currently supported by Cisco.

Next up was Billy Hoffman's presentation of JavaScript techniques for circumventing automated analysis tools.  This presentation was near and dear to me and some of my previous research was creating an analysis tool called Caffeine Monkey that was mentioned quite a bit in the presentation.  Hoffman does good work and makes me more and more paranoid every time I use a web browser.  JavaScript is among the most common attack tools used today, Flash is on its way and I bet we see attackers leveraging the additional functionality there soon.

Travis Goodspeed has done some interesting work on dumping and reprogramming the firmware on the MSP430 microcontroller.  Fascinating research, but honestly I didn’t have enough of an electrical engineering background to completely understand it, lots of waveforms.

The SCADA fuzzing presentation was interesting.  There was a lot of buzz leading up to the talk and rumors floating around about vendor lawyers and court orders, but in the end the presentation was given.  Essentially Sergey Bratus of Dartmouth College, working with TCIP was able to cause a lot of damage to some real SCADA systems.  With no real knowledge of the proprietary protocols Sergey was able to use some compression techniques along with some evolutionary fuzzing to completely crash the system.  No details of exploits and such were given, and the presenters were careful not to give any real details about the vendors affected.  There is quite a mess of protocols floating around these critical systems and anyone who’s looked at them knows that they aren’t exactly the cleanest/clearest, and the only solution to that is open and peer reviewed standards.  A lot of side talk after the presentation about asset owners pushing vendors, and government intiatives/requirements.

Lastly, there was a big announcement from Microsoft.  I was unable to attend as I was in the SCADA talk above, but it appears that they’re going to begin sharing information with customers and partners on a more official basis.  From the Q&A that I caught the last bit of there seemed to be hints of MS working with 3rd party software developers to fix vulnerabilities in their software running on the Windows platform.  Few details were given, and they were clear that they wouldn’t be acting as a CERT, but clearly they’re preparing to be more involved with the process.  I have to think that they’re going to be most interested in Enterprise software, but without a doubt there will be some interested in critical systems as well.  It will be interesting to see how the program shapes up over the coming months.

Thats all for now, the chaos of Defcon really gets going tommorrow, should be some interesting stuff, and one very interesting on involving cell phones.

Links for 2008-08-07 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 08 Aug 2008 12:00 AM CDT

Twitter Updates for 2008-08-07 [.:Computer Defense:.]

Posted: 07 Aug 2008 10:59 PM CDT

  • Booze is next to the nCircle booth. Nice! #
  • Trying to figure out where to go... Suggestions #

Powered by Twitter Tools.

Black Hat 2008 Day 2: Web 2.0 mayhem [Security Incite Rants]

Posted: 07 Aug 2008 08:14 PM CDT

As you are reading this, my flight back to ATL should be climbing up through 10,000 feet on my way back home. Another year, another Black Hat, another set of things that are sure to kill us somewhere down the line, another few parties, and another frantic ride back to the airport.

Day 2 was a bit more sedate than Day 1, though that may have more to do with my hangover (that I finally chased away about 3 PM). I also skipped the keynote, though I heard it was pretty good. Here's a brief rundown of the sessions I did today.

