My first Arduino project
At the IOactive stand at BlackHatUSA there was a soldering/Arduino workshop where you could solder a four-legged walker. That was a good opportunity to pick up these skills, and I always wanted to do something with Arduino.

The mistress of the table, ‘Fabienne’, explained how to start and provided the right components. After an hour I discovered I had mixed up some points and had to solder them again. This was the first result:

After fixing the servos and the plates, this was the final result:

BHat USA – Virtual Forensics part II presentation
At 11:15 AM it was my time to speak on the first day of the BlackHat USA conference in Las Vegas. Earlier this year I spoke about the same topic in Barcelona. I have updated the talk with new slides and added the usage of some new tools I’m using. Around 11:00 AM the room was already filling up and people were standing in the back.

After a short introduction of myself I continued with the presentation. During my talk I saw a lot of people recognize the problems we face during investigations on virtual environments, for example the jurisdiction problems. At the end of my talk I gave a demo by mounting a VHD file read-only and carving data out of it. Afterwards I got a lot of good questions and many walked up to introduce themselves and exchange business cards. Many thanks to everyone attending my talk and for the comments you placed on Twitter.
Slides of my talk: Virtual Forensics partII BHATUSA
BHatUSA Microsoft Party invitation
To my big surprise I received an invitation for the BlackHatUSA Microsoft party on Thursday at the Hardrock Hotel. Official statement in the email: The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft products and online services safer by finding and reporting security vulnerabilities. In recognition of your efforts, you are cordially invited to our Microsoft Security Appreciation Reception at Black Hat USA 2010 hosted by the MSRC and Ecosystem Strategy Team (MSRC EcoStrat).
Thanks guys, really an honour and see you there next week!
Malware analysis with IOactive Malnet two
On day two of the HITB conference in Amsterdam, I decided to go for some hands-on. An interesting lab was offered by IOactive’s Wes Brown. Wes is a security researcher and malware analyst who has analyzed thousands of samples.
Wes handed out a bootable CD-ROM based on QEMU with Malnet 2 for the labs.
Why analyze malware? To better understand threats against our networks and to develop countermeasures. Some people analyze malware to create better malware.
Compared to the past, it’s now all about exploiting the human. The goal is to get the injection in. Attacks are delivered through social networks and torrents/P2P.
A good malware analyst needs:
- Mindset: meticulous data collection, logical processes, thinks outside the box, tenacious
- Technical: good systems understanding, good understanding of programming, some reverse engineering skills
- Attitude: ties into the motivations discussed earlier
We really need to understand malware from its own perspective. There are cultural assumptions about what malware is; we need to flag what it actually is.
To build a malware lab, a good start is to virtualize it and use VMware. On the other hand, some malware has built-in detection for VMware. For Malnet they decided to use QEMU. The cool virtualization tricks are: serial debugging, copy on write, memory imaging and fast reversion of images for analyzing thousands of samples a day.
Using QEMU with qcow2 block compression and nLite, Windows XP is stripped down into a small VM.
Why automate malware analysis?
- There are too many samples to analyze manually. Recent days have seen 10,000 executables with unique MD5 checksums per day.
- A good malware analyst can only manually analyze a few dozen a day at most.
- Automation ensures consistency of results. Consistent results can be stored in a database.
- The database can be used to search for interesting or relevant malware to analyze. The analysis can all happen from the database.
Static Forensics Basics
A lot can be determined without ever running the malware sample, and this is less costly: static forensics can be conducted in a matter of seconds. Other basics:
• PE File Forensics – section headers; the entropy of each section can be measured.
• Disassembly of Malware – distorm, a stream disassembler; IDA Pro in batch mode is better.
• Strings dump of Malware
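As an added illustration of the PE section-header and entropy check described above (my own example, not Malnet’s code): the parser below walks the section table of a PE image, computes the Shannon entropy of each section’s raw data and flags sections whose entropy is high enough to suggest packing or encryption. The sample image is constructed inline and is not a real binary; the 7.0 bits/byte threshold is an assumed heuristic, not a value from the talk.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_section_entropies(image: bytes) -> dict:
    """Parse the PE section table and return {name: (raw_size, entropy)}."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    sec_off = pe_off + 4 + 20 + opt_size                   # section table follows optional header
    result = {}
    for i in range(nsec):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (40-byte entry)
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, sec_off + i * 40)
        raw = image[raw_ptr:raw_ptr + raw_size]
        result[name.rstrip(b"\0").decode("ascii", "replace")] = (raw_size, shannon_entropy(raw))
    return result

def suspicious_sections(entropies: dict, threshold: float = 7.0) -> list:
    """Assumed heuristic: sections above the threshold look packed/encrypted."""
    return [name for name, (_size, ent) in entropies.items() if ent > threshold]

def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped image with two sections; not a runnable binary."""
    text = bytes(range(256)) * 2      # uniform byte distribution -> entropy 8.0
    data = b"\0" * 512                # all zeros -> entropy 0.0
    sections = [(b".text", text), (b".data", data)]
    hdr_size = 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")      # PE32 magic, rest zeroed
    table, ptr = b"", hdr_size
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000, len(body), ptr, 0, 0, 0, 0, 0x60000020)
        ptr += len(body)
    header = (dos + coff + opt + table).ljust(hdr_size, b"\0")
    return header + text + data

if __name__ == "__main__":
    ent = pe_section_entropies(build_sample_pe())
    for name, (size, e) in ent.items():
        print(f"{name:8s} {size:6d} bytes  entropy {e:.2f}")
    print("suspicious:", suspicious_sections(ent))
```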
Unimplemented: Signed Executables
• Looking at the signature, description, and publisher on an executable is a key part of static forensics.
• Malware often masquerades as prominent publisher updates or executables.
• By building a corpus of valid white-listed files, we can use a database to compare samples against.
• For example, if malware masquerades as a DirectX installer: is it signed? What are the publisher and version fields? Do we have valid installers from the same publisher?
• Unimplemented because there are no easy native Linux tools to examine this data. Probably will be implemented for v1.2 of the LiveCD.
Dynamic Forensics Basics
We actually run the malware sample inside a contained environment.
Run inside a QEMU VM: screenshots, memory dump, copy-on-write file.
Examine the changes: registry dump, copy-on-write file, network packet capture.
The Malnet 2 CD-ROM features some great analysis tools and features:
- screendump commands
- memorydump commands
- snapshot commands
- md5sum support
- pcap network forensic analysis tools like Wireshark, tshark and Chaosreader.pl
- registry dumps
- copy on write files
With the open source memory forensics tool Volatility you can list, for example, the processes and network connections that were live on the machine at the moment the memory dump was taken.
For running malware in a VM there is a golden rule of five minutes.
After the theory and some small demonstrations by Wes, it was time for hands-on. Really a great session!
HITB2010ams day two: Keynote by Mark Curphey
Ten crazy ideas that might actually change the state of information security
1. Process Matters
2. Technology Matters
3. People Matter
The following ten ideas could change things. Mark claims there is no guarantee, but you decide whether it is an illusion or a vision.
10 mad ideas
#1 Adopt the Chinese medicine business model – you pay the doctor when you are healthy; if you are not healthy, the doctor pays you. Would be great for a security consultancy company.
#2 Stop human pattern matching – to be clear, computers are good at pattern matching, the human brain is not.
#3 Community-driven statistical modeling – the freerisk case example: how to deduce the quality of security based on stats. A statistical model based on the past to predict the future of security could be neat.
#4 Teach kids computer security – example HacketyHack
#5 Make developing countries Centers for security excellence
#6 Make hacking a Competitive sport – olympic hacking games?
#7 Connected Information Security Framework
#8 Embrace design driven security – we must embrace the builders AND the breachers
#9 Crowd Source Access Control – someone resets your password on the other side of the world without you knowing that person. This is totally insane regarding access control.
#10 Adopt an agile mindset – the agile manifesto http://agilemanifesto.org, new thinking versus old thinking.
‘By embracing constraints you can do the most important half of a job, rather than a half-assed job.’ Not many people can define what ‘done’ means. Especially regarding security, not many can tell you when you are done with security. Most security projects deal with a large amount of uncertainty and complexity, which is exactly the right spot for the agile mindset. The right way to approach this is to understand and accept it.
Web in the middle attacks
WITM?
Where?
Wired World – many LANs are vulnerable to layer 2 attacks
Wireless World – 3G
Targets everywhere: home, trains, bus, bars, hotels, corporate, etc.
Example: Thalys
Registering your account is just one HTTP request with no SSL.
Each time you log in, your login/password is sent through a clear-text HTTP channel. Each time you consult a Thalys service, you send the cookie (which contains your password).
Application examples:
- Mozilla products – reading email through TLS/SSL? No, there may still be outbound HTTP traffic over a clear-text channel (default config).
- Apple products – if you work with iWork09 or iLife09 you think you work on local documents? No, a clear-text HTTP channel is opened to Apple.
- Microsoft products – you think you are working on local documents with Office 2007? No, a clear-text HTTP channel is opened to Microsoft.
ISR-evilgrade – a tool that automates attacks against many products while they try to update. www.infobyte.com.ar
Many security products upgrade through clear-text HTTP channels.
Websites:
- Initial page
- Login/password
- Complete session
- Logout link
- SSL ready
Many famous websites (Twitter, Facebook, LinkedIn and Hotmail) are not using HTTPS for the initial page.
The EFF released a plugin for Firefox to use HTTPS everywhere; it’s called https-everywhere.
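To make the website checklist above (initial page, login, complete session, logout, SSL ready) concrete, here is an added audit script of my own, not from the talk: it walks a recorded login flow and reports every step that is served over clear-text HTTP and every session cookie that lacks the Secure flag (the Thalys failure mode, where the browser keeps replaying the cookie over HTTP). The recorded flow, the hostname example.test and the cookie names are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample: one recorded browsing session as (step, url, Set-Cookie headers).
# The steps mirror the checklist from the talk.
SAMPLE_FLOW = [
    ("initial page", "http://example.test/", []),
    ("login/password", "http://example.test/login", ["sid=abc123; Path=/"]),
    ("complete session", "http://example.test/account", []),
    ("logout link", "http://example.test/logout", []),
]

def cookie_attributes(set_cookie: str) -> set:
    """Lower-cased attribute names after the name=value pair (secure, httponly, path, ...)."""
    return {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}

def audit_flow(flow) -> list:
    """Return one finding per checklist violation; an empty list means the flow passed."""
    findings = []
    for step, url, cookies in flow:
        scheme = urlsplit(url).scheme.lower()
        if scheme != "https":
            findings.append(f"{step}: {url} is served over clear-text {scheme}")
        for set_cookie in cookies:
            name = set_cookie.split("=", 1)[0].strip()
            attrs = cookie_attributes(set_cookie)
            if "secure" not in attrs:
                # Without Secure the browser sends this cookie on any http:// request
                # to the host, so one clear-text page leaks the whole session.
                findings.append(f"{step}: cookie {name!r} lacks the Secure flag")
            if "httponly" not in attrs:
                findings.append(f"{step}: cookie {name!r} lacks the HttpOnly flag")
    return findings

def ssl_ready(flow) -> bool:
    """The 'SSL ready' checklist item: every recorded step already runs over HTTPS."""
    return all(urlsplit(url).scheme.lower() == "https" for _step, url, _c in flow)

if __name__ == "__main__":
    for finding in audit_flow(SAMPLE_FLOW):
        print("FAIL", finding)
    print("SSL ready:", ssl_ready(SAMPLE_FLOW))
```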
Remote LAN attack
phase one: own the traffic (DNS/ARP spoofing, DNS cache poisoning)
phase two: inject evil traffic
Handheld Devices
- Applications installed on phones don’t really use HTTPS; at home this is not a problem, but out on the road it is!
Example: a currency converter tool sends data in cleartext back to, in this case, the iPhone. Very easy to inject fake data by using a proxy.
Mac OS X CFNetwork API – many applications get their network capabilities from this iPhone API.
What if there were a vulnerability in a low-level library shared by thousands of applications?
iPhone 0-day: stack overflow in CFNetwork’s URL handling code. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
What about HTC: 0-day for Opera on HTC devices. Found a way to crash HTC Opera.
What about Blackberry:
0-day for Hotspot browser on Blackberry
Ipad:
0-day for Safari on the iPad (a demo of the stack overflow was given). Apple was contacted but did not allow the details to be shown.
Some solutions against WITM:
- local firewall control against unwanted outbound (unknown) traffic that could be dangerous.
- Avoid dangerous networks/areas
- Use safe communications
- Update the products
- Contact the vendors to switch to SSL
We have known about the MITM issues for years, but it’s 2010 now and many applications and devices still do not handle MITM threats properly. In the underground, 0-days are traded. Vendors need to pentest and research.
From Russia with love part 2
hitb2010ams talk by Fyodor Yarochkin
Underground hacking forums from the former Eastern Bloc. Fyodor and the Grugq investigated several forums and combined intelligence and personalities, and looked at the technology behind it: tools of the trade and finally the future plans.
The Haxor Revolution is 100 percent money driven. Prerequisites: imbalance of the economic system, globalization of payment systems, accessibility, and laws/languages/Cold War……
The revolution targets average PC users (your mom and dad) but rarely corporations. They exploit vulnerabilities in client software or use social engineering.
When they peeked behind the scenes, Fyodor and the Grugq looked at the market, the items and patterns of trade, the personalities, and performed a quantified analysis. They dug into the forums and scanned interesting messages related to ‘fraud’. You have to know the slang/lingo to understand what they are talking about.
An amusing discovery about the personalities: it is not the geeks who are behind this, but students who want to earn some extra bucks. Students from Russia think that outside their borders there are only rich countries.
Hacker slang
Fenya – Russian prison slang
Anglonyms – English loan words
Rhyming slang – sounds like the English word
Direct translation
Where is the money? Extortion, job recruitment (money mules, drops, SMS regs), services and goods. Partner programs for redirecting visitors towards the criminals’ systems.
Partnerka examples:
- creditcard payment gateways
- partnerships with webmasters and other scum
Partnerka partners are paid out for the number of redirects or installed software. Currently there is a tutorial available to build your own SMS scam. There is even a pay-out scheme available for e.g. stolen credit card numbers, including a money-back guarantee.
Virtual currencies: online payment systems for service transactions, WebMoney, Yandex Money; eGold is almost dead.
A conversion gateway transfers your transactions from virtual currency to real cash through a ‘clean’ account.
Goods of trade examples:
- Skype accounts with a month’s guarantee and a feedback system
- iTunes cards (Todo – Chinese auction system)
- Loaders, exploit kits
- Passports (cheapest ones from the Netherlands 9000 euro)
- Complete package (bank account with limit, credentials, passport copy of the account holder and SIM card)
In 5 seconds you will find a valid credit card if you know how to search for free credit cards on the forums using the right slang.
How much to take down Twitter? About 80 US dollars a day.
Tools used to gather intelligence on the forums:
- Nutch – extended with custom indexers; changes to spider behaviour, custom seeders, distributed indexing.
- Python scripts that parse RSS feeds
- Google App Engine, using Maltego transforms
- SOLR customized data indexing and search
- Web UI
- Maltego
Future plans:
More use of visualization tools; processing other languages.
http://www.0O0.nu/projects/intelligence-collection
http://383rat.appspot.com
Breaking virtualization by switching to virtual 8086 mode
Jonathan Brossard – HITBAMS2010
The talk is about attacking virtual machines: the attack surface, the need for new tools, an introduction to Virtual 8086 mode and practical fuzzing with vm86.
It’s time to care about virtualization. More than 78 percent of companies use virtualization for production servers, and 98 percent use VMware.
Virtualization software is so widespread that it has become a more attractive target than, say, web/DNS or mail servers. Jonathan continues with some definitions of virtualization (e.g. hypervisor type I and II, paravirtualization, hardware-assisted virtualization).
Attack surface analysis
What are the risks?
- Privilege escalation on the host – VMware Tools hgfs local privilege escalation vulnerability.
- Privilege escalation on the guest – CVE-2009-2267, mishandled exception on page fault in VMware.
- Attacking other guests
- DoS (host + guests)
- Escape from guest to host
Consequences:
Owning the host OS from the guest is practical: security through virtualization is a failure. Seemingly minor bugs do matter: virtualization amplifies the consequences.
We need low level attack vectors:
- ioports
- ioctls
But there are problems using these vectors, e.g. multiple ports.
Introducing Virtual 8086 mode – introduced with the Intel 386, which supports three modes:
- protected mode
- real address mode
- system management mode
The nice thing about real mode is direct access to hardware via interrupts, like back in the 80s.
The problem is: is this even possible inside a virtual machine?
How to switch to virtual mode? Leaving protected mode?
We don’t need to switch back to real mode/virtual 8086 mode. Most OSes offer options to run DOS 16-bit applications. The Linux kernel offers an emulation of real mode in the form of two syscalls (#include vm86.h).
In a nutshell:
- Switching to virtual mode is entirely emulated by the kernel (this will work inside a VM)
- We can still program using old-school interrupts
- Those interrupts are delivered to the hardware
x64 CPUs in 64-bit long mode cannot switch to virtual mode, so fuzzing Hyper-V and ESX this way will not work. Using kernel patches we can add vm86 capabilities to an x64 GNU/Linux kernel. The practical use is fuzzing using vm86.
Bugs Jonathan discovered:
- Virtualbox – crash of Hypervisor (Hypervisor bug)
- (guest bugs) in Virtual PC
- Parallels (Apple)
What about x64?
- attacking Microsoft 2008 R2 HyperV (runs only on 64bit CPU/OS)
No exploit has been researched yet for these bugs.
Jonathan performed a demo in which he ran Linux kernel 2.6.31 with an isolation patch. Inside this VM they installed VMware (to simulate the host application). The bug found was triggered by sending a wrong ioctl (on VMware 7.0.1) to the device driver vmmon, which runs with root privileges. This caused a crash.
Keynote security chasm HITBams2010
Dr Anton Chuvakin opens the HITBams conference with a keynote about the security chasm.
Outline:
What is security today?
How did we get here?
Security and/or/=/vs compliance?
Security vs security: does what we do for security today actually improve security?
Where is it all going?
1. There are two security realities: one conceptual and fuzzy, another painfully real. And a chasm between them.
2. This is not good – for security and for the business.
3. What can we do about it?
Brief history first…
1950 – 1985 Stick age: Security = door lock
1985 – 1990 Stone age: Security = anti-virus
1990 – 2000 Bronze Age: Security = firewall
2000 – 2005 Iron Age: Security = IDS/IPS
2005 – 2010 Modern Age: Security = Appsec
2010+ Cloud Age: Security = ?
A lot of companies are still stuck in the Bronze Age: a firewall is enough.
1950 – 1985 Stick Age: Local risks
1985 – 1990 Stone Age: Computer risks
1990 – 2000 Bronze Age: Network risks
2000 – 2010 Iron Age: Regulatory risks
2005 – 2010 Modern Age: Cybercrime risks
2010+ Cloud Age: All of the above risks?
So what are we doing (aka what is security)?
- protecting the data (are we data idiots?)
- defending the network
- guarding the IT environment
- reducing risk (what is risk?)
These are parts of our daily jobs. But what is the other view, what is missing?
Our mission (as security people) is: ‘We ensure that organizations run and win’. If you don’t do that, some regulatory body (HIPAA, PCI, ISO) will come and beat you and your company up.
Chuvakin outlines where compliance fears to tread, and why compliance helps secure your data and holds people/companies responsible for keeping your data secure.
He observes that companies protecting their own data and that of their customers are leaders. A company that protects its own data but not its customers’ is a risk taker. Companies that fail to protect their own data but protect only the customer data are idiots!
Study on seatbelts: Compliancy = (Awareness + Enforcement) /Security Benefit
The chasm first emerges: PCI is too easy; it’s a joke, not security; too hard; 224 controls; makes you buy stuff you don’t need, etc.
Compliance mystery solved:
Compliance is the ‘floor’ (motivator) of security; however, many prefer to treat it as a ‘ceiling’. Result: breaches, 0wnage.
How to profit from compliance? Everything you must do for compliance MUST have a security benefit for your organization!
Compliance is not the reason for the chasm, but it made it ……. more visible!
Desktops: banks now assume that the online banking client PC is owned.
Web applications: not even a ‘luck based strategy’, but a ‘lazy attacker strategy’.
If we cede desktops and web, where do we fight? Where is the line of battle?
Chasm?
Side 1:
- aligning strategy with business
- writing policies
- talking risk and doing assessments
- compliance vs security
- inputs
- trying for proactive and FAIL
Side 2:
- gathering metrics
- responding to issues
- figuring out risks and implementing controls
- keeping the business running
- output -> inputs
- focusing on responsive
Which side do you choose to approach security from, side 1 or side 2?
What does the future hold?
- more regulation to compel the laggards
- more threats to challenge the leaders
- less chance to do ‘intrusion tolerance’
- more obvious FAIL of ‘policy only’ security
- AND – of course! – more clouds
Long term: trend towards chasm closure
however……
Security 2020:
An added dimension to spice things up…..
- Security FAIL might mean you DIE!
Conclusion HOW TO BRIDGE THE CHASM:
- Is intrusion tolerance the only way? The Titanic did have compartments.
- Use compliance to drive security – don’t whine about it
- NEVER conceptualize without doing! (*)
- The chasm exists – but you can start closing it at your organization by always connecting mission with ‘metal’