Mar 29
If you didn't read the latest article by John Markoff, be sure to check it out. The article, called Vast Spy System Loots Computers in 103 Countries, talks about a web of espionage that has been going on at various embassies, government and private offices around the world. Most fingers point towards the Chinese and I personally think that this has been coming for quite a while.
What is interesting is that the paper on which the NYTimes article is based mentions Malta quite a few times. Here's a quote from page 5:
Significantly, close to 30% of the infected computers can be considered high-value and include the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters.
On page 43 the authors provide a table which lists the organizations infected, their location and the number of infections. On the whole, the embassies of Malta appear to have had 17 infections! Many other embassies are mentioned, as well as organizations like Deloitte & Touche in New York.
Posted by Sandro Gauci
Nov 2
One of the things that I do as EnableSecurity is security research. Recently I had the opportunity to present my Web Application Firewall research at a local ISACA meeting. The presentation included information about web application attacks, WAFs and attacks on Web Application Firewalls. Additionally, the audience was able to see a demonstration of an attack on one particular Web Application Firewall which was found vulnerable to a security bypass.
The presentation can be downloaded here.
Posted by Sandro Gauci
Mar 27
[Sandro]
Just a quick notice - if anyone's interested in what's going on @ Blackhat Europe, I'm posting quick notes on my twitter account.
http://twitter.com/sandrogauci
[Donald]
So we're back from Black Hat and the cold Dutch weather, and I must admit that overall the amount of cool stuff that goes on during the conference overwhelmed me. More than the presentations (which hook you in themselves), it was the people that we met and socialized with in the evenings. Amsterdam is a great city for the urban runner - a must visit if you enjoy hectic run-arounds. Fine restaurants and lots of good company. On the other hand, if you're a bit like me, I would tend to go for a more relaxed area - nevertheless (I'm not complaining), I loved it and would definitely jump at the opportunity to go there again next year.
Posted by Sandro Gauci
Feb 21
Our post on PassPack last week attracted quite a bit of attention. We were able to have an interesting discussion over security concerns that have to do with most (and probably all) online password managers. Similar to PassPack there are other services like Clipperz and Just1Key, all of which would be subject to the same concerns that we raised - the basic question of trusting a 3rd party server with your passwords. If you missed out, check out the post to learn about the actual concerns.
One solution that PassPack seem to be seriously considering is the option to license their server technology to 3rd parties. In the case of a company that buys a license and installs PassPack on an internal server, this would shift the trust concerns from the service provider (which happens to be PassPack) to the company's own systems administrators. This assumes that proper code review is done by whoever is concerned.
We also picked on the one-time passwords feature in PassPack, and why it is not a panacea for the keylogger problem. The conclusion was that PassPack needs to clearly inform users that passwords need to be generated ahead of time. Without doubt, making use of public computers such as the ones found in internet cafes or kiosks is a bad idea in itself. There are too many layers which an attacker can target - the computer's memory, the web browser (by replacing the logout button with one that does nothing), and so on.
All that said - PassPack has a lot of potential; they put a lot of focus on both the user experience and security. Upcoming features such as being able to share passwords with other users can definitely be useful (although that is a bad practice and should be avoided most of the time).
For our part, we look forward to seeing how PassPack and similar services will change the way we treat our passwords.
Posted by Sandro Gauci
Feb 13
Note: We posted a followup on this.
PassPack is a new service that addresses the ever growing problem of passwords.
PassPack is an online password manager for people who travel or change computers often. Unlike other password managers, PassPack is available 24/7 via internet, nothing to download or install.
Great! Problem solved.
But how do they achieve this?
With AES encryption (the same as used by the US Government) and an SSL Secure Connection, your data travels safely over the internet. But let's suppose a hypothetical "bad-guy" gets into our servers, all he'd find would be a bunch of illegible data (not even PassPack can read your data).
What caught my eye was the part where they state that not even PassPack can read your data, which reminded me of the Hushmail incident. The free secure email service makes claims that:
By using Hushmail, you can be assured that your data will be protected from that kind of broad government surveillance.
Which is simply not the case. In fact, later on in their FAQ, Hushmail have a section which explains that they have to comply with the law just like everyone else. Same with PassPack - the encrypted data on their servers cannot be read without the password. The problem is that the password is typed into a web page that PassPack serves, so, if need be, PassPack is able to capture your password and then use it to decrypt your information.
So what about the other claims?
Disposable Logins (OTP)
A Disposable Login is a one time Pass and Packing Key combination: you use it once, then it's thrown it away.
Disposable Logins come in handy when traveling and you need to use a public computer.
With Disposable Logins, you can outsmart keyloggers. Even if your disposable Pass and Packing Key were to get "captured", it doesn't matter: they won't work again.
Well - not against today's loggers! Nowadays both commercial and underground/malware keyloggers support screen capturing. This means that if you are in an internet cafe, there is always the chance that not only are your keystrokes monitored, but also all your activity on the computer, including screen captures and mouse clicks. A disposable login stops the captured Pass and Packing Key from being replayed, but it does nothing against an attacker who simply watches the decrypted passwords appear on screen during that one session.
But it is not all bad - I do like PassPack's idea of tackling the problem of multiple passwords. Some of the features that they offer are also pretty interesting, such as the "Anti-Phishing Welcome Message". While this is nothing new, and Yahoo and others have been using such features, it is good to see them becoming more widespread. However, as you might have guessed, I won't be handing out my Google, Hotmail or Amazon passwords to PassPack.
Posted by Sandro Gauci
Feb 7
The new TrueCrypt supports full disk encryption with pre-boot authentication - yay for the TrueCrypt team! Another feature that I have personally been waiting for was Mac OS X support. Since OS X support had been on the to-do list for such a long time, thanks to the OS X Crypt guys for showing that it is possible to have TrueCrypt for Mac.
Check out what's new here.
For an instructional video go here.
Posted by Sandro Gauci
Nov 27
This might sound funny, but we're at a stage where you need to protect your AV software. SecurityFocus has published an article on the research done by Sergio Alvarez and Thierry Zoller (for n.runs), which concludes that while AV software is protecting clients against malware (running in userspace), the AV software (typically running at kernel level) is itself vulnerable to exploitation. The attack surface is the AV's own file-format parsers: by design they process attacker-supplied input, and they do so with high privileges.
Best part:
"N.runs plans to release a product to protect against antivirus parsing vulnerabilities, and the contact information at the end of the presentation includes the e-mail address of the company's director of software sales."
.. don't get carried away with the argument that these guys are marketing their software through research. I think that's only appropriate - the problem is real and there's little FUD involved. There's a huge difference between security software and secure software.
The question then is .. will we need protection for the software that protects your AntiVirus?
Posted by Sandro Gauci
Nov 20
Here's a quick roundup of recent security leakages and identity theft news:
And those are just the ones that make the news.. a lot of incidents do not.
Posted by Sandro Gauci
Nov 13
Around 45000 MySpace passwords were leaked on the net recently. While it might seem like leaking such passwords is a major security threat, these passwords had already been collected by phishing sites and possibly abused by the wrong people. The good thing is that this gives security folks a chance to see how effective or ineffective password policies can be.
The people behind the-interweb.com published an article called A brief analysis of 40,000 leaked MySpace passwords. What is interesting is that MySpace applies a password policy which says that you have to use at least one non-alphabetic character in the password. So from the analysis we get the top 10 passwords - the top password being "password1". What we learnt (or already knew):
- Half the passwords start with a dictionary word and have at least one digit/non-alphanumeric after that
- The most popular suffix after an alphabetic password is obviously "1", followed by "2" and then "123"
- The most popular prefix before an alphabetic password is "1", followed by "123" and then "2"
- Most popular password when the non-alphabetic characters are stripped off is "password", followed by "iloveyou" and "love".
How does this help us make better security decisions?
A lot of security is based on passwords nowadays, despite them being the most abused form of security (or, I would argue, lack of). Applying a complexity policy changes a password attack a little, but not much. The chosen passwords in most cases are still the same - "password", "love", and so on - but with an additional character (usually "1") at the end. This means that such passwords are still pretty guessable via a wordlist attack: the attacker simply appends the handful of popular suffixes to each dictionary word.
So how does the systems administrator come up with an educated password policy?
In my opinion, one has to keep in mind the following before setting a password complexity policy:
- Password age
- Number of attempts before account lockout
- What kind of passwords are going to be common with a given password complexity policy
The longer the password age, the more at ease end users will be in choosing complex and unique passwords. A shorter password age will make end users think twice before choosing a complex password that they have to remember for only 2 weeks, until the system starts nagging them to change it again!
Say users are required to include 1 non-alphabetic character in their password, and the account lockout kicks in after 10 attempts. That gives an attacker a high chance of finding users on the system who started their password with the word "password" and included a single digit at the end: ten guesses cover "password0" through "password9". If, on the other hand, end users are required to use 2 non-alphabetic characters, the chance of a successful guess within the lockout threshold decreases.
Having a blacklist of known common passwords for the specific password complexity policy might be a way to limit the usage of common passwords.
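As an added example (not from this post and not the-interweb.com's analysis code), here is a small Python script that reproduces the kind of prefix/suffix/core statistics discussed above on a constructed sample list, and a policy check that rejects a password whose core, with all non-alphabetic characters stripped, is on a blacklist. The sample passwords, the tiny dictionary and the blacklist are made up for the example; a real check would load a proper wordlist.

```python
import re
from collections import Counter

# Constructed sample passwords in the style of the leaked list (not real data).
SAMPLE = [
    "password1", "iloveyou2", "love123", "1password", "123jessica",
    "monkey1", "password1", "fluffy!", "Summer2007", "abc123",
]

# Stand-in for a dictionary wordlist (assumption: a real check loads a full list).
DICTIONARY = {"password", "love", "iloveyou", "monkey", "jessica",
              "fluffy", "summer", "abc"}

# Cores that top the leaked list once digits and symbols are stripped (assumed list).
COMMON_CORES = {"password", "iloveyou", "love", "monkey", "abc"}

NON_ALPHA = re.compile(r"[^A-Za-z]+")
SPLIT = re.compile(r"([^A-Za-z]*)(.*?)([^A-Za-z]*)")


def split_password(pw):
    """Split into (prefix, middle, suffix): the non-alphabetic runs at the
    start and end, and whatever lies between. '123love1' -> ('123','love','1')."""
    m = SPLIT.fullmatch(pw)
    return m.group(1), m.group(2), m.group(3)


def core_word(pw):
    """The password with every non-alphabetic character removed, lower-cased."""
    return NON_ALPHA.sub("", pw).lower()


def analyse(passwords):
    """Statistics of the kind the MySpace analysis reports: share of
    'dictionary word + trailing non-alphabetics', top suffixes/prefixes/cores."""
    suffixes, prefixes, cores = Counter(), Counter(), Counter()
    word_then_nonalpha = 0
    for pw in passwords:
        prefix, middle, suffix = split_password(pw)
        cores[core_word(pw)] += 1
        if suffix:
            suffixes[suffix] += 1
        if prefix:
            prefixes[prefix] += 1
        if not prefix and suffix and middle.lower() in DICTIONARY:
            word_then_nonalpha += 1
    return {
        "word_then_nonalpha_ratio": word_then_nonalpha / len(passwords),
        "top_suffixes": suffixes.most_common(3),
        "top_prefixes": prefixes.most_common(3),
        "top_cores": cores.most_common(3),
    }


def policy_check(pw, min_len=8, min_non_alpha=2, blacklist=COMMON_CORES):
    """Complexity policy that also refuses 'common word + 1' style passwords.
    Returns a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    non_alpha = sum(1 for c in pw if not c.isalpha())
    if non_alpha < min_non_alpha:
        problems.append("needs at least %d non-alphabetic characters" % min_non_alpha)
    if core_word(pw) in blacklist:
        problems.append("based on a blacklisted common word")
    return problems


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, value)
    for candidate in ("password1", "love123", "B4ttery-St4ple"):
        print(candidate, policy_check(candidate) or "ok")
```

The blacklist comparison works on the stripped core, which is what makes it catch "password1", "password!" and "1password" alike; a blacklist of literal strings would miss all but the exact entries.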
Posted by Sandro Gauci
Oct 11
I just released version 0.2 of the SIPVicious tool suite from here.
As a small introduction I put up a screencast of the tools in action.
What is the SIPVicious tool suite?
It consists of 4 tools:
- svmap: an active scanner to identify SIP devices on the network
- svwar: scans SIP PBX servers for existing extensions
- svcrack: an online password cracker against SIP PBX servers
- svreport: manages sessions by the other tools + exports to pdf, xml (html), csv and plain text
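To show what svmap and svwar actually put on the wire, here is an added Python example; it is not code from SIPVicious itself. It builds the SIP OPTIONS probe that svmap-style scanning uses to make anything speaking SIP answer (and so reveal its Server/User-Agent banner), parses a constructed reply, and classifies the status code of a REGISTER attempt the way svwar-style extension enumeration does. The addresses, banner and Call-ID are made up; the mapping "401/407 challenge or 200 means the extension exists, 404 means it does not" is the usual heuristic and is an assumption here, since a PBX can be configured to answer identically for every extension.

```python
import re
import socket

CRLF = "\r\n"
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


def build_request(method, target_ip, user="100", target_port=5060,
                  branch="z9hG4bK-example", call_id="example-call-id@192.0.2.10"):
    """Minimal SIP request (RFC 3261 mandatory headers only). OPTIONS is the
    svmap-style probe; REGISTER with a guessed user is the svwar-style probe.
    192.0.2.10 is a documentation address standing in for the scanner."""
    lines = [
        f"{method} sip:{user}@{target_ip}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:{user}@{target_ip}>;tag=example-tag",
        f"To: <sip:{user}@{target_ip}>",
        f"Call-ID: {call_id}",
        f"CSeq: 1 {method}",
        "Contact: <sip:scanner@192.0.2.10:5060>",
        "Content-Length: 0",
    ]
    return CRLF.join(lines) + CRLF + CRLF


def parse_response(raw):
    """Parse a SIP response into status code, reason and headers.
    Header names are lower-cased; repeated headers keep every value."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("not a SIP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"code": int(m.group(1)), "reason": m.group(2), "headers": headers, "body": body}


def fingerprint(response):
    """What svmap reports: the Server or User-Agent banner, if the device sends one."""
    for name in ("server", "user-agent"):
        if name in response["headers"]:
            return response["headers"][name][0]
    return None


def classify_register(code):
    """svwar-style reading of the reply to a REGISTER for a guessed extension.
    Assumption: a challenge (401/407) or 200 means the extension exists, 404 means
    it does not; anything else is inconclusive. A PBX that challenges every
    REGISTER regardless of user defeats this and makes every guess look valid."""
    if code in (200, 401, 407):
        return "exists"
    if code == 404:
        return "absent"
    return "unknown"


def probe(target_ip, method="OPTIONS", user="100", timeout=2.0):
    """Send one probe over UDP and return the parsed reply, or None on timeout.
    Only run this against systems you are authorised to test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_request(method, target_ip, user).encode(), (target_ip, 5060))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data.decode(errors="replace"))


# Constructed reply as a PBX might send it to the OPTIONS probe (made-up banner).
SAMPLE_REPLY = (
    "SIP/2.0 200 OK" + CRLF +
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-example;rport=5060;received=192.0.2.10" + CRLF +
    "From: <sip:100@192.0.2.20>;tag=example-tag" + CRLF +
    "To: <sip:100@192.0.2.20>;tag=as1f2e3d4c" + CRLF +
    "Call-ID: example-call-id@192.0.2.10" + CRLF +
    "CSeq: 1 OPTIONS" + CRLF +
    "Server: Example-PBX/1.0" + CRLF +
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER" + CRLF +
    "Content-Length: 0" + CRLF + CRLF
)

if __name__ == "__main__":
    print(build_request("OPTIONS", "192.0.2.20"))
    reply = parse_response(SAMPLE_REPLY)
    print("banner:", fingerprint(reply))
    for code in (401, 404, 403):
        print(code, classify_register(code))
```

The probe function is the only part that touches the network and is not called at import time; everything else runs offline on the constructed reply.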
Notable new features include:
- Session support which allows you to resume previous scans as well as store the results in database format
- Exporting of previous results to various formats: pdf, xml (html), csv and plain text
- Easy updating by making use of subversion (svn update)
- Better UI, more intuitive help, clean output and more debug info when needed
- And my favorite feature: random scanning techniques
Project page:
http://code.google.com/p/sipvicious/
Hope you guys find it useful
Posted by Sandro Gauci
Aug 17
Darkreading has an article about Verus Inc. closing its doors. There are many times when security does not seem like a priority and gets ignored. Sensitive data is sent as clear text, firewalls are configured badly and web applications are deployed without any security testing.
In a way, it's good to see that this doesn't always go unnoticed - especially when it comes to sensitive information such as medical data.
However, in the long run, it might be more important to see why a lot of companies are still not practicing basic security. Is it lack of knowledge (competence etc.), or is it simply the case that most of the time implementing security is still seen as an extra?
I personally think it's a bit of both.
The solution to the first problem would probably be reputation and elimination - which is what (apparently) happened to Verus Inc. However the second problem might be more tricky.
This book might be particularly interesting for those interested in the subject of security and usability. At the end of the day, security needs to be built in and be easily accessible.
And for those interested in the case, if you google around you'll find posts which shed more detail.
Posted by Sandro Gauci
Aug 10
This article sheds some light on what emails such as the one below consist of:
MAKE EXTRA $$$ WORKING FROM HOME! NO SPECIAL SKILLS REQUIRED! EARN HUNDREDS OR THOUSANDS EACH MONTH!
Mafia and terrorist organizations have been using mules to launder money for a long while.
When it comes to the internet, this is how it works:
- Phisher starts spamming people with links to phishing sites to steal bank account info and so on
- At the same time the phisher starts spamming people with these "work from home" emails
- As bank account details start rolling in, the phisher starts moving small fractions of the money to other bank customers who have agreed to "work from home", aka mules
- The mules keep a percentage of the money, send the money to the phisher and eventually get caught
- The phisher gets away with the rest of the money .. and most of the times doesn't get caught
- Not a happy ending
Posted by Sandro Gauci
Jul 8
Cranky Geeks is one of my current favourite Democracy subscriptions. For the latest episode, the host invited cryptographer Whitfield Diffie and security expert Dan Farmer to join the show. It's good to give a face to the people you read about in the books you know.
Especially enjoyed it because IMHO Diffie looks a bit like god in his 60's, while Dan Farmer (author of SATAN) looks a bit like the devil.
See for yourselves ..
Posted by Sandro Gauci
May 14
The 2007 Computer Security Awareness Video Contest have just announced their winners. The videos can be downloaded from their website. My favorites so far are the ones that focus on identity theft - When you least expected it and Identity Theft for Criminals - both have a healthy amount of humor, so that's definitely a plus.
Posted by Sandro Gauci
May 4
A few more random observations (following the InfoSec expo):
- As you'll probably notice from the pictures below, the place was packed with vendors and people. This was especially true on the first and second day.
- The second day seemed to have more press people than the first day.
- There was a lack of giveaways. Unfortunately, we didn't manage to get enough freebies.
- Only a few software vendors offer trial versions of their software. A lot of products are not easily reachable - you need to go through a lot of different channels to get an evaluation.
- Sourcefire have a nice and useful web interface for the Sourcefire 3D System. They seem to be on the right track in trying to provide what the end user wants. But .. it's an appliance - so to try it out they need to ship you an evaluation box and then you ship it back to them.

Bruce Schneier yesterday published a few comments about Infosec Europe (and RSA): basically it sums up to questioning why we need security software and systems, and emphasizing that systems should be secure without the need for security software. On the right is a quick shot that I took of Bruce during the presentation of his paper "The Psychology of Security".
Here are some pictures which we took at InfoSec Europe.
Posted by Sandro Gauci
Apr 26
Well .. we were. By now we're back in Malta .. but this was the original draft of the post:
We spent the past 2 days going through vendors of all sorts at the trade show. A point-form summary:
- a lot of vendors are selling appliances
- lots of endpoint security vendors - maybe too many
- had a chat with Eugene Kaspersky. Nice chap
- Been to the Bruce Schneier talk - very interesting
- met lots of vendors - quite a few of them had sales people who were quite intrusive
Overall I liked the following products:
- Colossus looks like a very good vulnerability assessment product. These guys gave me the impression that they know what they're doing and that they're focusing on achieving results logically - doing optimizations based on the way that an attacker or penetration tester would think. I really liked the fact that they're not producing huge reports full of recurring things or things that are insignificant. Also - their stand was one of the neatest around there - with just 2 iMacs and everything else being very minimal.
- Reflex Security are doing some pretty cool stuff. The UI and reporting work seem just right.. and that's quite an important thing when you're presenting alerts based on IDS signatures and so on.
We'll be sure to post a follow up on what went on .. and maybe some photos as well.
Posted by Sandro Gauci
Apr 18
In my previous post, I spoke about how automated systems such as the Norman Sandbox and Anubis are easily blinded by simple environment checks.
Christopher Kruegel of Secure Systems Lab of the Vienna University of Technology replied with the following:
"This is definitely a valid concern, and a problem that every dynamic analysis environment faces. actually, we have thought quite a bit about this problem, and we have published a paper that presents a possible solution (it has been accepted at the IEEE Symposium on Security and Privacy, check it out at http://www.seclab.tuwien.ac.at/papers/explore.pdf ). in a nutshell, this paper describes a system that allows us to explore multiple executions paths. to this end, we are trying to locate "interesting" checks that the malware performs (e.g., check for the current directory) and explore both paths (one path when the check succeeds, and the alternative path when the check fails). in the case you described above, the first execution path would yield nothing, while the second path would show the malicious activity (together with the information that the current directory must be the Outlook directory to see this behavior)."
This works by taking a snapshot of the executable's state at each decision to be made, running through the code, and then restoring that previously stored state in order to follow the other execution path. They were able to do this by creating a Qemu extension which is able to identify the memory mapped for the specific executable being analyzed. This extension is currently a work in progress and will be included later on as part of Anubis. Personally, I'm really looking forward to this becoming publicly available.
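As an added illustration (not the Anubis code or the paper's implementation), here is a toy version of that idea in Python, applied to the Outlook-directory check from the post this one follows up on: a tiny register machine runs a constructed program that only misbehaves when the current directory matches. concrete_run shows what a single-path sandbox sees; explore treats environment reads as symbolic, snapshots the state at every branch that depends on one, follows both outcomes and reports the constraint each path needs. Instruction names, the directory and the API-call strings are made up for the example.

```python
from copy import deepcopy

# Constructed toy "malware" for a tiny register machine (not a real sample).
# It only drops a file and connects out when the current directory is the
# (assumed) Outlook temp directory; from anywhere else it just exits.
PROGRAM = [
    ("getenv", "cwd", "CWD"),                   # 0: r.cwd = environment CWD
    ("eq", "ok", "cwd", "C:/OutlookTemp"),      # 1: r.ok = (r.cwd == "C:/OutlookTemp")
    ("jz", "ok", 5),                            # 2: if not r.ok: goto 5
    ("call", "CreateFile(dropper.exe)"),        # 3
    ("call", "connect(198.51.100.7:443)"),      # 4
    ("call", "ExitProcess"),                    # 5
    ("halt",),                                  # 6
]


class Sym:
    """A value read from the environment, i.e. an input worth exploring."""
    def __init__(self, name):
        self.name = name


def concrete_run(program, env):
    """Single-path execution with one real environment: what a plain sandbox
    observes. Returns the list of API calls made."""
    regs, pc, trace = {}, 0, []
    while True:
        op, *args = program[pc]
        if op == "halt":
            return trace
        if op == "getenv":
            regs[args[0]] = env[args[1]]
            pc += 1
        elif op == "eq":
            regs[args[0]] = regs[args[1]] == args[2]
            pc += 1
        elif op == "jz":
            pc = args[1] if not regs[args[0]] else pc + 1
        elif op == "call":
            trace.append(args[0])
            pc += 1


def explore(program):
    """Multi-path exploration. Environment reads become symbolic; when a branch
    depends on one, the whole state is snapshotted (deepcopy stands in for the
    emulator snapshot) and both outcomes are followed, each remembering the
    constraint it assumed. Returns a list of (constraints, api_calls) per path."""
    paths = []
    worklist = [{"pc": 0, "regs": {}, "constraints": [], "trace": []}]
    while worklist:
        st = worklist.pop()
        while True:
            op, *args = program[st["pc"]]
            if op == "halt":
                paths.append((st["constraints"], st["trace"]))
                break
            if op == "getenv":
                st["regs"][args[0]] = Sym(args[1])
                st["pc"] += 1
            elif op == "eq":
                lhs = st["regs"][args[1]]
                # Comparing a symbolic input yields a symbolic condition (name, expected).
                st["regs"][args[0]] = (lhs.name, args[2]) if isinstance(lhs, Sym) else lhs == args[2]
                st["pc"] += 1
            elif op == "jz":
                cond = st["regs"][args[0]]
                if isinstance(cond, tuple):
                    name, expected = cond
                    taken = deepcopy(st)                   # snapshot of the full state
                    taken["constraints"].append(f"{name} == {expected!r}")
                    taken["pc"] += 1                       # condition true: fall through
                    worklist.append(taken)                 # restored and followed later
                    st["constraints"].append(f"{name} != {expected!r}")
                    st["pc"] = args[1]                     # condition false: jump
                else:
                    st["pc"] = args[1] if not cond else st["pc"] + 1
            elif op == "call":
                st["trace"].append(args[0])
                st["pc"] += 1
    return paths


def conditions_for(program, api_call):
    """Constraints under which a given API call becomes observable."""
    return [constraints for constraints, trace in explore(program) if api_call in trace]


if __name__ == "__main__":
    print("sandbox run from C:/Temp:", concrete_run(PROGRAM, {"CWD": "C:/Temp"}))
    for constraints, trace in explore(PROGRAM):
        print(constraints, "->", trace)
```

The single-path run from an ordinary directory reports nothing but ExitProcess, which is exactly the blind spot described in the earlier post; the explorer reports the drop-and-connect behaviour together with the condition "CWD == 'C:/OutlookTemp'" that triggers it. A real implementation has to bound the number of forks, since every input-dependent branch doubles the paths.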
Posted by Sandro Gauci
Apr 16
It's not like this is the first time that we need to know what an executable binary file actually does. Of course, hardened reverse engineers will launch their trusty hex editor / disassembler / debugger and spend a few days staring at the code. But for the rest of us, we need answers and we need them quick!
Traditionally one would run an AV scan on the unknown binary file and feel pretty comfortable running it after nothing turns up. However, experience teaches that this is certainly not foolproof, and the fact that an AV reports nothing doesn't mean that the particular program was written with the best intentions.
One way around this is to scan with multiple antivirus scanners. More often than not, it is not feasible to have a machine which has various AV products ready to scan your possibly malicious (but probably not) binaries. Hence a lot of people make use of services like VirusTotal and Jotti's malware scan. These two services provide a very good solution and will generally satisfy most people's needs.
However, if you have a binary which isn't caught by any antivirus vendor, then you might still want to decide for yourself if it is indeed malicious or not. It might not even be something that the AV companies will ever catch. Enter Anubis, Norman Sandbox and CWSandbox. The three of them will tell you what a binary does based on how it behaved when run in a virtualized or sandboxed environment. They will list things like the imported modules, files created or written to, sockets opened and so on.
I'm pretty new to Anubis - but I like the approach. They're making use of a patched version of Qemu internally. If anyone's interested in the internals of this project, they're published here. One problem that I guess is obvious with this approach is when an executable checks for some property. Newer malware is known to check for signs of a virtual machine. Anubis and others should not have this problem.
But (there always has to be a "but") ... what happens when the executable expects a specific path in order to run the malicious code? For example, it might check to see if it is running from the Outlook temporary files directory before doing anything malicious. My best guess is that the methods that Anubis and other similar projects use will fail to detect the malicious code simply because it is never run. Of course, noticing the Outlook directory check can be enough of an indication that the executable might have malicious code.
Posted by Sandro Gauci
Apr 11
Yesterday I learnt that the Shmoocon videos have been made available online, so my immediate reflex action was:
sandro$ wget -m -A mp4 http://www.shmoocon.org/2007/videos/
Gotta love wget. I watched some of the talks and quite a high percentage of them are high quality - I watched (parts of) the following:
- A hacker looks at 50. G. Mark Hardy goes on and talks and talks about how systems were previously much more obscure, security through obscurity and all that. I started watching this one but quickly got distracted - probably because the Johnny Long talk got downloaded by then.
- No-Tech Hacking. In this talk, Johnny Long gives examples of how a "hacker" will look at different scenarios and identify security flaws. How easy it is to mark a DoD person who's supposedly not easy to spot .. and stuff like that. A very enjoyable talk and Johnny Long certainly didn't disappoint here.
- Auditing Cached Credentials with Cachedump. This is a talk by two guys who focus on the problem of cached credentials. Basically this talk did a very good job of highlighting how bad the thing is in the enterprise environment. An ok talk.
- Hacking Digital Cameras. I started watching this one - looks pretty amazing what you can do with dirt cheap cameras and some electronics knowledge. Of course, I quickly lost interest as soon as I noticed that h1kari's talk was downloaded.
- Hacking the Airwaves with FPGAs. This is one damn interesting talk. h1kari demonstrates the impressive speed of cracking WEP, WPA, Bluetooth and Mac OS X's FileVault by making use of FPGAs, compared with cracking them on a good PC. Very sexy stuff! .. and the speaker is pretty relaxed about it all.
- Backbone fuzzing. This talk is pretty interesting - Raven goes on to tell the crowd about her experiences with fuzzing lower level stuff, which is usually critical network infrastructure devices. She's quite cool but I got the impression that she makes use of her boyfriends to get her fuzzer coding done.
- Attack Detection and Response with Linux Firewalls. I started watching this talk, but it was getting quite late for me .. and didn't find the talk particularly interesting anyway. Maybe I'll give this talk a chance some other day.. but yesterday I decided it was time to sleep.
I still need to watch Major Malfunction's "RFIdiots" talk - which will probably cover his python library and his experience with RFID stuff being done in the UK / passports and such things. He's a very good speaker and never ceases to impress. So I'm looking forward to that. If you're interested there's 2.7gb of videos here. If you're in the .mt area and want a copy feel free to ping me.
Posted by Sandro Gauci