  • Satan is on my friends list: This session went deep into some of the tricks you can use on Facebook, MySpace, and LinkedIn to make the application do unexpected things. The most interesting thing is that the attacks were shockingly simple. No wonder these social network sites are such havens for malware, leveraging XSS, CSRF and all sorts of other attack vectors. Shawn Moyer and Nathan Hamiel also ran a little experiment in adding Marcus Ranum (with his permission) to LinkedIn and added about 60 connections within a day. One of the last recommendations was to make sure you had a profile on each of the sites. Not because you plan to use it, but because you should get one out there before the bad guys do. At least the inimitable Ranum now has a profile.
  • No More Signatures: Defending Web Apps with ModProfiler: I was pretty disappointed with this session from Breach's Ivan Ristic and Ofar Shezaf. They spent the first 45 minutes explaining what a web application firewall is and some specifics about ModSecurity (the open source version). I was there to hear about ModProfiler, which is a new project focused on more effectively leveraging a positive (if it's not explicitly allowed, then it's not allowed) web application security model. They only spent maybe 30 minutes on that and didn't show the code or a demo or anything. Maybe they did in the last 15 minutes, but I left before then. You shouldn't make people wait for an hour to get to the technology mentioned in the title of the pitch.
  • Get Rich or Die Trying: Jeremiah did a great job going over quite a few scams that really leverage web technologies, kind of. Most took advantage of weaknesses in the web application, as opposed to actually security flaws. And to see some of the real simple stuff (like having press releases accessible before they hit the wire by figuring out the naming sequence), and how one woman made about $400,000 by selling merchandise that QVC shipped her even after she canceled the transaction. So, the moral of the story is that company's should probably pay their Q/A people a lot more money (or get new ones) to find this stuff before an application goes live.

And that's all she wrote. Back to a regular publishing schedule next week. Enjoy your weekend.

 

Fun Reading on Security - 6 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 07 Aug 2008 08:01 PM CDT

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #6, dated August 7th, 2008.

  1. DNS + Karma = Boom! Enuf said. Also, hear Pete Linstrom squeal.
  2. Fun essay on "blocking" and risk. Is it our job to stop'em from using Facebook?
  3. MS Exploitability Index. Smart ... or misguidedly focused on "vulnerability release" (and not creation)
  4. Chip-n-PIN, a PCI killer? I don't think so!
  5. Mike R revisits "good enough security" - read it, then review your IR plans (...for you will be 0wned)
  6. Very fun RSA survey here; data leakage beats malware again, people still not report incidents (to whom???)
  7. More and more and more people point at idiocies of academic security research... Read the whole w00t 08 thread here. Weep. Laugh.
  8. Neosploit has a bad quarter... breaks support "contracts" ... shuts down? Ah, the economy :-)
  9. Awesome stuff from  Richard Bejtlich: CAER.
  10. "The Network Firewall is a Consensual Hallucination" :-)
  11. More GRC-ball-kicking: here, here ("IT-GRC "vendors" are not IT-GRC vendors") - both are pretty insightful for GRC-lovers and GRC-haters)
  12. More SIEM-ball-kicking: here ("underwhelming","ridiculous", "missing the point"), here ("dead ...unless","cripple")
  13. Fun DLP portal launches.
  14. Final word (?) on TerryChilds-gate here. "When management starts controlling the actions of admins, things start to fall apart." Huh? When management loses control of the business, it dies. Folks, IT vs IT security gap IS real. I never quite believed it, but this taught me a lesson. Some common security sense for a change (also here).

Enjoy.

MindshaRE: Anti-Reversing Techniques [DVLabs: Blogs]

Posted: 07 Aug 2008 06:39 PM CDT

Posted by Cody Pierce

Anti-reversing tricks have been around for a long time.  They most commonly occur in malware or spyware applications.  However, in recent times more applications are incorporating them into their code.  This might be to thwart reversing of intellectual property, or perhaps modification of the binary at run time.  So today we take a quick look at some of the most common categories anti-reversing techniques fall into, and a few examples from each type.

MindshaRE is our weekly look at some simple reverse engineering tips and tricks.  The goal is to keep things small and discuss every day aspects of reversing.  You can view previous entries here by going through our blog history.

Anti-reversing tricks are pieces of code added to a binary that deter a disassembler or debugger.  In general they serve no other purpose to the execution of the program.  These tricks generally fall into several categories that we will cover.  It is a good idea to have a cursory knowledge of several anti-reversing tricks in case you come into contact with them.  If you are doing malware reversing then knowing these is imperative.  Otherwise you could find yourself wasting hours going in circles.

I have come up with the following categories of anti reversing tricks.  I am aware that there are many more, but in general these are the ones I see most often.  Look for a more complete list and discussion in the links following this post.


