Security

Week 5 in Review – 2012

Security Bloggers Network - 1 hour 18 min ago

Event Related

  • ShmooCon 2012 Updates, Videos, Slides and Presentation
    • Five Ways We’re Killing Our Own Privacy – scribd.com/doc
      Slides from ShmooCon and Firetalks Presentation
    • Attacking Prox Card Systems – opensecurityresearch.com
      Slides and Code from Brad Antoniewicz’s awesome talk on Attacking Prox Card Systems
    • Shmoocon 2012 – tombom.co.uk
      In the absence of an “official” download link for these so far (although I’m sure they’ll be up on the Shmoocon page soon enough), my slides from Shmoocon this year. Seems it got a little press coverage and a whole bunch of attention on Twitter, so I figured I should get these out ASAP.
    • RFCAT released! – atlas.r4780y.com
      I should probably post *new* slides here within a week. Subscribe to the rss feed to be notified when I post them. I’m going to see if I can’t nail down a few more details that were bugging me on the demo’s, and actually talk to the insulin pump.
    • Changes to Apple MDM for iOS 5.x – intrepidusgroup.com
      I presented an updated talk on Apple’s iOS MDM system at ShmooCon 8. I had a great time, and really enjoyed all the questions and nice comments I received afterwards. I thought I’d mention a couple of the changes that iOS 5 provide.
    • ShmooCon 2012 FireTalks – Update 7 (Videos from Friday) – novainfosecportal.com
      This post is dedicated to the talks on Friday night. Thanks to Bulb Security and IronGeek for recording and processing the videos so fast!
    • Georgia Weidman’s videos – vimeo.com
    • Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets – forbes.com
      Pull out your credit card and flip it over. If the back is marked with the words “PayPass,” “Blink,” that triangle of nested arcs that serves as the universal symbol for wireless data or a few other obscure icons, Kristin Paget says it’s vulnerable to an uber-stealthy form of pickpocketing.
  • Education and Information Sharing Top Priority at 2012 DoD Cyber Crime Conference – blog.mandiant.com
    This was my first time heading to the DoD Cyber Crime Conference in Atlanta. The DoD Cyber Crime Center (DC3) hosts the conference every year. DC3 first started as a resource for DoD and Law Enforcement and has grown over the years to include many different organizations that work together to combat Cyber Crime.

Resources

  • DatabaseAndroidMalwares – code.google.com
  • {book review} The Tangled Web – blog.c22.cc
    The Tangled Web is split into 3 parts, starting off with a concise walk-through of the underlying technologies of the web. Unlike so many other books that take for granted that the reader is already up to par on the backstory, Zalewski takes the time to really dig deep into the tools, protocols and RFCs that run the modern web.
  • (IN)SECURE Magazine Issue #33 Released – net-security.org
    (IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics.

Tools

  • Keychain Dumper Updated for iOS 5 – labs.neohapsis.com
    I’ve received a few issue submissions on github regarding various issues people have had getting Keychain Dumper to work on iOS 5. I meant to look into it earlier, but I was not able to dedicate any time until this week. Besides a small update to the Makefile to make it compatible with the latest SDK, the core issue seemed to have something to do with code signing.
  • An Update on Android.Counterclank – symantec.com
    Last week, we posted a blog informing Android users of the discovery of new versions of Android.Tonclank, which we have named Android.Counterclank. The blog generated a bit of discussion over whether these new versions should be a concern to Android users.
  • UPDATE: inSSIDer v2.1.0.1379! – metageek.net
    inSSIDer is an award-winning free, open-source Wi-Fi network scanner for Windows Vista and Windows XP. Because NetStumbler doesn’t work well with Vista and 64-bit XP, the authors built an open-source Wi-Fi network scanner designed for the current generation of Windows operating systems.
  • Passware claims FileVault 2 can be cracked in under an hour, sells you the software to prove it – engadget.com
    Lunch hours may never feel safe again. That is, if you have a Mac running Lion / FileVault 2, like leaving your computer around, or have unscrupulous colleagues. Data recovery firm Passware claims its “Forensic” edition software can decrypt files protected by FileVault 2 in just 40 minutes — whether it’s “letmein” or “H4x0rl8t0rK1tt3h” you chose to stand in its way.

Techniques

  • Windows Loader and ASLR on Binaries – marcoramilli.blogspot.com
    Summing up for newer readers, Windows Loader looks for a specific FLAG into the PE Header. In the PE Header, specifically in the IMAGE_OPTIONAL_HEADER section there is a flag called DLL Characteristics that defines many features for the executable during its loading time, 1 of them being ASLR.
  • x64 Windows Shellcode – blog.didierstevens.com
    Last year I found great x64 shellcode for Windows on McDermott’s site. Not only is it dynamic (lookup API addresses), but it even handles forwarded functions.
  • Ubertooth: Bluetooth Address Breakdown – intrepidusgroup.com
    The IG crew is just heading back from ShmooCon, which reminds me of last year’s awesome talk on the Ubertooth One. Intrepidus backed the kickstarter project and, as promised, got 2 Ubertooths. We recently started playing with it, and have a couple of tips and a supplementary script.

Vendor/Software Patches

  • Android and Security – googlemobile.blogspot.com
    The last year has been a phenomenal one for the Android ecosystem. Device activations grew 250% year-on-year, and the total number of app downloads from Android Market topped 11 billion. As the platform continues to grow, we’re focused on bringing you the best new features and innovations – including in security.

Vulnerabilities

Other News

  • US officials say cyber crimes will overtake terrorism as top threat – slashgear.com
    Just as authentication service VeriSign admitted it has been hit by very strong hacking attacks a couple years ago, US officials have revealed that computer crimes will be more of a threat to the country than terrorism. VeriSign is an example of how cyber attacks can affect tens of millions of civilians, but government offices are also the target of malicious hackers.
  • Verisign hacked, data stolen – scmagazine.com.au
    Verisign has admitted it was hacked repeatedly in 2010 and could not pin down what data was stolen.
  • Half of Fortune 500 firms infected with DNS Changer – computerworld.com
    Half of all Fortune 500 companies and major U.S. government agencies own computers infected with the “DNS Changer” malware that redirects users to fake websites and puts organizations at risk of information theft, a security company said today.



Category: Security

The Big Data Era

Security Bloggers Network - 2 hours 3 min ago
Read a great opinion piece last week in the Wall Street Journal that talks about how we “stand on the cusp of three grand technological transformations with the potential to rival that of the past century.”  If you haven’t read Mark Mills and Julio Ottino: The Coming Tech-led Boom – WSJ.com it compares the potential [...]


Category: Security

Hacking Satellite Communications

Infosec Island - 2 hours 4 min ago

(Translated from the original Italian)

One more thing to worry about is the real security of satellite infrastructures.

In a technological civilization, satellites play a vital role in the management and transmission of information of all kinds. Satellites silently do work that we benefit from every day, yet we often forget this crucial part of our communications.

Are these powerful communication systems actually safe? Is being in orbit thousands of miles above our heads enough to ward off the danger of an attack? When using satellites, are we sure that nobody could listen in on our communications?

Of course not! The main concern is the possibility of those satellite communications being compromised in the context of warfare.

Consider that satellite communications are widely used in military applications, particularly in regions where other communication infrastructures are insufficient or absent, such as the Middle East and Africa.

Security researchers have demonstrated that satellite phones can be easily intercepted and deciphered.

It is concerning enough that any ordinary computer can be used to break the two encryption systems that protect satellite phone signals; anyone with a computer and a radio could conceivably eavesdrop on calls, and a multitude of satellite phones are vulnerable.

According to the researchers' announcement, a few thousand dollars buys the equipment and software needed to intercept and decrypt the satellite phone calls of hundreds of thousands of users.

The academics have summarized the threat in a single sentence: "Do not Trust Satellite Phones".

The two main standard encryption algorithms that have been compromised are known as GMR-1 and GMR-2, which are implemented by the satellite phone operators. The problem really affects only those companies that use the ETSI GMR-1 and GMR-2 encryption algorithms.

The speed at which a call can be deciphered depends on the computing power applied, but keep in mind that with suitable equipment the communications can be deciphered in real time.

The researchers are convinced that the main problem lies in the encryption algorithms themselves and in the "security through obscurity" approach behind them: relying on secrecy of design and implementation to provide security, which keeps the security community from testing them.

In publishing a proof-of-concept of the attack, the researchers hoped to prompt ETSI to set new standards based on stronger encryption algorithms.

As GSM communications showed in the past, hiding the algorithms used to encrypt communications is certainly the wrong approach and represents a risk to the integrity of the overall infrastructure.

Due to this incorrect approach to managing the algorithms, many organizations have implemented extra layers of cipher software in their satellite phones, with the unintended result of increasing their vulnerability.

A consequence of the announcement is that satellite handsets with built-in encryption mechanisms based on the broken algorithms are no longer secure, which could pose a considerable threat to the business and military sectors. Hostile governments and criminals are now able to monitor satellite phone networks on a large scale.

If the situation regarding satellite encryption algorithms is worrying, certainly the security of the satellites themselves is not any better.

A report released in 2011, titled the "2011 Report to Congress of the U.S.-China Economic and Security Review Commission", revealed that some US-operated satellites were vulnerable to attacks, and that on more than one occasion attackers had taken control of the systems.

Sensitive satellite systems have been successfully breached, according to the report:

"Satellites from several U.S. government space programs utilize commercially operated satellite ground stations outside the United States, some of which rely on the public Internet for 'data access and file transfers,' according to a 2008 National Aeronautics and Space Administration quarterly report. The use of the Internet to perform certain communications functions presents potential opportunities for malicious actors to gain access to restricted networks."

Information regarding several attacks on satellite control systems is in the public domain, and these events have also been confirmed by the National Aeronautics and Space Administration (NASA).

Below is a brief list of events:

  • On October 20, 2007, Landsat-7, a U.S. earth observation satellite jointly managed by the National Aeronautics and Space Administration and the U.S. Geological Survey, experienced 12 or more minutes of interference.
  • On June 20, 2008, Terra EOS [earth observation system] AM–1, a National Aeronautics and Space Administration-managed program for earth observation, experienced two or more minutes of interference. The responsible party achieved all steps required to command the satellite but did not issue commands.
  • On July 23, 2008, Landsat-7 experienced 12 or more minutes of interference. The responsible party did not achieve all steps required to command the satellite.
  • On October 22, 2008, Terra EOS AM–1 experienced nine or more minutes of interference. The responsible party achieved all steps required to command the satellite but did not issue commands.

In the report, responsibility for the attacks was assigned to China, but similar hacks could be conducted by any hostile foreign government. We must consider that compromised satellites are a serious risk: the exposure could affect communications in the business and military sectors, and could also cause the loss of sensitive and strategic technological information.

My last consideration concerns the sources of threats to satellite systems. We make the mistake of considering only foreign governments as possible sources of attacks.

The proof that this view is wrong arrived in recent weeks, when the group Anonymous announced that it had successfully hacked a NASA satellite. The group has also published on Pastebin evidence of its knowledge of a NASA project.

Clearly the situation merits a high level of attention given the looming threat.

Cross-posted from Security Affairs

Copyright 2010 Respective Author at Infosec Island
Category: Security

Twitter Weekly Updates for 2012-02-06

Security Bloggers Network - 2 hours 11 min ago
  • Have you noticed that all the people who say "bring back national service" are too old to be affected ? #
  • ref previous RT "Data Breach Known Records Disclosed Passes 1 Billion Mark" http://t.co/KHWr8wT1 – how long to 2 billion ? #
  • and this is why, whilst I may create a BYoD policy I will not partake myself http://t.co/enMe6vrO via @BrianHonan #
  • lets be honest is it really that bad to carry 2 devices ? keeping work and personal separate is not a bad thing. #BYOD #
  • Let me know if you are going to the #whitehatsball this year, be good to put a name to a twitter handle. #
  • looks like the #snow is messing up flights out of #schipol today http://t.co/34sF0xRB #delay #delay #delay #
  • just spotted someone with a 6310i.. he pointed out that he charges it once a week. Can we get #nokia to release a special heritage edition #
  • thanks for the #FF and I have to say mine is the same this week @BrianHonan @stephenbonner @neirajones @J4vv4D + @jameslyne in reply to BrianHonan #
  • remember that tomorrow is International Save #Pluto day, end this injustice restore #Pluto's status as a #planet http://t.co/1uijKKab #
  • is anyone going to go for the new ECcouncil #CISO cert https://t.co/Az0BiHs8 – "the Industry’s Most Respected IS Executive Recognition" ? #
  • Given the recent snow in the uk, i am amazed that there havent been more snow related phishing scams #
  • dataprotection "implemented in different ways ..different member states ..disrupts the single market" via @PogoWasRight http://t.co/PfvwkOwI #
  • ref previous tweet, I almost don't care what is in the new #dataprotection #law, as long as it is consistent country to country #
  • #infosec12 registration now open https://t.co/1rYQr96g #Canon will be there with an even larger stand – see you there ? #


Category: Security


MindshaRE: IDAception

Security Bloggers Network - 2 hours 18 min ago
Posted by Aaron Portnoy




If you've ever tried collaborating with other people while reverse engineering a vulnerability your process probably includes some tedious steps, like transferring:
  1. Your IDB
  2. Your notes/readme files
  3. Virtual machines
  4. Proof of concept files
  5. IDAPython scripts
  6. PCAPs
  7. ...
After doing this several hundred times, we came up with a little solution we thought you might all find useful.

We leverage the structures within an executable and IDA's support for interacting with them in order to create a pseudo-filesystem within IDA. The idea is that there is a lot of address space within any given module in IDA. For example, in this screenshot from USP10.dll we can see there are 7 segments defined:




The lowest defined address within a segment is 0x7638000 and the highest is 0x76408000. That means there is free room from 0x0 through 0x7638000 (0x7638000 bytes) and from 0x76408000 to 0xFFFFFFFF (0x89bf7fff bytes) for a total of 0x9122ffff bytes. That's over 2GB, plenty of room to store some data of our own...

So, the idea is to make a new segment (or multiple) to contain arbitrary data of ours. To do this intelligently, we need some way of organizing it so that we can easily rename, resize, move, extract, and insert data. Sounds like we need a filesystem...but, we're lazy (efficient, I mean) and so we can leverage existing code to do this for us (and save space at the same time).

Enter Python's zipfile module. A zipped file is essentially a filesystem, complete with support for directory structure. Additionally, compression comes for free, thus saving us some disk space. Here we've added our segment:




Now that you all get the idea, let's get into the code. We define an FS class for manipulating the file system:

from StringIO import StringIO
from zipfile import ZipFile
import idaapi
import idautils
import idc
import segment  # the post's own segment.py: alloc() below and getSegsInfo(), which returns (name, start, end) tuples

class FS:
    ''' File system object - default size of ~2MB '''
    def __init__(self, segname=".zip", size=0x200000):
        self.segname = segname
        self.size = size
        # in-memory copy of the zip image; the IDA segment is the backing store
        self.memhandle = StringIO()
        done = False
        # (name, start, end)
        segs = segment.getSegsInfo()
        for s in segs:
            # if our segment is already present, use it
            if segname == s[0]:
                print "[*] fs.py: found an existing segment."
                # start address
                self.addr = s[1]
                # the EOF is the first 4 bytes
                # seek to the actual data
                ea = self.addr + 4
                flags = idc.GetFlags(ea)
                # get the data
                bytes = ""
                while flags != 0:
                    bytes += chr(idc.Byte(ea))
                    ea += 1
                    flags = idc.GetFlags(ea)
                self.memhandle.write(bytes)
                self.memhandle.seek(0)
                # save the new size
                self.EOF = len(bytes)
                self.save_eof()
                done = True
                break
        # otherwise, make a new one
        if done == False:
            print "[*] fs.py: making a new segment."
            self.addr = segment.alloc(self.size, segname)
            self.EOF = 0
            self.save_eof()
            # an empty archive so that later store() calls can open it in append mode
            zipfs = ZipFile(self.memhandle, mode='w')
            zipfs.close()
            self.memhandle.seek(0)

We use a StringIO object so that we never need to touch the disk outside of IDA to create our zip file. Also, you'll notice that each segment we create has a 4 byte size at its start so that we can easily grab the appropriate amount of data out of it when reading files.

The code that actually creates the segment is here, in our segment.py:

import idaapi
import idc

def alloc(size, name):
    ''' Allocates a segment of the given size. '''
    # first lets get the last segment in this binary
    last_seg_end = idaapi.get_last_seg().endEA
    # and the first
    first_seg_start = idaapi.get_first_seg().startEA
    # now see how many bytes we have from there to 0xFFFFFFFF
    bytes_high = 0xFFFFFFFF - last_seg_end
    # now see how many bytes we have
    # from 0x0 to the first segments start
    bytes_low = first_seg_start
    # check where we have more room
    if bytes_high > bytes_low:
        print "[*] segment.py: there is room above current segments"
        # leave a gap after the last segment and round down to a 64KB boundary
        new_seg_start = last_seg_end + 0x10000
        new_seg_start = new_seg_start & 0xFFFF0000
    else:
        print "[*] segment.py: there is room below current segments"
        new_seg_start = 0 + 0x1000
    # SegCreate(startea, endea, base, use32, align, comb)
    idc.SegCreate(new_seg_start, new_seg_start+size, 0, True, 3, 2)
    idc.SegRename(new_seg_start, name)
    return new_seg_start

Of course, the above code is useless without the methods of the FS object for storing and reading data:

    # remaining methods of the FS class above

    def get_current_size(self):
        ''' Returns the amount of bytes currently stored in the fs segment '''
        size = 0
        ea = self.addr
        flags = idc.GetFlags(ea)
        while flags != 0:
            size = size + 1
            ea = ea + 1
            flags = idc.GetFlags(ea)
        return size

    def store(self, k, v):
        ''' Stores a file (named k) with value (v) in the segment. Directory paths are allowed. '''
        zipfs = ZipFile(self.memhandle, mode='a')
        current_size = self.get_current_size()
        len_data = len(v)
        total_size = current_size + len_data
        # need to check if our current segment can contain total_size
        our_seg = idc.SegByName(self.segname)
        # this is because IDA doesnt delete segments properly
        segs = list(idautils.Segments())
        for s in segs:
            name = idc.SegName(s)
            if name == self.segname:
                our_seg = s
                break
        if our_seg == idc.BADADDR:
            raise SyntaxError("[!] Hrm, segment is BADADDR")
        our_seg_size = idc.SegEnd(our_seg) - idc.SegStart(our_seg)
        if total_size > our_seg_size:
            # we need to resize our segment
            # XXX: segment.realloc left as an exercise to the reader
            zipfs.close()  # nothing was written, so this leaves the archive untouched
            return False
        zipfs.writestr(k, v)
        zipfs.close()
        self.memhandle.seek(0)
        self.commit()
        return True

    def load(self, k):
        ''' Retrieves the contents of a file (named k) from the segment file system. '''
        try:
            zipfs = ZipFile(self.memhandle, mode='r')
        except:
            return False
        try:
            zfile = zipfs.open(k)
            res = zfile.read()
        except KeyError:
            print "[!] File with name '%s' does not exist in the keystore." % k
            return False
        self.memhandle.seek(0)
        return res

    def save_eof(self):
        # the 4-byte length prefix at the start of the segment
        ea = self.addr
        idaapi.patch_long(ea, self.EOF)
        return

    def commit(self):
        ''' Commits any changes made to the in-memory buffer to the segment. This is automatically invoked on any store() or delete() operation. '''
        bytes = self.memhandle.read()
        self.memhandle.seek(0)
        ea = self.addr
        # write the EOF
        self.EOF = len(bytes)
        self.save_eof()
        ea = ea+4
        for byte in bytes:
            idaapi.patch_byte(ea, ord(byte))
            ea = ea + 1

Example usage:

Python>reload(fs)
Python>filesystem = fs.FS()
[*] fs.py: didn't find an existing segment, making a new one.
[*] segment.py: there is room above current segments
7. Creating a new segment (76410000-76610000) ... ... OK
Python>filesystem.store("my_filename", "A"*200)
True
Python>fh = open(r"C:\Windows\system32\ntdll.dll", 'rb')
Python>ntdll = fh.read()
Python>fh.close()
Python>filesystem.store("ntdll.dll", ntdll)
True
Python>filesystem.list_files()
['my_filename', 'ntdll.dll']
Python>afile = filesystem.load("my_filename")
Python>print afile[0:10]
AAAAAAAAAA
Python>print len(afile)
200
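The mechanism above (a zip archive kept in a memory buffer, a 4-byte length prefix at the start of the segment, commit()/reload round trips, and alloc()'s choice of where to place the segment) can be exercised without IDA. What follows is an added example written for this page, not code from the post or from its fs.py/segment.py: it stands in for the IDA segment with a constructed bytearray and reproduces the same layout in Python 3. Segment, SegmentFS and choose_segment_start are names introduced here; the fit check done after a trial write and the bounds checks in choose_segment_start are additions that the excerpt above leaves out.

```python
import io
import struct
import zipfile

MAX_ADDR = 0xFFFFFFFF
SEG_ALIGN = 0x10000  # the post rounds the new segment start down to a 64 KB boundary


def choose_segment_start(first_seg_start, last_seg_end, size, align=SEG_ALIGN):
    """Placement rule from the post's segment.alloc(): put the new segment where
    there is more free address space, above the last segment or below the first.
    The bounds checks are an addition of this example."""
    bytes_high = MAX_ADDR - last_seg_end
    bytes_low = first_seg_start
    if bytes_high > bytes_low:
        start = (last_seg_end + align) & ~(align - 1)
        if start + size > MAX_ADDR + 1:
            raise ValueError("not enough room above the last segment")
    else:
        start = 0x1000
        if start + size > first_seg_start:
            raise ValueError("not enough room below the first segment")
    return start


class Segment:
    """Constructed stand-in for an IDA segment: a fixed-size, zero-filled byte range."""
    def __init__(self, start, size):
        self.start = start
        self.data = bytearray(size)


class SegmentFS:
    """A zip archive kept in memory and mirrored into a segment, with the archive
    length stored as a 4-byte little-endian prefix (the post's EOF field)."""
    HEADER = 4

    def __init__(self, seg):
        self.seg = seg
        length = struct.unpack_from("<I", seg.data, 0)[0]
        if length == 0:
            # fresh segment: create an empty archive and write it out
            self.buf = io.BytesIO()
            with zipfile.ZipFile(self.buf, mode="w"):
                pass
            self.commit()
        else:
            # existing segment: reload exactly `length` bytes after the prefix
            self.buf = io.BytesIO(bytes(seg.data[self.HEADER:self.HEADER + length]))

    def capacity(self):
        return len(self.seg.data) - self.HEADER

    def store(self, name, payload):
        # Append to a scratch copy first: the compressed size is only known after
        # writing, so the fit check is made on the result (the post compares the
        # uncompressed size before writing).
        trial = io.BytesIO(self.buf.getvalue())
        with zipfile.ZipFile(trial, mode="a", compression=zipfile.ZIP_DEFLATED) as z:
            z.writestr(name, payload)
        if len(trial.getvalue()) > self.capacity():
            return False  # would overflow the segment; a realloc would be needed
        self.buf = trial
        self.commit()
        return True

    def load(self, name):
        with zipfile.ZipFile(io.BytesIO(self.buf.getvalue())) as z:
            try:
                return z.read(name)
            except KeyError:
                return None

    def list_files(self):
        with zipfile.ZipFile(io.BytesIO(self.buf.getvalue())) as z:
            return z.namelist()

    def commit(self):
        """Write the length prefix and the archive image into the segment bytes."""
        image = self.buf.getvalue()
        if len(image) > self.capacity():
            raise ValueError("archive larger than segment")
        struct.pack_into("<I", self.seg.data, 0, len(image))
        self.seg.data[self.HEADER:self.HEADER + len(image)] = image


if __name__ == "__main__":
    seg = Segment(choose_segment_start(0x76380000, 0x76408000, 0x200000), 0x200000)
    fs = SegmentFS(seg)
    fs.store("my_filename", b"A" * 200)
    print(hex(seg.start), SegmentFS(seg).list_files(), len(SegmentFS(seg).load("my_filename")))
```

Reopening SegmentFS over the same bytearray exercises the reload path: it reads the length prefix and takes exactly that many bytes, which is why the prefix is needed in the first place (without it the segment's trailing zero padding would be read as part of the archive).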

Additionally, we've written code that will launch a new GUI interface within IDA for browsing, adding, and deleting files to the filesystem:








The basic code for this is here: fs.py and segment.py. We store this code within the C:\USERS\user\AppData\Roaming\Hex-Rays\IDA Pro directory so that it is available by default when launching IDA (just 'import fs').

If you think about what else you can store within an IDB you'll hopefully come to some interesting new ways to improve your process as we have. We plan on demonstrating this code and much more at our upcoming training Bug Hunting and Analysis at CanSecWest this March. Feel free to join us ;)

--
Aaron




Category: Security

Symantec Identifies Polymorphic Android App Malware

Infosec Island - 3 hours 4 min ago

Researchers at Symantec have identified a crafty Trojan targeting Android devices which slightly modifies its code every time the malware is downloaded.

The technique is called server-side polymorphism, and it allows the malware to remain more difficult to detect when examined by traditional signature-based antivirus software defenses.

The technique has been used for years to hide malicious code targeting PCs using the Windows operating system, but has only recently been discovered in malware aimed at infecting mobile devices.

"For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection. We are now seeing this same technique being used for malicious Android applications hosted on Russian websites," Symantec's Security Response blog explains.

Symantec has identified multiple variants of the malware, which is being distributed by Russian-based websites offering Android application downloads.

"We detect all of these variants as Android.Opfake. The sites hosting Opfake include either links or buttons that can be used to download the malicious packages that are purporting to be free versions of popular Android software," Symantec warns.

The malicious code is able to accomplish the "morphing" of its signature in several different ways, one of which is a manual adaptation that researchers believe is a sign that the attacks are being actively administered by the malware authors.

"Opfake performs server-side polymorphism using three techniques: variable data changes, file re-ordering, and insertion of dummy files... The applications morph themselves automatically in a few ways every time the threat is downloaded. In addition, manual modifications are also made every few days indicating that the malware authors are actively maintaining this malware family," the blog continued.

Source: http://www.symantec.com/connect/blogs/server-side-polymorphic-android-applications

Category: Security

The Failure of Two-Factor Authentication

Schneier on Security - 3 hours 30 min ago
In 2005, I wrote an essay called "The Failure of Two-Factor Authentication," where I predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint. This BBC article describes exactly that: After logging in to the bank's real site, account holders are being tricked...
Category: Security

The Password Analysis Red Herring

Security Bloggers Network - 3 hours 37 min ago

Alrighty, this will be a fairly light post (in terms of my own applied analysis)... and, apologies as it's a wee bit behind the curve on various news pieces in the past couple months (I'd intended to write this in early January - oops!;). Please note that this post applies only to user passwords, and it does not apply to system and database passwords maintained within various environments.

Main Thesis: All this password analysis on compromised user password databases is fairly absurd. The breaches themselves are not generally the result of user passwords being compromised. As such, the time spent analyzing these passwords is largely a waste of time because it does not appreciably represent much risk to businesses, especially not to those that were compromised.

If this sounds like a topic I've discussed before, then you're right. I wrote about it about 18 months ago in my post "Password Complexity Is Lame." What got me going on this topic (albeit, back in Dec/Jan) was analysis of the STRATFOR compromise. Much ado was made of the passwords some folks were using (e.g., see this piece), and yet it was just inane mainstream media bologna. As per usual, users were assailed for their password selections, and yet who cares? What harm was really caused?

Rather than fully rehash everything that's been said, let me start out by wading through several of the pieces written...

Raf Los summarized the problem well in his piece "Are weak passwords to blame for your data breach?". It's a simple little diagram, but the fact of the matter is that it's the right fundamental question from a risk analysis perspective.

Rob Graham at Errata Security had a decent post talking about his 3-tier password reuse approach. In particular, in talking about choosing his "first tier" passwords, he puts an emphasis on complexity saying they "...should both be very complex, as well as wholly unrelated to any other accounts." Unfortunately, this is just lame. "Complexity" is a red herring. Ultimately, the two main factors that really matter are 1) requiring a long password (16 chars or greater), and 2) not limiting the character set of the password. Beyond that, everything else will inevitably lead to other problems.

Ultimately, Bill Brenner got to the heart of the matter in his CSO "Salted Hash" blog post, "Passwords are better off dead" when he points out the main problem: that passwords are still the primary form of authentication! Indeed, what all this user password analysis overlooks is the major problem that we lack a truly viable, mainstream(able) alternative to passwords. Until we solve this problem of finding an alternative, we'll continue to have these inane discussions on password strength/complexity.

The New School guys add, in a post titled "New School Approaches to Passwords", saying: "We need to agree that passwords suck when they're not properly cared for, and that caring for them is hard. So we need to assume that passwords will tend to be poor, reused, etc, and develop methods to deal with that. Most of our mechanisms today punish users." Why do we punish users when they're not responsible for the primary defense measures? For that matter, why are we punishing or maligning users for failing to treat information risk that isn't theirs to manage? It doesn't make sense.

The root labs rdist blog made an excellent point in their post "On the evolving security of password schemes", saying: "Password security is a difficult problem, especially with a varied user base. However, most admins focus too much on increasing entropy of user choices and not enough on decreasing the attacker's guess rate and implementing responses to limit their access when they do get a hit." Which is to say: the primary defense methods really have nought to do with "password strength/complexity."

In a different post, The New School folks found an interesting paper around the same time that called into question the related password-management practice of password expiration. In a nutshell, a real study concluded that enforcing password expiration isn't all that useful, and may actually reduce security (or increase risk). That goes along with my post, which reminds us that considering our primary defense mechanisms is probably more important than assessing the individual strength of the passwords themselves.

Lastly, in a separate study (and unrelated to the STRATFOR analysis reports), the Light Blue Touchpaper blog posted an interesting analysis of password brute-force attack patterns that they observed over a 2-week period. As with the paper on password expiration, this actual research was interesting because it observed common attack patterns, and once again highlights a number of key issues. One of the more interesting observations was that some guessing attempts used fairly complex, but specific, strings, with the theory that someone was using a sizable database for guessing (e.g., you can get a database of >2 million passwords that includes the "500,000 most popular passwords").
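The rdist point (lower the attacker's guess rate and respond when they get a hit) and the Light Blue Touchpaper observation of guessing patterns both come down to watching failure rates rather than grading password strength. As an added example, not code from any of the posts quoted here, the Python below parses constructed sshd-style log lines, reports per-source bursts and how many usernames each source tried, and applies a lockout that caps guesses per minute per source and per account. The thresholds and the year supplied to year-less syslog timestamps are assumptions.

```python
"""Spot password-guessing patterns in auth logs and cap the attacker's guess rate.

Added example, not code from the posts quoted above. The log lines are
constructed sshd-style samples (RFC 5737 test addresses); the thresholds and
the year supplied to year-less syslog timestamps are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source sprays several usernames in a 20-second burst;
# a second source is a user who mistypes twice, minutes apart, then logs in.
SAMPLE_LOG = """\
Feb  3 10:00:01 host sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 5000 ssh2
Feb  3 10:00:03 host sshd[101]: Failed password for root from 203.0.113.5 port 5001 ssh2
Feb  3 10:00:06 host sshd[102]: Failed password for invalid user oracle from 203.0.113.5 port 5002 ssh2
Feb  3 10:00:09 host sshd[103]: Failed password for invalid user test from 203.0.113.5 port 5003 ssh2
Feb  3 10:00:12 host sshd[104]: Failed password for root from 203.0.113.5 port 5004 ssh2
Feb  3 10:00:15 host sshd[105]: Failed password for invalid user guest from 203.0.113.5 port 5005 ssh2
Feb  3 10:00:18 host sshd[106]: Failed password for root from 203.0.113.5 port 5006 ssh2
Feb  3 10:00:21 host sshd[107]: Failed password for invalid user admin from 203.0.113.5 port 5007 ssh2
Feb  3 10:00:30 host sshd[108]: Failed password for alice from 198.51.100.7 port 6000 ssh2
Feb  3 10:04:45 host sshd[109]: Failed password for alice from 198.51.100.7 port 6001 ssh2
Feb  3 10:04:50 host sshd[110]: Accepted password for alice from 198.51.100.7 port 6001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failed_logins(text, year=2012):
    """Return (timestamp, user, source_ip) for each failed-login line.

    syslog timestamps carry no year, so one is supplied (assumption).
    Accepted logins and unrelated lines are ignored.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # collapse the padded day field
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def peak_in_window(times, window):
    """Largest number of events that fall inside any sliding window."""
    q, peak = deque(), 0
    for t in sorted(times):
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def guessing_report(events, window=timedelta(seconds=60), max_failures=5,
                    min_distinct_users=3):
    """Per source: burst size and usernames tried; flag dictionary-style guessing.

    A burst of failures, or one source cycling through many account names,
    is the pattern a guessing database produces regardless of what the
    users' passwords look like.
    """
    times, users = defaultdict(list), defaultdict(set)
    for ts, user, ip in events:
        times[ip].append(ts)
        users[ip].add(user)
    peaks = {ip: peak_in_window(t, window) for ip, t in times.items()}
    distinct = {ip: len(u) for ip, u in users.items()}
    flagged = sorted(ip for ip in times
                     if peaks[ip] >= max_failures or distinct[ip] >= min_distinct_users)
    return {"peak_failures": peaks, "distinct_users": distinct,
            "flagged_sources": flagged}


class GuessRateLimiter:
    """Lock a key (source address or account) after max_failures inside window.

    This is the response the rdist post asks for: the lockout bounds how many
    guesses per unit time an attacker gets, whatever the password's entropy.
    """

    def __init__(self, max_failures=5, window=timedelta(seconds=60),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def record_failure(self, key, now):
        """Register a failed attempt; return True if this one triggers a lockout."""
        q = self._failures[key]
        q.append(now)
        while now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()
            return True
        return False


def replay(events, limiter=None):
    """Feed failures through the limiter; return the (time, key) lockouts it raised."""
    limiter = limiter or GuessRateLimiter()
    locks = []
    for ts, user, ip in events:
        keys = (("ip", ip), ("user", user))
        if any(limiter.is_locked(k, ts) for k in keys):
            continue  # rejected before the password is checked: no progress for the guesser
        for k in keys:
            if limiter.record_failure(k, ts):
                locks.append((ts, k))
    return locks


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    print(guessing_report(evs))
    print(replay(evs))
```

On the sample, the spraying source is flagged on both counts (an 8-failure burst and five distinct usernames) and is locked out after its fifth failure, so the later three guesses never reach the password check; the user who mistyped twice, minutes apart, is never locked, because the window has slid past the first failure by the time the second arrives.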

Wrap-Up

A few quick take-away points:
* Password strength/complexity is a red herring. Length and a large available character set are typically the only important attributes.
* The primary defensive measures against password brute-force attacks typically have little, if anything, to do with password strength/complexity.
* Analysis of user passwords is a red herring. Those passwords almost universally have nothing to do with the cause of the compromise.
* Even seemingly mundane and ok practices like password expiration can be detrimental.
* Password reuse may be problematic unless using a tiered approach aligned by your own personal risk tolerances.

I only expect the data to continue building that supports these conclusions. Now, if we could just find a viable, universal replacement for passwords...


Category: Security

SBN Sponsor Post

Security Bloggers Network - 3 hours 53 min ago


Get a sneak peek into RSA Conference 2012 with podcasts from industry experts and speakers. http://bit.ly/fmaLXU


Category: Security

The FBI and Scotland Yard vs. Anonymous: Security Lessons

Circleid - Security - 3 hours 54 min ago

A lot of people are fascinated by the news story that Anonymous managed to listen to a conference call between the FBI and Scotland Yard. Some of the interest is due to marvel that two such sophisticated organizations could be had, some is due to schadenfreude, and some is probably despair: if the bad guys can get at these folks, is anyone safe? To me, though, the interesting things are the lessons we can learn about what's wrong with security. Many of the failures that led to this incident are endemic in today's world, and much of the advice we're given on what to do is simply wrong or arguably even harmful.

The first issue is how Anonymous managed to record the call. The ways we'd see it done in a movie — tapping a phone line or listening to a law enforcement official's cell phone — are comparatively difficult to do. They're not impossible, but they're not the easy way for a task like this. Rather, what appears to have happened is what most outside security experts immediately suspected: Anonymous read an email giving the details of the call, and simply dialed in, in the same way as the intended participants. The message was sent to "more than three dozen people at the bureau, Scotland Yard, and agencies in France, Germany, Ireland, the Netherlands and Sweden;" a single security flaw anywhere along the chain could have resulted in the leak.

Here we see the first flaw: the call details were, effectively, a shared credential. It is quite probable that the conference call moderator had no idea who had dialed in. We see the same phenomenon with role accounts: many people share the password for the login, email access, etc. It may happen in the large — postmaster@example.com — it may happen when a vacationing executive gives a secretary the password to his or her email account; it may happen when spouses or romantic partners share passwords. Whatever the reason, it creates a security risk.

Reading further into the article, we see that "One recipient, a foreign police official, evidently forwarded the notification to a private account". At that point, it's tempting to blame that official, say he or she was poorly trained or disobedient, and stop worrying. Apart from the self-evident fact that a single security lapse shouldn't compromise everything (a proposition easier to state than to make happen), I strongly suspect that this unnamed official was behaving very rationally: he or she either wanted email access that was too inconvenient via the proper mail servers, or wanted a different human interface. If this person had no access to work email from home, or felt that, say, gmail was enough better that their productivity was improved, it's not surprising that this would happen. It shouldn't happen — and one would hope that a police official working on cybercrime would understand the risks — but in a strong sense the failing was organizational: if my hypothesis is correct, they may have failed to make it easy for people to do the right thing. Let me stress this: a security mechanism that is so inconvenient that it tempts employees to evade it is worse than useless, it's downright harmful. (Note well: I'm not saying that this official did the right thing; I'm saying that organizational policies or technologies may have led to too much temptation for people who are trying to be more productive.)

But how did Anonymous know which outside email account to monitor? This article notes that assorted groups have made a habit of targeting law enforcement email servers, with some success against less-sophisticated police organizations. That would yield a list of email addresses, and perhaps passwords. Perhaps more importantly, it can show who was using an outside mail server, one that isn't protected by VPNs, firewalls, one-time passwords, and the like. At that point, the attackers have several ways to proceed.

First, they could try this law enforcement email password against the outside mail server. The odds are high that it will succeed; far too many people reuse passwords. And why do they do this? Because they have too many passwords to remember, especially if they're all "strong". And of course, people are forbidden to write them down.

Most of the advice we get on security starts with "pick a strong password". (Look at CERT's advice: the very first thing it tells people to do is "always select and use strong passwords". Patches, a really effective defensive measure, are mentioned fourth.) Strong passwords are not a bad idea, but you're in much more trouble if you reuse passwords. No one can possibly memorize all of the passwords they have; reuse is the usual answer.

A second way in which the attackers could have compromised the official's account is via a spear-phishing message, booby-trapped to install a keystroke logger. That's been seen, though more often in a national security context. If the attackers did this, even encrypting the emails wouldn't have helped; the same malware that stole the login password could probably steal the private key as well. But I'm pretty sure that no encryption was employed; most encryption systems are too hard to use. Smart-card based decryption would have helped (though such things are far less convenient to use); though there are still attacks, they're more involved, and arguably less available to a group like Anonymous.

It's clear that there wasn't a single failure involved; in particular, the crucial mistake of forwarding work email to a personal account was quite plausibly a rational response to organizational policies. Preventing recurrences of this kind of incident will not be easy; there are too many weak spots.

Written by Steven Bellovin, Professor of Computer Science at Columbia University

Category: Security

#HPIO Will Samsung Galaxy Note phablet be a phailure? [for +Esther Schindler]

Security Bloggers Network - 4 hours 19 min ago

[for +Esther Schindler] Will Samsung Galaxy Note phablet be a phailure? - Input Output: The Samsung Galaxy Note will soon be available in the U.S. It's already available in Europe, and is up for pre-order on AT&T. But will this hybrid phone/tablet be a raging success, or embarrass...


Category: Security

How to Encrypt Your Email with PGP

Infosec Island - 4 hours 19 min ago

Pretty Good Privacy (PGP) “is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, E-mails, files, directories and whole disk partitions to increase the security of e-mail communications.”

Say you have a manufacturing plant in China that makes a one-of-a-kind widget, and you have a U.S. patent that you don’t want other companies stealing.

Every so often you must send an email back and forth to your man on the ground in Beijing to update the specs and the ways in which that product is to be created.

You know that if your emails are intercepted that it’s just a matter of time before a cheap knockoff comes on the market and kills your business. So, you better learn how to encrypt email.

This is where PGP email encryption comes in:

#1 There are PGP key generators online and others available in purchased or open source software. To create a PGP key you will plug in your email address and provide a password. Your security vendor can point you in a direction. Or go here to generate a PGP key.

#2 PGP keys are public and private. Your public key is posted to your website or contained in your email. People use this key to send you encrypted emails. The private key is kept private.

My public key looks like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mI0ETt1GvAEEAInk6+FnNbDug/VTJTqladmbymCx3Oh3LT/YQpB1/j8PavNAAhtr
nC5dwhludRTE2bAG28ZcPkK5j8aRZTYTmSpCjUOfwNRaIott0L4SKSgLbkUWDfim
pbEOTLN9eTmStNispjWVdmP099t5SJqsGvkPBhCxLHOCxxPae0037Lb1ABEBAAG0
FnJvYmVydEByb2JlcnRzaWNpbGlhbm+InAQQAQIABgUCTt1GvAAKCRDVXcwnBdX+
k3poA/93D0usqCSemcf0jE8BMUlqIHxdblH7eH4IXngjV+bgfZxeX6pK6BuxMghN
6NaX8VqOHV574MctAnxVkGqqjJH4jALQn+ExoG9YFh004UK46pa4BCoh+xkD72zu
dGm3I3xVjj7g3e7XJ0R7aVDStK1s+7izd00PzbJP9xDI9MqJUA==
=22J2
-----END PGP PUBLIC KEY BLOCK-----

#3 When receiving an encrypted email, you supply your private key (an armored block that looks much like the public key block) together with its password, and the message is decrypted.

Find here a cool free online tool that generates PGP keys for fun and lets you see how PGP email encryption is done.

Caution: I’m not sure of what’s going on in the background of this site so I can’t recommend using this key generator for ongoing secure use.
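The three steps above, done locally with GnuPG rather than a web key generator, as an added example that is not from the original post: the Python below drives the gpg command line (gpg 2.1 or later is assumed to be installed) inside a throwaway keyring directory, so nothing touches your real keys. The identity, passphrase and message are constructed values.

```python
"""Generate a PGP key pair, publish the public key, then encrypt and decrypt.

Added example, not from the original post: it scripts the GnuPG command-line
tool (gpg 2.1+ assumed) inside a temporary GNUPGHOME so the real keyring is
untouched. Identity, passphrase and message are constructed.
"""
import shutil
import subprocess
import tempfile

DEMO_UID = "Demo User <demo@example.com>"           # constructed identity
DEMO_PASSPHRASE = "correct horse battery staple"      # constructed passphrase


def gpg_available():
    """True when a gpg binary is on PATH."""
    return shutil.which("gpg") is not None


def _gpg(home, args, data=None, passphrase=None):
    """Run gpg against an isolated home directory; return its stdout as text."""
    cmd = ["gpg", "--batch", "--yes", "--homedir", home]
    if passphrase is not None:
        # loopback pinentry lets a script supply the passphrase instead of a dialog
        cmd += ["--pinentry-mode", "loopback", "--passphrase", passphrase]
    cmd += args
    res = subprocess.run(cmd, input=data, capture_output=True, text=True, check=True)
    return res.stdout


def generate_key(home, uid, passphrase):
    """Step #1: create a key pair for the e-mail identity, protected by a passphrase."""
    _gpg(home, ["--quick-generate-key", uid, "default", "default", "never"],
         passphrase=passphrase)


def export_public_key(home, uid):
    """Step #2: the armored public key block you post on your site or in mail."""
    return _gpg(home, ["--armor", "--export", uid])


def encrypt_for(home, uid, plaintext):
    """Sender side: encrypt to the recipient's public key; output is ASCII-armored."""
    return _gpg(home, ["--armor", "--trust-model", "always",
                       "--recipient", uid, "--encrypt"], data=plaintext)


def decrypt(home, ciphertext, passphrase):
    """Step #3: unlock the private key with its passphrase and decrypt the message."""
    return _gpg(home, ["--decrypt"], data=ciphertext, passphrase=passphrase)


def round_trip(plaintext="Widget spec revision 7: tolerance 0.05 mm"):
    """Run all three steps in a throwaway keyring.

    Returns (public_key_block, armored_ciphertext, decrypted_text).
    """
    if not gpg_available():
        raise RuntimeError("gpg is not installed")
    home = tempfile.mkdtemp(prefix="pgpdemo-")  # created with mode 0700
    try:
        generate_key(home, DEMO_UID, DEMO_PASSPHRASE)
        public_block = export_public_key(home, DEMO_UID)
        ciphertext = encrypt_for(home, DEMO_UID, plaintext)
        recovered = decrypt(home, ciphertext, DEMO_PASSPHRASE)
    finally:
        # stop the agent gpg started for this home directory, then discard the keys
        subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                       capture_output=True)
        shutil.rmtree(home, ignore_errors=True)
    return public_block, ciphertext, recovered


if __name__ == "__main__":
    pub, ct, pt = round_trip()
    print(pub)
    print(ct)
    print("decrypted:", pt)
```

The exported block begins with the same "-----BEGIN PGP PUBLIC KEY BLOCK-----" header as the one shown above; the encrypted message is an armored block that can only be opened by whoever holds the matching private key and its passphrase, which is why the private key never leaves your own machine.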

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Copyright 2010 Respective Author at Infosec Island
Category: Security

ShmooCon 2012 FireTalks – Update 8 (Videos from Saturday)

Security Bloggers Network - 4 hours 23 min ago

To follow up on Friday’s post about getting a lot of the other awesome ShmooCon Firetalks out there, here is the complete line-up from Saturday night. And if you are interested in seeing all the talks from each night, IronGeek has just put out a post with two longer videos from each evening.

I again wanted to thank The Shmoo Group and our generous sponsors. Lastly, thanks to our awesome volunteers that made this year’s Firetalks the best so far. Thanks!

And finally be sure to check back to the master Firetalks post. It provides the core content as well as quick links to all update blog posts.  Well on to the videos…

“Cracking WiFi Protected Setup For Fun and Profit”

by Craig Heffner

This talk will detail the recently disclosed vulnerability in WiFi Protected Setup which allows wireless attackers to recover plain text WPA/WPA2 pass phrases in just a few hours, as well as my WPS brute force attack tool, Reaver.

“Passive Aggressive Pwnage: Sniffing the Net for Fun & Profit”

by John Sawyer

There has been very little public research into passive fingerprinting over the last few years, and the best and most well-known tool for that (p0f) hasn’t been actively developed in 6 years. While a recent project is using the clever technique of identifying OS’s through DHCP options, it isn’t looking beyond simple OS identification. Why not? If you’ve ever been responsible for IDS monitoring in a large environment, you know there’s a huge amount of juicy data waiting to be snarfed up–interesting information that could be collected passively to identify vulnerable targets in a pen test. Some commercial solutions have these passive vulnerability detection capabilities already, but it’s never trickled down into the free, open source world.

In this presentation, we will look at some of the data that can be gleaned passively, how it can be used for offensive (and defensive) purposes, and announce a new project designed to use existing open source IDS engines (Snort & Suricata) and IDS rules to enhance penetration tests through passive fingerprinting. The project will utilize existing rules from projects like Emerging Threats, develop new rules to address gaps in detection, and give back to the community by contributing newly developed rules back to similar projects. A focus will be on identifying bleeding edge devices, vulnerable applications, and passively gathering sensitive information (SSNs, CCNs, passwords, etc.).

“Resurrecting Ettercap”

by Eric Milam

In December 2011 Ettercap had its first official release in almost 6 years. This talk will discuss how I went from the creation of a simple bash script to taking over one of the world’s most loved penetration testing tools. Topics will include easy-creds, communications with Alor & Naga, and the new team charged with moving the project forward.

“Security Onion: Network Security Monitoring in Minutes”

by Doug Burks

Traditional Intrusion Detection Systems (IDS) can be costly, difficult to install, and may not provide all the capabilities that you need to defend your network. Network Security Monitoring (NSM) combines traditional IDS alerts with additional data to give you a more complete picture of what’s happening on your network. This presentation will demonstrate how to deploy NSM in just a few minutes using a free Linux distro called Security Onion.

“Remotely Exploiting the PHY Layer”

by Travis Goodspeed

Packet-in-Packet injections are a new type of in-band signalling attack, one which allows a packet to be injected into a remote wireless network through the body of any other type of packet. The attacker never needs a radio, and no software or hardware bugs are necessary for the injection to occur. The attack works on perfectly standard-compliant implementations of 802.15.4, 802.11B, and most other wireless protocols.

#####

This will be the final ShmooCon 2012 FireTalks post. It’s been a blast! See ya… Today’s post image is brought to you from Wikipedia.org.


Category: Security

Remote Code Execution in PHP 5.3.9

Security Bloggers Network - 4 hours 29 min ago


Category: Security

Tenable Network Security Podcast Episode 111 – "Detecting pcAnywhere, browser vulnerabilities, & hacking cars"

Security Bloggers Network - 4 hours 29 min ago

Welcome to the Tenable Network Security Podcast Episode 111

Hosts

  • Paul Asadoorian, Product Evangelist
  • Carlos Perez, Lead Vulnerability Researcher
  • Ron Gula, CEO/CTO
  • Jack Daniel, Product Manager


Stories

  • New Drive-By Spam Infects Those Who Open Email -- No Attachment Needed - Yet even more reasons to read all of your email in plain text, the way it was intended. Some email clients give you the option, which I really like, so by default it does not load the message in HTML until you tell it to.
  • Cisco Security Appliances at risk from Telnet bug - This is the same nasty Telnet bug we talked about a couple of weeks ago, and it is now found to be installed on Ironport email appliances from Cisco.
  • Symantec publishes pcAnywhere security recommendations - This is the most bizarre warning from a company I have ever seen: "...it warns against using the remote PC control software at all, since malicious parties could use the source code to identify and exploit security vulnerabilities to compromise PCs that use the program." So wait, if they are hinting towards the fact that their software contains vulnerabilities, why haven't they fixed them? Have they not been looking? Have they not hired people to find problems in their software? Oh and get this: "...the company 'knew there was an incident in 2006,' but that 'it was inconclusive at the time as to whether or not actual code was taken or that someone had actual code in their hands'." I am actually speechless. More information from Wired on this topic. If anti-virus companies can't keep themselves secure, are we all doomed?
  • Why Your Company Needs To Hack Itself - The term "hack" is not fully defined here, but let's take that as any action against your organization's systems that will test the security of them. There are, of course, different levels of "hacking." First, and foremost, let's look at what may be the easiest, least impactful, and actionable process out there: Scan all of your systems with Nessus that are externally facing and act on the results. The second part is the more difficult of the two as it invokes people, but you must be constantly identifying vulnerabilities and exposures on your Internet-facing systems. I'm stumped as to why more people are not doing this.
  • Hacking Seen as Rising Risk With Car Electronics - Having just bought a new car, I believe this threat is becoming more real. The vehicle emergency system can unlock the doors remotely, identify where the vehicle is located, enable Bluetooth to talk to my phone, and more. The car is becoming more and more like a computer every day, and we as a security community wonder what could happen if we were to start evaluating the security of vehicle systems. Some have, and the results are as expected -- features took priority over security.
  • Students busted for hacking computers, changing grades - This is similar to "War Games," but with a twist. Rather than stealing the password by looking at the paper on the desk, the students stole a master key from a janitor and installed keystroke loggers on the computers. Then, they changed the grades and sold test answers to other students. This is not cool. Kids, if you're listening, don't hack into computers at your school without permission as it's not like in the movies, you will be expelled.
  • Feds say Megaupload user content could be deleted this week - Just a word of caution, if you store your data in the cloud, make sure you have a backup.
  • Shmoocon Demo Shows Easy, Wireless Credit Card Fraud - I watched most of this talk over the live stream, and I just kept thinking that this has been possible for quite some time. I'm a huge fan of Paget's research into RFID, and I am glad to see this is getting attention. There seem to be some protections in place though, such as only the credit card number being leaked over RFID, and not the person's name, PIN, or CVV number.
  • Rootkit has rhythm - "Attackers are embedding specially-crafted MIDI files into web pages which are then opened by Internet Explorer using a plugin from Windows Media Player. The sound of background music covers the MIDI file using the vulnerability to execute shell code which installs a rootkit onto the system." So the big question is: If you were to have theme music to go along with your rootkit, what would it be? (My answer: The Who's "Don't Get Fooled Again")

Download Tenable Network Security Podcast 111 (mp3)



Category: Security

Intelligence as it relates to safety…and political philosophy

Security Bloggers Network - 4 hours 31 min ago
The Guardian tosses a beautifully written review at the Daily Mail over a story called "Rightwingers are less intelligent than left wingers, says study". The Mail's report went on to detail the results of a study carried out by a group of Canadian academics, which appears to show some correlation between low childhood intelligence and rightwing [...]

[[ This is a summary only. Read more at flyingpenguin.com ]]


Category: Security

Anonymous Faction Hits Banks With DDoS Attacks

Infosec Island - 4 hours 53 min ago

A faction of the rogue Anonymous movement temporarily disrupted the online presence of several major banks with an onslaught of distributed denial of service (DDoS) attacks.

Among the targets of the group identifying itself as Anonymous Brasil were Citibank and HSBC, as well as multiple South American financial institutions including Banco BMG, Banco Bradesco, Banco Panamericano, Itau Unibanco Banco Multiplo and Febraban.

In denial of service attacks, generally a large amount of information is sent to a web server at such high frequency that it overwhelms the processing capacity or causes the system to shut down and reset altogether.

The net effect is that the server can no longer operate correctly and the targeted website is rendered unusable for its primary purposes, such as customer interaction or sales.

Denial of service attacks are low-tech, and the majority of internet servers are vulnerable to the attack method, which makes the tactic increasingly popular.

The latest attacks come just a few weeks after multiple DDoS attacks were launched against entertainment industry and US government websites by Anonymous supporters in an operation dubbed "OpMegaupload".

The attacks caused disruptions for several websites, including those operated by the Justice Department, the FBI, the US Copyright Office, Universal Music, BMI, and the RIAA.

OpMegaupload was a response to Justice Department indictments issued against executives at the file sharing website Megaupload.com for copyright infringement and piracy, as well as in general opposition to the Stop Online Piracy Act (SOPA) and the Protect Intellectual Property Act (PIPA) legislative bills currently being considered by Congress.

The crowd-sourced DDoS attacks quickly diminished, but US-CERT subsequently received reports of attacks using emails designed to infect systems by way of malware-laden attachments, and advised government agencies and the private sector to be vigilant against the continued threat of denial of service attacks.

Copyright 2010 Respective Author at Infosec Island
Category: Security

Anonymous releases law firm's emails about Haditha killings

The Register - Security - 4 hours 55 min ago
Hacked lawyers who defended Marine over Iraqi deaths

Anonymous has leaked a trove of emails relating to the deaths of 24 Iraqi civilians at Haditha after hacking into a law firm's systems.…

Category: Security