- Debugger Presence Detection -


Detecting the presence of the debugger is probably the number one method of anti-reversing.  This is done via Microsoft APIs, internal structure flags, window titles, and anything that might tell an application it is being debugged.  Lets first look at some of the Windows API calls that will give us up quickly.

IsDebuggerPresent() is the most common API that is used to detect the presence of a debugger.  It is the easiest to use, returning true if we have a debugger connected, or false if we do not.  Here is an example.

004012E1 call IsDebuggerPresent
004012E6 test eax, eax
004012E8 jnz DebuggerPresent

An obvious way to get around this is to patch any jump that occurs when this returns true.  The problem with patching in this manner is you may be doing it hundreds of times.  Lets look at what the function IsDebuggerPresent in kernel32.dll does.

7C813093 IsDebuggerPresent proc near
7C813093    mov     eax, large fs:18h
7C813099    mov     eax, [eax+30h]
7C81309C    movzx   eax, byte ptr [eax+2]
7C8130A0    retn
7C8130A0 IsDebuggerPresent endp

A little understanding of the windows internals tells us that fs:18h is a pointer to our current threads TEB data structure.  Knowing this we can see that TEB+0x30 is a pointer to our process PEB.  I know this is a hassle, but at PEB+0x2 we can see what is being checked by IsDebuggerPresent.

0:002> dt _TEB 7ffdd000
ntdll!_TEB
   +0x000 NtTib            : _NT_TIB
   +0x01c EnvironmentPointer : (null) 
   +0x020 ClientId         : _CLIENT_ID
   +0x028 ActiveRpcHandle  : (null) 
   +0x02c ThreadLocalStoragePointer : (null) 
   +0x030 ProcessEnvironmentBlock : 0x7ffdb000 _PEB

0:002> dt _PEB 0x7ffdb000 
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0x1 ''

We can easily verify this like so

0:002> db poi(7ffdd000+0x30)+0x2 L1
7ffdb002  01

BeingDebugged is a flag that is set when a debugger loads, or attaches, to a process.  This is much easier to fix on a global scale.  In our debugger we can simply load/attach to a process and at initial breakpoint do the following.

0:002> eb poi(7ffdd000+0x30)+0x2 0x0
0:002> dt _PEB 0x7ffdb000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0 ''

That will fix any calls to IsDebuggerPresent, or any checking of the internal PEB structure.

CheckRemoteDebuggerPresent is another API that is frequently used to check if a debugger is attached.  This one works slightly different than IsDebuggerPresent.  It takes a handle to a process (can be current process or remote process) and returns the value in the pointer passed to the function.  The way it works is by gathering process information via NtQueryInformationProcess.

7C859B35    lea     eax, [ebp+arg_0]
7C859B38    push    eax
7C859B39    push    7
7C859B3B    push    [ebp+arg_0]
7C859B3E    call    ds:_imp__NtQueryInformationProcess

This call will request the PROCESSINFOCLASS.ProcessDebugPort dword from the kernel.  If we have a debugger attached this will obviously not be zero.  Since this is handled by the kernel defeating it may be a little harder and might include patching, or running with a modified kernel32.dll (Which is what I have done before).

Another, more novel, way debuggers are detected is by checking for the presence of the debugger applications window name.  This sounds cheesy but it happens sometimes.  Calls to FindWindow() with the target debuggers window class name can tell the application if the specified window exists.  This is not as efficient as the others, since you have to specify the proper window name for each debugger you want to detect, but it is something to look out for.


- Timing checks -


Timing checks involve the checking of a time at a certain point in the binary with another later in execution.  The point of this is to utilize micro timers like clock cycles to detect that the process has paused for a fraction of time.  This can be very useful when dealing with clock cycles.  Breaking into the debugger alone will cause these values to be off quite a bit.  This can be done at say startup, and then each time a function is called it can check the delta for a possible debugger.  One example is the use of the Windows API GetTickCount() to grab the time since startup in milliseconds.  Pausing in execution will cause this value to skew since the tick count continues even when the debugger is broken in.

The one I see more often is the Intel instruction rdtsc (read double time stamp counter).  This instruction will pull off the clock cycles that have occurred since boot.  The low dword is stored in EAX and the high dword of this 64 bit number is stored in EDX.  The precision of this lends itself well to detecting how long execution has taken.  Lets look at an example of this.

Beginning of process execution.

xor eax, eax
xor edx, edx
rdtsc
mov dword_High, edx
mov dword_Low, eax

Later in process execution

xor eax, eax
xor edx, edx
rdtsc
sub edx, dword_High
cmp edx, dword_Delta
jnb DebuggerPresent

This example is obviously contrived, but in general this is how the timer works when detecting a debugger.


- Binary Modification Checks -


Binary modification happens all the time in a binary.  For instance when setting a break point in a function.  In a debugger you cannot tell that anything is different about the function, but in memory we are in fact modifying the instructions in the program.  As you may know break points are instructions inserted at the desired address (int3).  When execution hits this instruction it tells the process to break into a debugger.  So behind the scenes we have modified the code portion of a binary by inserting an interrupt instruction.

This is good for people trying to detect the presence of someone debugging the program, and people that may have patched the binary.  This is done by having a checksum for the code section of a binary and an associated routine for calculating and detecting if a function has been modified (via patching or a break point).

Another form of detecting writes or modifications of data is through guard pages, or page permissions.  Often times the application will set a guard page on the code section and any writes to that page will call through the SEH chain.  In most cases this is a minor nuisance, but an effective way of determining code section writing.


- Anti-Disassembling -


While most anti-reversing tricks are focused on live analysis they may also try and trick a static disassembler such as IDA.  A good example of this is inserting a jump in a function to a location that contains a valid instruction.  The problem occurs when IDA does its analysis. When IDA finds a jump, and a valid instruction at that jump, it will create a cross reference and disassemble the destination as code.  The problem is that during execution the jump will not be taken, and in fact the instruction being executed is at a different address.  This is easier to see in an example.

004010C0 sub_4010C0      proc near
004010C0    push    eax
004010C1    push    edx
004010C2    xor     eax, eax
004010C4    jnz     short loc_4010DB
004010C6    push    2DC431h
004010CB    pop     eax
004010CC    sub     eax, 0DB353h
004010D1    ror     eax, 10h
004010D4    xor     al, 60h
004010D6    ror     eax, 10h
004010D9    jmp     eax             ; 004010de
004010DB
004010DB loc_4010DB:
004010DB    mov     eax, 310FD3FFh
004010E0    and     edx, 0FFh

To IDA, this makes perfect sense.  We have a cross reference to loc_4010db and it disassembles to a valid instruction.  That has to be right, right? No not really.  The jump will never be taken because the xor will always be 0.  This should raise a red flag when you encounter an impossible branch.  If we follow it to the next branch (jmp eax) we can see what is really happening when the function is being executed.  I have added the comment above after calculating eax which takes us to the proper branch at 0x004010de.  As we can see this doesn't exists in IDA so we need to fix it.  Put your cursor over the invalid instructions at 0x004010db and hit "U" (Undefine).  This will turn all the code back into their byte representations.  Lets move to the real branch destination at 0x004010de and hit "C" (Make Code).  We should see the proper instructions appear like this.

004010D1    ror     eax, 10h
004010D4    xor     al, 60h
004010D6    ror     eax, 10h
004010D9    jmp     eax             ; 004010de
004010D9 sub_4010C0      endp
004010D9
004010D9 ; -----------------------------------
004010DB unk_4010DB      db 0B8h ;
004010DC                 db 0FFh
004010DD                 db 0D3h ;
004010DE ; -----------------------------------                        
004010DE    rdtsc
004010E0    and     edx, 0FFh
004010E6    mov     eax, edx
004010E8    shr     edx, 8

If you want you can go and fix up the function and make it all pretty, but in this case I didn't bother. This is a very typical anti-disassembler trick, and can occur in many different forms.

We have covered just a small snippet of anti-reversing techniques.  This is always a fun area of reverse engineering because its an arms race.  New tricks are invented every day, and new anti-tricks are discovered in response.  I certainly had to cut this discussion short as it is a much larger topic than I can handle in a single post.  I suggest reading through the following links to get a more in depth dissection of the most common anti-reversing techniques.

http://www.securityfocus.com/infocus/1893
http://pferrie.tripod.com/papers/unpackers.pdf

I hope you enjoyed this weeks MindshaRE.

-Cody

iPhone owns you : Warshipping [Hackers Center Blogs]

Posted: 07 Aug 2008 06:00 PM CDT

You have a package sitting in your shipping department addressed to "U R Owned, INC." ? Well, it may be David Maynor, CTO of Errata Sec, trying to Warshipping you !

In my opinion this is the most clever research I've heard so far in the war driving field. Basically David, is using an iPhone, empowered with passive sniffing tools to make a reconaissance tour of the inner [...]

SQL Injection Worms for Fun and Profit - slides and demo [GDS Security Blog]

Posted: 07 Aug 2008 05:11 PM CDT

Well, I’m offstage now having just presented my talk on “SQL Injection for Fun & Profit” at Blackhat in Las Vegas. One of the main aims of the talk was to provide more coverage on the mass SQL injection attacks that started earlier this year (and are still going on). The Internet Storm Center has some good discussion and coverage on this topic from earlier this year. The other aim was to point out some of the ways it could have, and probably will be in the near future, much much worse.

You can find a copy of the slides that were presented here, as well as a flash video of the demo that was done of the self replicating SQL Injection worm I wrote for this talk.

Knujon Reports “Suspended” Fake Pharmacy Sites Reappear at Previous Internet Providers [Infosecurity.US]

Posted: 07 Aug 2008 04:58 PM CDT

KnujOn’s Garth Bruen reports (in an email, and on the KnujOn site) suspended fake pharmacy sites have now reappeared at their previous internet providers:

At least 19 rogue pharmacy domains, sponsored through DIRECT INFORMATION
PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM (PDR), are back in operation with
the same content and at the same nameserver after being reported to
ICANN by the Registrar as "suspended." The nameserver is also
sponsored by PDR and is itself an unlicensed pharmacy site. This is an
example of a practice we have seen all too frequently where Internet
companies will remove sites temporarily for reported policy violations
only to restore them shortly afterwards. DIRECT INFO/PDR was rated the
9th Worst Registrar by KnujOn in terms of sponsoring spam sites
previously.
Full report here .
——————————

Collect, analyze, enforce, repeat…

Garth Bruen
KnujOn

Portknocking, SPA and SOA [Security Balance]

Posted: 07 Aug 2008 04:00 PM CDT

I already mentioned how I like stuff like port knocking. It can’t be used as replacement for other security measures, but it’s a nice way to keep important stuff out of radar. Imagine if you had some SSH daemons remotely accessible when that OpenSSL PRNG crisis started. I saw lots of admins running to replace flawed keys for servers because of that. If those daemons were hidden behind some portknocking stuff, it wouldn’t be necessary to rush.

Today I read some interesting stuff about SPA, or Single Packet Authentication, to protect SOA resources published on the web. I must say that it’s a nice way to avoid too much attention on them. It would be nice to see this being integrated into frameworks.

ISCI Call for Input [Digital Bond]

Posted: 07 Aug 2008 03:37 PM CDT

UPDATE: The 12-page Call for Input document is now posted. It definitely answers the intellectual property question, but will anyone bite on giving away useful IP?

2. The participant identifies any holders of copyright interests in the contribution, and affirms that the copyright holder grants to ASCI a perpetual, irrevocable, non-exclusive, royalty-free, worldwide license to include the contribution and derivative works within any document arising from the work of the Institute.

3. If the resulting candidate specification(s) may require the use of a patented invention, the participant identifies any holders of patent(s) or patent interests in the contribution, and affirms that the patent holder agrees to comply with policies contained in the ASCI Patent Policy. The participant or patent holder must provide ASCI with either: a general disclaimer to the effect that such party does not hold and does not presently anticipate holding any invention the use of which would be required for compliance with the proposed specification or a written assurance that either: (a) a license will be made available without compensation to applicants desiring to utilize the license for the purpose of implementing the specification, or (b) a license will be made available to applicants royalty free, that are demonstrably free of any unfair discrimination.

Interesting that they adopted the Level 1 and Protocol certifications levels that we worked with Wurldtech to structure as part of their Achilles Certification.

Finally, it seems like a very aggressive timetable. Intention to submit input must be made by August 15th and input is due by the 31st during a vacation heavy month. 1st draft Embedded Controller SA conformance specification by September 30th.

—–
The ISA Security Compliance Institute [ISCI] announced a Call for Input to their Embedded Controller SA conformance specification on the SP99 list last week. We will link to it when it is up on the ISA site.

At the last ISA99 meeting in West Palm Beach, I raised some red flags about a pay to play organization dictating an ISA standard’s structure and schedule. Well this Call for Input is another red flag. Why would any non-ISCI member want to contribute to this effort?

It costs at least $5,000 a year to even participate in an ISCI technical meeting, and the price goes up based on company size. Would you contribute to an unproven, fledgling effort that then makes you pay to even get in the room to work on the specification?

Who owns the intellectual property [IP] of the contributions? ASCI/ISCI has made a point in presentations that the test specifications and certification programs they will develop have value and are ISCI’s IP. And this is wise because creating effective test specs and programs is difficult. But how can ISCI take another company’s input and say they own the resulting IP? I would be amazed if the two prominent vendors in this space, Mu and Wurldtech, would hand over their IP. [FD: Wurldtech is a current advertiser and past Digital Bond consulting client].

As the ISA>ACSI>ISCI efforts have rolled out it appears to me they made two fundamental mistakes.

1. Perhaps the fatal mistake was they started too early. If ISA99 or some other control system security standard that had testable requirements was available they could apply resources to build a test spec and certification program. We are not close to this so now ISCI needs to develop a set of ISCI proprietary requirements and the test spec.

2. ISA viewed this as a significant new revenue source - - my speculation. It is one thing to raise money to cover efforts, but the pay to play aspect is another. First, why did they need all that money? They have not hired a team to write test specs; they are relying on volunteers from member companies. If I’m a member seeing year two dues coming up I’m asking some hard questions.

Also, how would it be viewed if Mu or Wurldtech or Digital Bond or Industrial Defender said everyone contribute non-trivial upfront money to our commercial effort. Not only do we own the IP, but the efforts and results from your benevolent contribution will not be available to the control system community unless they pay up. Admittedly I’m biased as part of a commercial entity, but I’m continually amazed at how non-profit organizations, labs and academia are considered pure when in fact they are equally greedy and ‘commercial’ as everyone else. Nothing wrong with their motives but the illusion of purity . . .

The Four Horsemen of CLeopatra's Barge [Jeff Jones Security Blog]

Posted: 07 Aug 2008 03:36 PM CDT

hoff-4horsemen

One of the more interesting session I went to yesterday was a talk by Chris Hoff called "The Four Horsemen of the Virtualization Apocalypse."  (If you've never read Hoff's blog, you should check it out at http://rationalsecurity.typepad.com/.)

I thought I was keeping a close eye on security and virtualization issues, but this talk illustrated how wide and varied the topic really is.  This was not about Blue Pill and it wasn't about having security monitors in the hypervisor - instead he focused on how virtualizing physical devices (e.g. switches, systems) will cause lots of problems for security architects and administrators.

Briefly, here are the four horsemen:

  • Conquest - Translating your physical capacity planning implementation to virtual devices probably won't work.
  • Death - Virtualized networks lack several physical attributes assumed by security applications and high-availability devices today - you'll probably have to re-architect it all to get the same functionality, which might not even be possible in your new virtual world
  • War - Adding security VAs takes away precious resources that could have been used to dynamically add VMs.  It is a war of resources.
  • Famine - With all of the redesigning and accommodation happening, security costs are going to eat into any savings you make on server consolidation.

Now, if you want to read the much more thorough version, see Hoff's original post here.

 

Okay, how does this all relate to the title of my post?  Not much.  However, much later on day one, things really started rolling.

After being crowded out of the Shadow Bar, a bunch of us ended up over at Casa Fuente (A cigar bar in Caesars forum).  Five minutes after arriving, someone spilled a drink in my lap, big fun!  It turns out that it was Stepto's birthday, and Hoff makes sure everyone has a drink and we all sing happy birthday to Stepto.  Check out part of it, courtesy of Jack Daniel:

Immediately after the toast, Jennifer Jabbusch knocks over a table, falls to the floor and begins having a seizure. Stepto rushes over, trying to help, and just about that time, she flips over and starts laughing - total fakeout! Everybody bursts out laughing.

Shortly after that, they closed for the night and kicked us out and we all headed over to Cleopatra's Barge. There weren't enough seats or tables for us, but I noticed that the "reserved" barge seating was empty. Drawing upon a clever technique (i.e. sometimes called "asking") I social engineered a waitress into letting us have the reserved area. Within mere minutes, several security geeks are on the dance floor, doing us proud.

hoff-cleopatra2

This leads me to the Four Horsemen of Cleopatra's Barge.  (Though I was out there too, I am excluding myself since simply because I can.)

  • JJ, for leadership
  • Hoff, who owned the dance floor.
  • Ryan Naraine, for getting low, low, low
  • David, for letting his hair down.

Though our collective dancing does not signal the end of the world, it certainly capped an excellent day

The future of mass card theft (and PCI) [Security Balance]

Posted: 07 Aug 2008 01:16 PM CDT

The indictment of 11 people on a mass card theft is all over the news this week. I’ve seen reports about software developed to steal cards, war driving and other stuff that I really don’t know if it’s just bad press or actual facts. There are some good info here and here.

Of course PCI will be brought into the middle of the discussion about the methods used by the group. It seems that the attacks happened a long time ago (2003), but it’s interesting to look into the story with the eyes of the standard. Like, why was so easy to these guys to go into the card data environment (CDE)? PCI has very specific rules about wireless networks, what I’m almost sure that those companies were not following. Besides that, it seems that all that information was being transmitted without proper encryption.

An interesting aspect of the attacks is that they used tools developed specifically to steal card data. In the same way that there are tools being designed to identify sensitive data in order to protect it (DLP tools, e-discovery stuff), tools designed to steal that data will also be developed. I was reading on Hay’s blog today about the Coreflood Trojan. Criminals developed a trojan and deployed that in a clever way to avoid being detected. They used a strategy that we have been using on “penetration tests” for years, to leverage access to a workstation and wait for an domain administrator to log in there to steal his passwords (and the keys to the kingdom). The results? According to Joe Stewart from SecureWorks, “. ”

So, we can see that criminals have leveraged the ability to go into large corporate networks with high privileged access rights. They also know what information they need to get, and the technology to look for that is improving everyday. It’s not hard to play the oracle and say that in a near future we will witness some huge scams performed by very organized criminal groups. Welcome to the future.

Clear® Registered Traveler Laptop Found [Infosecurity.US]

Posted: 07 Aug 2008 12:20 PM CDT

August 5th brought news of the CRTLD or the Clear® Registered Traveler Laptop Debacle (our new internal acronymical codename for Information Security Incompetence). Evidently, from reports, the machine under discussion, was found in the same office it had been reported missing from…..

Playing tonight at your local Cineplex Security Theatre, on the Main Screen - “Registered Travelers Increase Security, The Movie”, and on Screen Two - “How Losing A Laptop With Registered Traveler Enrollees’ User Information is of No Real Concern (Subtitle: It would take Two Passwords To Get To The Data….) - The Epic Fail, both films starring the staff of Verified Identity Pass, Inc.

Black Hat 2008 Day 1: We're Screwed! [Security Incite Rants]

Posted: 07 Aug 2008 11:39 AM CDT

Day 1 of Black Hat 2008 is in the books. It's great to see a lot of old friends, and it seems this year (more than the last two) many of the folks I'm talking to are more focused on the networking than on the session. Not me. I'm still fired up about seeing really smart guys discuss what they are up to and give me a lot of food for thought about how we need to continue protecting ourselves.

I ended up hitting almost all the sessions I wanted to, so let me go through some quick observations.

  •  Keynote: Ian Angell, Professor London School of Economics - Professor Angell is a pretty engaging character and I enjoy his systematic skewering of the common knowledge about risk and what we can really control. Which is basically nothing.
  • Bad Sushi: Nitesh Dhanjani and Billy Rios - As mentioned on Tuesday, I was looking forward to this session and it was a lot of fun. Especially when they pulled the RickRolling prank on the phishers and to see how many of them fell for it was great. Sometimes it's nice to strike back, although it doesn't have much of an impact on how we do things.
  • Kaminsky's DNS talk: It was packed. I mean PACKED. And Dan delivered the goods. The thing that resonated the most is how dependent we are on DNS for pretty much everything, and if DNS is not trustworthy, we've got a real problem. Lots of innovative ways to comprise stuff assuming the bad guys own DNS and plenty of other goodies. I have some larger thoughts about the DNS topic, which I'll write up for Monday, but the only conclusion you can really draw is that we're screwed. But isn't that what Black Hat is all about? Giving security folks that uneasy feeling of not being able to keep up with all the attacks?
  • Hoff's Four Horseman: The Hoff delivered the goods as well. First of all, the slides were very pretty. You should check them out. But aside from the aesthetic beauty of the content, Chris really put into question a lot of the assumptions many folks are making about securing the virtualization layer. Rich did a good write-up of Hoff's pitch and other Black Hat topics.
  • Network Monitoring, Bruce Potter: I hadn't seen Bruce speak before and it was very entertaining. But most interesting was the very compelling case he made for why you need to monitor your networks using something like Netflow. He also talked a bit about a new open source tool called Psyche that his team is releasing and it looks pretty cool. It's nice to see the idea of network monitoring being discussed on the big stage. Of course, there are folks like Bejtlich that have been beating that drum for years. But given all the other stuff we're seeing at the show this week (basically we're screwed), the idea of figuring out everything isn't going to happen. So we need to REACT FASTER and monitoring is the way to do that.

The Mogull and I recorded a quick podcast yesterday as well. We talk about Kaminsky and Hoff's pitches and come the conclusion that basically we're screwed. You can check it out at the Network Security Podcast site.

Before I head off to Day 2, I have to relay my latest Vegas star sighting. To wrap up the night Shimmy, Mitchell, Adrian Lane and I are catching a little late night breakfast at Caesars. Sitting right next to us is Jeff Dye, one of the finalists on this season's Last Comic Standing. You all know what big fans of comedy the Boss and I are, so it was great to see him in person. He's a very nice guy and he really is that pretty. They are announcing the winner of the show tonight, so I told Jeff we'd be pulling for him.

Only in Vegas...

BlackHat: Kaminsky’s Grandmother Bakes Session Cookies [Infosecurity.US]

Posted: 07 Aug 2008 10:44 AM CDT

In one of the more heartwarming stories emerging from BlackHat 2008 is Kim Zetters’s quick post at Wired’s ThreatLevel blog. During Dan Kaminsky’s SRO presentation on his recently discovered DNS flaw, his grandmother baked cookies for attendees.He affectionately labels the confections as ‘session cookies‘.

The world would be a better place if everyone had a grandma like Dan’s.

No comments: