Archive for the ‘Cybersecurity’ Category

Google About to Publicly Drop iPhone Exploit (More Holiday News!)

Friday, December 8th, 2017

The Jailbreaking Community Is Bracing for Google to Publicly Drop an iPhone Exploit by Lorenzo Franceschi-Bicchierai.

From the post:


Because exploits are so valuable, it’s been a long time since we’ve seen a publicly accessible iPhone jailbreak even for older versions of iOS (let alone one in the wild for an up to date iPhone.) But a tweet sent by a Google researcher Wednesday has got the security and jailbreaking communities in a frenzy. The tweet suggests that Google is about to drop an exploit that is a major step toward an iPhone jailbreak, and other researchers say they will be able to take that exploit and turn it into a full jailbreak.

It might seem surprising that an iPhone exploit would be released by Google, Apple’s closest competitor, but the company has a history of doing so, albeit with less hype than this one is garnering.

Ian Beer is a Google Project Zero security researcher, and one of the most prolific iOS bug hunters. Wednesday, he told his followers to keep their “research-only” devices on iOS 11.1.2 because he was about to release “tfp0” soon. (tfp0 stands for “task for pid 0,” or the kernel task port, which gives you control of the core of the operating system.) He also hinted that this is just the first part of more releases to come. iOS 11.1.2 was just patched and updated last week by Apple; it is extremely rare for exploits for recent versions of iOS to be made public.

Another surprise in the offing for the holiday season! See Franceschi-Bicchierai’s post for much speculation and possibilities.

Benefits from a current iPhone Exploit

  • Security researchers obtain better access to research iPhone security issues
  • FBI told by courts to hire local hackers instead of badgering Apple
  • Who carries iPhones? (security clueless public officials)

From improving the lot of security researchers, local employment for hackers and greater exposure of public officials, what’s there to not like?

Looking forward to the drop and security researchers jumping on it like a terrier pack on a rat.

Another Windows Critical Vulnerability (and I forgot to get MS anything)

Friday, December 8th, 2017

Microsoft Issues Emergency Windows Security Update For A Critical Vulnerability by Swati Khandelwal.

From the post:

If your computer is running Microsoft’s Windows operating system, then you need to apply this emergency patch immediately. By immediately, I mean now!

Microsoft has just released an emergency security patch to address a critical remote code execution (RCE) vulnerability in its Malware Protection Engine (MPE) that could allow an attacker to take full control of a victim’s PC.

Enabled by default, Microsoft Malware Protection Engine offers the core cybersecurity capabilities, like scanning, detection, and cleaning, for the company’s antivirus and antimalware programs in all of its products.

According to Microsoft, the vulnerability affects a large number of Microsoft security products, including Windows Defender and Microsoft Security Essentials along with Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, impacting Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, and Windows Server.

Tracked as CVE-2017-11937, the vulnerability is a memory corruption issue which is triggered when the Malware Protection Engine scans a specially crafted file to check for any potential threat.
… (emphasis in original)

I always feel bad when I read about newly discovered vulnerabilities in Microsoft Windows. Despite MS opening up computers around the world to the idly curious if not the malicious, I haven’t gotten them anything.

I’m sure Munich must be celebrating its plan to switch to Windows 10 for €50m. You wouldn’t think unintended governmental transparency would be that expensive. Munich could save everyone time and trouble by backing up all its files/data to an open S3 bucket on AWS. Thoughts?

Khandelwal also reports Microsoft says that this vulnerability isn’t being used in the wild. Modulo that claim comes from the originator of the vulnerability. If it couldn’t/didn’t recognize the vulnerability in its code, what are the odds of it recognizes its exploit by others? Your call.

See Khandelwal’s post for more details.

Malpedia

Thursday, December 7th, 2017

Malpedia

From the webpage:

Malpedia is a free service offered by Fraunhofer FKIE.

The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research.

Also, please be aware that not all content on Malpedia is publicly available.

More specifically, you will need an account to access all data (malware samples, non-public YARA rules, …).

In this regard, Malpedia is operated as an invite-only trust group.
…(emphasis in original)

You are probably already aware of Malpedia but I wasn’t.

Enjoy!

Security Analyst Summit – #TheSAS2017

Wednesday, December 6th, 2017

Security Analyst Summit – #TheSAS2017

From the webpage:

The Kaspersky Security Analyst Summit (SAS) is a unique annual event connecting anti-malware researchers and developers, global law enforcement agencies and CERTs and members of the security research community.

The summit is one of the best places to learn, debate, share and showcase cutting-edge research, new technologies and discuss ways to improve collaboration in the fight against cyber-crime.

Now you have a chance to get access to the unique videos of the presentations given at #TheSAS2017

Registration required but where are you going to hide from Kaspersky anyway? 😉

I count sixty-three (63) videos.

If you want to start 2018 with a broad overview of security issues, this is one place to start.

Enjoy!

PS: Any favorites?

Champing at the Cyberbit [Shouldn’t that be: Chomping on Cyberbit?]

Wednesday, December 6th, 2017

Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware by Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and Ron Deibert.

From the post:

Key Findings

  • This report describes how Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware posing as Adobe Flash updates and PDF plugins. Targets include a US-based Ethiopian diaspora media outlet, the Oromia Media Network (OMN), a PhD student, and a lawyer. During the course of our investigation, one of the authors of this report was also targeted.
  • We found a public logfile on the spyware’s command and control server and monitored this logfile over the course of more than a year. We saw the spyware’s operators connecting from Ethiopia, and infected computers connecting from IP addresses in 20 countries, including IP addresses we traced to Eritrean companies and government agencies.
  • Our analysis of the spyware indicates it is a product known as PC Surveillance System (PSS), a commercial spyware product with a novel exploit-free architecture. PSS is offered by Cyberbit — an Israel-based cyber security company that is a wholly-owned subsidiary of Elbit Systems — and marketed to intelligence and law enforcement agencies.
  • We conducted Internet scanning to find other servers associated with PSS and found several servers that appear to be operated by Cyberbit themselves. The public logfiles on these servers seem to have tracked Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of PSS to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria.

Detailed research and reporting, the like of which is absent in reporting about election year “hacks” in the United States.

Despite the excellence of reporting in this post, I find it disappointing that Citizen Lab sees this as an occasion for raising legal and regulatory issues. Especially in light of the last substantive paragraph noting:

As we explore in a separate analysis, while lawful access and intercept tools have legitimate uses, the significant insecurities and illegitimate targeting we have documented that arise from their abuse cannot be ignored. In the absence of stronger norms and incentives to induce state restraint, as well as more robust regulation of spyware companies, we expect that authoritarian and other politically corrupt leaders will continue to obtain and use spyware to covertly surveil and invisibly sabotage the individuals and institutions that hold them to account.

Exposing the abuse of peaceful citizens by their governments is a powerful tool but for me, it falls far short of holding them to account. I have always thought of being “held to account” meant there were negative consequences associated with undesirable behavior.

Do you know of any examples of governments holding Cyberbit or similar entities accountable?

I am aware that the U.S. Congress has from time to time passed legislation “regulating the CIA” and other agencies, all of which was ignored by the regulated agencies. That doesn’t sound like accountability to me.

You?

PS: Despite my disagreement on the call for action, this is a great example of how to provide credible details about malicious cyberactivity. Would that members of the IC would read it and take it to heart.

INFILTRATE 2018 – Vote on Papers – Closes 14 December 2017

Wednesday, December 6th, 2017

INFILTRATE 2018 – OPEN CFP

Cast your vote for the talks you want to see at INFILTRATE 2018.

As of today, 6 December 2017, I count 26 presentations.

The titles alone are enough to sell the conference:

  1. Energy Larceny-Breaking into a solar power plant
  2. Chainspotting: Building Exploit Chains with Logic Bugs
  3. Back To The Future – Going Back In Time To Abuse Android's JIT
  4. Windows Offender: Attacking The Windows Defender Emulator
  5. Bypassing Mitigations by Attacking JIT Server in Microsoft Edge
  6. A year of inadvertent macOS bugs
  7. L'art de l’Évasion: Modern VMWare Exploitation techniques
  8. Unboxing your VirtualBoxes: A close look at a desktop hypervisor
  9. Fuzzing the ‘Unfuzzable’
  10. How to become a Penetration tester – an attempt to guide the next generation of hackers
  11. Parasite OS
  12. Detecting Reverse Engineering with Canaries
  13. Discovering & exploiting a Cisco ASA pre-auth RCE vulnerability
  14. Synthetic Reality; Breaking macOS One Click at a Time
  15. Dissecting QNX – Analyzing & Breaking QNX Exploit Mitigations and Secure Random Number Generators
  16. Malware​ ​ tradecrafts​ ​ and nasty​ ​ secrets​ ​ of​ ​ evading​ ​ to escalating
  17. Sandbox evasion using VBA Referencing
  18. Exploits in Wetware
  19. How to escalate privileges to SYSTEM in Windows 10
  20. Pack your Android: Everything you need to know about Android Boxing
  21. How to hide your browser 0-days
  22. So you think IoT DDoS botnets are dangerous – Bypassing ISP and Enterprise Anti-DDoS with 90's techn
  23. Making love to Enterprise Software
  24. I Did it Thrawn’s Way- Spiels and the Symbiosis of Red Teaming & Threat Intelligence Analysis
  25. Digital Vengeance: Exploiting Notorious C&C Toolkits
  26. Advanced Social Engineering and OSINT for Penetration Testing

Another example of open sharing as opposed to the hoard and privilege approach of the defensive cybersecurity community. White hats are fortunate to only be a decade behind. Consider it the paranoia penalty. Fear of sharing knowledge harms you more than anyone else.

Speaking of sharing, the archives for INFILTRATE 2011 through INFILTRATE 2017 are online.

May not be true for any particular exploit, but given the lagging nature of cyberdefense, not to mention shoddy patch application, any technique less than ten years old is likely still viable. Remember SQL injection turned 17 this year and remains the #1 threat to websites.

Vote on your favorite papers for INFILTRATE 2018 – OPEN CFP
and let’s see some great tweet coverage for the conference!

INFILTRATE Security Conference, April 26 & 27 2018, @Fountainbleau Hotel

INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Groundbreaking researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere. INFILTRATE is the single-most important event for those who are focused on the technical aspects of offensive security issues, for example, computer and network exploitation, vulnerability discovery, and rootkit and trojan covert protocols. INFILTRATE eschews policy and high-level presentations in favor of just hard-core thought-provoking technical meat.

Registration: infiltrate@immunityincdotcom

Twitter: @InfiltrateCon.

Enjoy!

Tabula: Extracting A Hit (sorry) Security List From PDF Report

Tuesday, December 5th, 2017

Benchmarking U.S. Government Websites by Daniel Castro, Galia Nurko, and Alan McQuinn, provides a quick assessment of 468 of the most popular federal websites for “…page-load speed, mobile friendliness, security, and accessibility.”

Unfortunately, it has an ugly table layout:

Double column listings with the same headers?

There are 476 results on Stackoverflow this morning for extracting tables from PDF.

However, I need a cup of coffee, maybe two cups of coffee answer to extracting data from these tables.

Enter Tabula.

If you’ve ever tried to do anything with data provided to you in PDFs, you know how painful it is — there’s no easy way to copy-and-paste rows of data out of PDF files. Tabula allows you to extract that data into a CSV or Microsoft Excel spreadsheet using a simple, easy-to-use interface. Tabula works on Mac, Windows and Linux.

Tabula is download, extract, start and point your web browser to http://localhost:8080 (or http://127.0.0.1:8080), load your PDF file, select the table, export the content, easy to use.

I tried selecting the columns separately (one page at a time) but then used table recognition and selected the entirety of Table 6 (security evaluation). I don’t think it made any difference in the errors I was seeing in the result (dropping first letter of site domains, but check with your data.)

Warning: For some unknown reason, possibly a defect in the PDF and/or Tabula, the leading character from the second domain field was dropped on some entries. Not all, not consistently, but it was dropped. Not to mention missing the last line of entries on a couple of pages. Proofing is required!

Not to mention there were other recognition issues

Capture wasn’t perfect due to underlying differences in the PDF:

cancer.gov,100,901,fdic.gov,100,"3,284"
weather.gov,100,904,blm.gov,100,"3,307"
transportation.gov,,,100,,,"3,340",,,ecreation.gov,,,100,,,"9,012",
"regulations.gov1003,390data.gov1009,103",,,,,,,,,,,,,,,,
nga.gov,,,100,,,"3,462",,,irstgov.gov,,,100,,,"9,112",
"nrel.gov1003,623nationalservice.gov1009,127",,,,,,,,,,,,,,,,
hrsa.gov,,,100,,,"3,635",,,topbullying.gov,,,100,,,"9,285",
"consumerfinance.gov1004,144section508.gov1009,391",,,,,,,,,,,,,,,,

With proofing, we are way beyond two cups of coffee but once proofed, I tossed it into Calc and produced a single column CSV file: 2017-Benchmarking-US-Government-Websites-Security-Table-6.csv.

Enjoy!

PS: I discovered a LibreOffice Calc “gotcha” in this exercise. If you select a column for the top and attempt to paste it under an existing column (same or different spreadsheet), you get the error message: “There is not enough room on the sheet to insert here.”

When you select a column from the top, it copies all the blank cells in that column so there truly isn’t sufficient space to paste it under another column. Tip: Always copy columns in Calc from the bottom of the column up.

Finding Interesting Amazon S3 Buckets

Monday, December 4th, 2017

Bucket Stream

From the webpage:

This tool simply listens to various certificate transparency logs (via certstream) and attempts to find public S3 buckets from permutations of the certificates domain name.

(graphic omitted)

Be responsible. I mainly created this tool to highlight the risks associated with public S3 buckets and to put a different spin on the usual dictionary based attacks.
… (emphasis in original)

If you find the March of Dimes or the International Federation of the Red Cross and Red Crescent with an insecure Amazon S3 bucket, take the author’s advice and report it.

If asked about Amazon S3 buckets belonging to groups, organizations and governments actively seeking to harm others, I would answer differently.

You?

Will 2018 Be Your First Penetration? [Possession of SANS Posters]

Thursday, November 30th, 2017

Blueprint: Building A Better Pen Tester Tuesday, January 9th, 2018 at 1:00 PM EST (18:00:00 UTC).

From the post:

Register for this webcast and have (4) printed copies of the *new* SANS Pen Test Poster “Blueprint: Building A Better Pen Tester” mailed to the address on your SANS Portal Account. Don’t have an account? Register today and then join Ed Skoudis, on January 9th at 1pm EST, as he dives into all the tips available on the poster so you’ll know how use it to become a better pen tester. If you’re not a pen tester, this webcast will help you learn many helpful tips to make you a better information security professional and bring additional value and tradecraft to your organization.

Posters will be mailed after the webcast in January 2018.
… (emphasis in original)

It’s never clear if “pen tester” is tongue in cheek or not. Perhaps the ambiguity is intentional.

Either I or Gimp failed to enlarge the posters sufficiently to produce readable text. But, given the reputation of SANS, it’s a nice way to start the new year.

Is possession of SANS posters considered evidence of illegal activity? Any court cases you can cite?

The Motherboard Guide to Avoiding State Surveillance [Where’s Your Security Cheat Sheet?]

Wednesday, November 29th, 2017

The Motherboard Guide to Avoiding State Surveillance by Sarah Jeong.

From the post:

In the wake of September 11th, the United States built out a massive surveillance apparatus, undermined constitutional protections, and limited possible recourse to the legal system.

Given the extraordinary capabilities of state surveillance in the US—as well as the capabilities of governments around the world—you might be feeling a little paranoid! It’s not just the NSA—the FBI and even local cops have more tools at their disposal to snoop on people than ever before. And there is a terrifying breadth of passive and unexpected surveillance to worry about: Your social media accounts can be subpoenaed, your emails or calls can be scooped up in bulk collection efforts, and your cell phone metadata can be captured by Stingrays and IMSI catchers meant to target someone else.

Remember, anti-surveillance is not the cure, it’s just one thing you can do to protect yourself and others. You probably aren’t the most at-risk person, but that doesn’t mean you shouldn’t practice better security. Surveillance is a complicated thing: You can practice the best security in the world, but if you’re sending messages to someone who doesn’t, you can still be spied on through their device or through their communications with other people (if they discuss the information you told them, for instance).

That’s why it’s important that we normalize good security practices: If you don’t have that much to be afraid of, it’s all the more important for you to pick up some of these tools, because doing that will normalize the actions of your friends who are, say, undocumented immigrants, or engaged in activism. Trump’s CIA Director thinks that using encryption “may itself be a red flag.” If you have “nothing to hide,” your use of encryption can actually help people at risk by obfuscating that red flag. By following this guide, you are making someone else safer. Think of it as herd immunity. The more people practice good security, the safer everyone else is.

The security tips provided earlier in this guide still apply: If you can protect yourself from getting hacked, you will have a better shot at preventing yourself from being surveilled (when it comes to surveilling iPhones, for instance governments often have few options besides hacking the devices). But tech tools don’t solve all problems. Governments have a weapon in their hands that criminal hackers do not: the power of the law. Many of the tips in this section of the guide will help you not only against legal requests and government hacking, but also against anyone else who may be trying to spy on you.

You don’t have to turn yourself into a security expert. Just start thinking about your risks, and don’t be intimidated by the technology. Security is an ongoing process of learning. Both the threats and the tools developed to address them are constantly changing, which is one of the reasons why privacy and security advice can often seem fickle and contradictory. But the tips below are a good starting point.

Jeong writes a great post but like most of you, what I need is a security cheat sheet so I start off everyday with the same standard security practices.

Read Jeong’s post but think about creating a personalized security cheat sheet that requires your initials at the start of each day and note any security fails on your part for that day.

At the end of each week, review your security fails for patterns and/or improvements.

What’s on your security cheat sheet?

How Email Really Works

Wednesday, November 29th, 2017

There’s truth to both!

HT: @oxpss

Why Study ARM Exploitation? 100 Billion Chips Shipped, 1 Trillion Projected in 20 Years.

Monday, November 27th, 2017

Getting Started With ARM Exploitation by Azeria.

From the post:

Since I published the tutorial series on ARM Assembly Basics, people keep asking me how to get started with exploitation on ARM. Since then, I added some tutorials on how to write ARM Shellcode, an introduction to Memory Corruptions, a detailed guide on how to set up your own ARM lab environment, and some small intro to debugging with GDB. Now it’s time we get to the meat of things and use all this knowledge to start exploiting some binaries.

This first part is aimed at those of you who have no experience with reverse engineering or exploiting ARM binaries. These challenges are relatively easy and are meant to introduce a few core concepts of binary exploitation.

Why Study ARM Exploitation?

Can you name another attack surface that large?

No?

Suggest you follow Azeria and her tutorials. Today.

What do you mean, “We?”

Monday, November 20th, 2017

Prasad Ajgaonkar reports in 94pc of cyber attacks are caused by lack of infosecurity awareness training. Is your organisation safe?:

Do you know that a cyber attack takes place every 10 minutes in India? This rate is higher than that in 2016, where a cyber attack took place once every 12 minutes. A study conducted by Fortinet found that a whopping 94 percent of IT experts believe that information security (InfoSec) practices in Indian organizations are sorely inadequate and completely fail to protect from cyber attacks in today’s world.

It is crucial to be aware that the exorbitantly high cyber attacks in India is a human issue, rather than an IT issue. This means that employees failing to follow InfoSec practices- rather than IT system failures- is the biggest contributor of cyber attacks.

Therefore, it is critical to ensure that all employees at an organisation are vigilant, fully aware of cyber-threats, and trained to follow InfoSec practices at all times.

Focusing on the lack of training for employees, the post suggests this solution:

Story-telling and scenario based training would be an excellent and highly effective way to ensure that employees consistently practice InfoSec measures. An effective InfoSec training programme has the following features:

  1. Educating employees through story-telling and interactive media – …
  2. Continuous top of the mind recall – …
  3. Presenting InfoSec tips, trivia and reminders to employees through mobile phone apps…
  4. Training through scenario-based assessments – …
  5. Training through group discussions – …

I have a simpler explanation for poor cybersecurity practices of employees in India.

The Hindu captured it in one headline: India Inc pay gap: CEOs earn up to 1,200-times of average staff

Many thought the American pay gap at CEOs make 271 times the pay of most workers was bad.

Try almost four (4) times the American CEO – worker pay gap.

How much commonality of interest exists between the worker who gets $1 and for every $1, their CEO gets $1,200?

Conventional training, excluding the use of drugs and/or physical torture, isn’t likely to create a commonality of interest. Yes?

Cybersecurity “solutions” that don’t address the worker to CEO wage gap, are castles made of sand.

Are You A Member of the 300+ Mile High Club? 1,738 Satellite Targets

Thursday, November 16th, 2017

UCS Satellite Database – In-depth details on the 1,738 satellites currently orbiting Earth.

From the post:

Assembled by experts at the Union of Concerned Scientists (UCS), the Satellite Database is a listing of the more than 1000 operational satellites currently in orbit around Earth.

Our intent in producing the database is to create a research tool for specialists and non-specialists alike by collecting open-source information on operational satellites and presenting it in a format that can be easily manipulated for research and analysis.

It is available as both a downloadable Excel file and in a tab-delimited text format. A version is also provided in which the “Name” column contains only the official name of the satellite in the case of government and military satellites, and the most commonly used name in the case of commercial and civil satellites.

Satellites are much easier targets than undersea cables. Specialized equipment required for both, but undersea cables also require a submarine while satellites only a line of sight. Much easier to arrange.

With a high quality antenna and electronic gear, the sky is alive with targets. For extra points, install your antenna remote to you and use an encrypted channel to control and receive data. (Makes you less obvious than several satellite dishes in the back yard.)

PS: Follow the USC Satellite DB on Twitter. Plus, the Union of Concerned Scientists.

Going Among Capitalists? Don’t Forget Your S8 USB Cable!

Wednesday, November 15th, 2017

Teardown of a consumer voice/location cellular spying device that fits in the tip of a USB cable by Cory Doctorow.

From the post:

Mich from ha.cking bought a $25 “S8 data line locator” device — a cellular spying tool, disguised as a USB cable and marketed to the general public — and did a teardown of the gadget, offering a glimpse into the world of “trickle down surveillance” where the kinds of surveillance tools used by the NSA are turned into products and sold to randos over the internet for $25.

The S8 makes use of the GSM cellular network and takes a regular micro-SIM, and can use any of the international GSM bands. You communicate with it by sending it SMSes or by using a web front-end, which causes it to switch on a hidden mic so you can listen in on its surroundings; it can also give a coarse approximation of its location (based on GSM towers, not GPS, and accurate to within about 1.57km).

For all the technical details see: Inside a low budget consumer hardware espionage implant by mich @0x6d696368by.

In some legal jurisdictions use of this cable may be construed as a crime. But, as US torture of prisoners, NSA surveillance, and numerous other crimes by US operatives demonstrates, prosecution of crimes is at the whim and caprice of prosecutors.

Calling something a “crime” is pejorative labeling for media purposes, unless you are a prosecutor deciding on prosecution. Otherwise, it’s just labeling.

From Forever Vulnerable (aka Microsoft) – Seventeen Years of Vulnerability

Wednesday, November 15th, 2017

A seventeen year old vulnerability was patched in the Microsoft Equation Editor yesterday.

For a semi-technical overview, see Office Equation Editor Security Bug Runs Malicious Code Without User Interaction by Catalin Cimpanu.

For all the details and a back story useful for finding vulnerabilities, see: Skeleton in the closet. MS Office vulnerability you didn’t know about by Embedi.

Walking through the steps in the post to “re-discover” this vulnerability is good exercise.

It’s not the fault of Microsoft that its users fail to patch/upgrade Microsoft products. That being said, CVE-2017-11882, with a seventeen year range, should be added to your evergreen list of Microsoft vulnerabilities.

Call For Cyber Weapons (Arsenal at Black Hat Asia 2018)

Wednesday, November 15th, 2017

Welcome to Arsenal at Black Hat Asia 2018 – Call for Tools Open

Deadline: January 10 at 23:59 Pacific

From the webpage:

The Black Hat Arsenal team will be back in Singapore with the very same goal: give hackers & security researchers the opportunity to demo their newest and latest code.

The Arsenal tool demo area is dedicated to researchers and the open source community. The concept is quite simple: we provide the space and you bring your machine to showcase your work and answer questions from delegates attending Black Hat.

Once again, the ToolsWatch (@toolswatch) team will work in conjunction with Black Hat for the special event Black Hat Arsenal Asia 2018.

The 16th session will be held at the Marina Bay Sands in Singapore from March 22-March 23, 2018.

The same rules to consider before applying to Arsenal:

  • Bring your computer (with VGA output), adapter, your tool, your stickers
  • Avoid stodgy presentations. Folks are expecting action, so give’em action.
  • No vendor pitches or gear!
  • Be yourself, be cool, and wear a smile.
  • Hug the folks at Arsenal :)
  • Above all, have tremendous fun!!

For any questions, contact blackhatarsenal@ubm.com.

*Please note: You may use the plaint text “Upload File” section if you wish to include whitepapers or research; however, this field is optional and not required.

Not as much advance notice as you have for Balisage 2018 but surely you are building new tools on a regular basis!

As you have learned from tools written by others, come to Arsenal at Black Hat Asia 2018 and enable others to learn from you.

Terminology: I say “weapons” instead of “tools” to highlight the lack of any “us” when it comes to cybersecurity.

Governments and corporations have an interest in personal privacy and security only when it furthers their agendas and none when it doesn’t.

Making governments and corporations more secure isn’t in my interest. Is it in yours? (Governments have declared their lack of interest in your privacy and security by their actions. Nothing more need be said.)

Hackers! 90% of Federal IT Managers Aiming for Their Own Feet!

Tuesday, November 14th, 2017

The Federal Cyber AI IQ Test November 14, 2017 reports:


Most Powerful Applications:

  • 90% of Feds say AI could help prepare agencies for real-world cyber attack scenarios and 87% say it would improve the efficiency of the Federal cyber security workforce
  • 91% say their agency could utilize AI to monitor human activity and deter insider threats, including detecting suspicious elements and large amounts of data being downloaded, and analyzing risky user behavior
  • (emphasis in original)

One sure conclusion from this report, 90% of Feds don’t know AIs mistake turtles for rifles, 90% of the time. The adversarial example literature is full of such cases and getting more robust by the day.

The trap federal IT managers have fallen into is a familiar one. To solve an entirely human problem, a shortage of qualified labor, they want mechanize the required task, even if it means a lower qualify end result. Human problems are solved poorly, if at all, by mechanized solutions.

Opposed by lowest common denominator AI systems, hackers will be all but running the mints as cybersecurity AI systems spread across the federal government. “Ghost” federal installations will appear on agency records for confirmation of FedEx/UPS shipments. The possibilities are endless.

If you are a state or local government or even a federal IT manager, letting hackers run wild isn’t a foregone conclusion.

You could pattern your compensation packages after West Coast start-ups, along with similar perks. Expensive but do you want an OMB type data leak on your record?

Azeria-Labs VM – Naked Ubuntu VM w/ emulated ARMv6l

Sunday, November 12th, 2017

Azeria-Labs VM – Naked Ubuntu VM w/ emulated ARMv6l by Azeria.

From the webpage:

Let me guess, you don’t want to bother with any of this and just want a ready-made Ubuntu VM with all QEMU stuff setup and ready-to-play. Very well. The first Azeria-Labs VM is ready. It’s a naked Ubuntu VM containing an emulated ARMv6l.

This VM is also for those of you who tried emulating ARM with QEMU but got stuck for inexplicable linux reasons. I understand the struggle, trust me.

It’s Sunday evening here and I have conference calls tomorrow. 🙁

Still, I wanted to pass on the news about the Azeria-Labs VM and Azeria’s pointer to “ARM” challenges at Root Me.

Enjoy!

Beginner’s Guide to Exploitation on ARM

Sunday, November 12th, 2017

Beginner’s Guide to Exploitation on ARM by Billy Ellis.

From the website:

‘Beginner’s Guide to Exploitation on ARM’ is a beginner-friendly book aimed at individuals who are interested in learning the core concepts behind software vulnerability analysis & exploit development.

It explains everything from the basics of the ARM architecture to the various methods of exploitation used to take advantage of memory corruption vulnerabilities within modern systems today, using diagrams and example applications along the way to ensure that each chapter is easy to follow!

Judging from the rave reviews on Twitter and other forums, the time to order is now!

We’re all expecting relatives for the holiday season, at least in the US and Europe, so why not treat yourself to some reading material?

I will be posting more on this book after it arrives.

Enjoy!

WiMonitor – Hacker Arsenal, Design Suggestions

Sunday, November 12th, 2017

WiMonitor

From the webpage:

WiMonitor makes Wi-Fi packet sniffing and network monitoring dead simple!

Once configured the device automatically scans channels 1-13 in the 2.4GHz band, captures packets and sends them to a remote IP address over Ethernet for further processing. The encapsulation is compatible with Wireshark so you can analyze Wi-Fi traffic using it.

More information on how to get started: Getting Started Guide.

Design Suggestions:

I’m not the artistic type but I do have a couple of suggestions for the housing of the WiMonitor.

Stock image from website:

Right, let’s make the case a bright white, use “Hacker Arsenal” with a bright graphic on top surface, have labels for Wan/Lan and USB (those are hard to recognize) and of course, a power light to attract attention.

Sigh. I guess it go well with your standard working shirt:

Those c-suite types won’t notice you at all. Completely invisible.

If you strive to be a little less noticeable, ask Hacker Arsenal for a little less obvious WiMonitor. Something along these lines:

First, a black case, lose the cover as well:

(Yes, I need to work on my graphic editing skills. 😉 )

Second, make an internal USB connection sufficient for 256GB USB thumb drive, battery for power and lose the power light.

Make it drop and retrieve ready.

Now that would be a hot package!

Hacking 90% of the Commercial Air Fleet

Sunday, November 12th, 2017

Short notice for the holiday travel season but 90% of the commercial air fleet can be hacked without insider or physical access.

Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says by Calvin Biesecker.

While the research is classified (making this a CTF type problem), Biesecker reports these broad hints:


“[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.” Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft’s systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, “you can come to grips pretty quickly where we went” on the aircraft.

The aircraft that DHS is using for its tests is a legacy Boeing 757 commercial plane purchased by the S&T branch. After his speech at the CyberSat Summit, Hickey told Avionics sister publication Defense Daily that the testing is with the aircraft on the ground at the airport in Atlantic City, New Jersey. The initial response from experts was, “’We’ve known that for years,’” and, “It’s not a big deal,” Hickey said.

But in March 2017, at a technical exchange meeting, he said seven airline pilot captains from American Airlines and Delta Air Lines in the room had no clue.

“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,’” Hickey said.

Terminology for researching this issue can be found in Boeing 757 Operations Manual Volume 2, sections 5.40.1 and 5.50.1. Hardware for testing your hack can be found at one or more aircraft boneyards. Or you can always purchase new systems and advice.

No need to rush for fear of patching:

…Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said.

The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them if a cyber vulnerability was specific to systems on board 737s, he said, adding that other airlines that fly 737s would also see their earnings hurt. Hickey said newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have these protections.

Aircraft also represent different challenges for cybersecurity and traditional land-based networks, Hickey said. He said that whether it’s the U.S. Air Force or the commercial sector, there are no maintenance crews that can deal with ferreting out cyber threats aboard an aircraft.

No one checking for vulnerabilities and if discovered too expensive to fix?

Sounds like a hacker’s wet dream.

Have Orwell‘s pigs built their palaces out of straw?

PS: The meaning of “hack” when used by the DHS isn’t clear. It could mean bad temperature or location information, up to and including interference with flight control systems (highly unlikely). Interference with flight control systems is more likely to be a feature of the F-35.

Antivirus Engines Have Design Flaws?

Sunday, November 12th, 2017

Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System by Catalin Cimpanu.

Cimpanu routs the chest beating of antivirus vendors with this report on a design flaw common to Windows antivirus products. Code named AVGater by its discoverer, Florian Bogner, who also created a colorful logo for the vulnerability:

(Source: #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine by Florian Bogner)

Cimpanu gives a high level summary and Bogner more details to support further investigation of this design flaw. An incomplete list of impacted vendors: Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Ikarus, and Zone Alarm by Check Point.

So the answer is yes, antivirus engines do have design, and other, flaws.

Antivirus and other security software, increase the available attack surface for discovery of flaws and vulnerabilities.

If your antivirus or security software vendor denies increasing your attack surface, best you consider another vendor.

New Maltese Investigative News Website – Security Suggestions

Friday, November 10th, 2017

Three Experienced Maltese Journalists Open Investigative News Website by Tim Diacono.

From the post:


“The vile execution of journalist Daphne Caruana Galizia is a wakeup call for civic action, to stop the greed and the rot and to assert the power of the pen over the might of criminals who want us to remain silent as they pile up their profits,” the journalists wrote in their first editorial. “It was nothing short of a declaration of war on our serenity and freedom to stand up to be counted.”

“We have come together to create The Shift months ago thinking that there could not have been a better time for a nonpartisan voice with a clear agenda for good governance, which speaks its truth to power respectfully but firmly, keeping a distance from economic and partisan agendas. We never could have anticipated that our country would descend into this nightmare,” they added.

“We have decided to take the plunge now because we also want to contribute to the civic awakening which followed the brutal elimination of a journalist who spoke her truths to power. We do not seek to step in Daphne Caruana Galizia’s shoes and our style and approach is very different. But we promise to honour the best part of her legacy, that of being a thorn in the side… of whoever is in power.”

To the extent The Shift can be “…a thorn in the side… of whoever is in power,” I’m all for it.

On the other hand, the organizers of The Shift should consider working with an umbrella organization that provides basic security.

The Shift organizers should retain their independence but among the more glaring flaws of their current site:

  1. http:// instead of https://
  2. No PGP key for encrypted email
  3. No secure drop box for leaks
  4. No advice on secure contacts
  5. Contact form requires name and email?
  6. … others I’m sure…

The Global Investigative Journalism Network (GIJN) maintains a great list of Digital Security resources.

Even if someone else in your organization is tasked with digital security, have a nodding acquaintance with the GIJN resources and revisit them on a regular basis.

Don’t be a passive consumer of security services.

Passive consumers of security services are also known as “victims.”

Introduction To ARM Assembly Basics [The Weakest Link?]

Friday, November 10th, 2017

Introduction To ARM Assembly Basics

The latest security fails by Intel and Microsoft capture media and blog headlines but ARM devices are more numerous.

ARM devices, like a Windows server in an unlocked closet, may be the weakest link in your next target.

From the webpage:

Welcome to this tutorial series on ARM assembly basics. This is the preparation for the followup tutorial series on ARM exploit development. Before we can dive into creating ARM shellcode and build ROP chains, we need to cover some ARM Assembly basics first.

The following topics will be covered step by step:

ARM Assembly Basics Tutorial Series:
Part 1: Introduction to ARM Assembly
Part 2: Data Types Registers
Part 3: ARM Instruction Set
Part 4: Memory Instructions: Loading and Storing Data
Part 5: Load and Store Multiple
Part 6: Conditional Execution and Branching
Part 7: Stack and Functions

To follow along with the examples, you will need an ARM based lab environment. If you don’t have an ARM device (like Raspberry Pi), you can set up your own lab environment in a Virtual Machine using QEMU and the Raspberry Pi distro by following this tutorial. If you are not familiar with basic debugging with GDB, you can get the basics in this tutorial. In this tutorial, the focus will be on ARM 32-bit, and the examples are compiled on an ARMv6.

Why ARM?

This tutorial is generally for people who want to learn the basics of ARM assembly. Especially for those of you who are interested in exploit writing on the ARM platform. You might have already noticed that ARM processors are everywhere around you. When I look around me, I can count far more devices that feature an ARM processor in my house than Intel processors. This includes phones, routers, and not to forget the IoT devices that seem to explode in sales these days. That said, the ARM processor has become one of the most widespread CPU cores in the world. Which brings us to the fact that like PCs, IoT devices are susceptible to improper input validation abuse such as buffer overflows. Given the widespread usage of ARM based devices and the potential for misuse, attacks on these devices have become much more common.

Yet, we have more experts specialized in x86 security research than we have for ARM, although ARM assembly language is perhaps the easiest assembly language in widespread use. So, why aren’t more people focusing on ARM? Perhaps because there are more learning resources out there covering exploitation on Intel than there are for ARM. Just think about the great tutorials on Intel x86 Exploit writing by Fuzzy Security or the Corelan Team – Guidelines like these help people interested in this specific area to get practical knowledge and the inspiration to learn beyond what is covered in those tutorials. If you are interested in x86 exploit writing, the Corelan and Fuzzysec tutorials are your perfect starting point. In this tutorial series here, we will focus on assembly basics and exploit writing on ARM.

Don’t forget to follow Azeria on Twitter, or her RSS Feed.

Enjoy!

PS: She recently posted an really cool cheatsheet: Assembly Basics Cheatsheet. I’m going to use it to lobby (myself) for a pair of 32″ monitors so I can enlarge it on one screen and have a non-scrolling display. (Suggestions on the monitors?)

Encouraging CS Careers – Six Backdoors in Less Than an Hour!

Thursday, November 9th, 2017

Farmers Insurance for inspiration CS stories? If you doubt the answer is yes!, you haven’t read: “I HAD SIX BACKDOORS INTO THEIR NETWORK IN LESS THAN AN HOUR” by Jason Kersten.

From the post:

Hired hackers share real-world stories of breaking into computer systems (legally) through phishing scams and other high-tech mischief

It was a moment that would likely make any bank robber’s or computer hacker’s head spin: Joshua Crumbaugh talked his way behind the teller windows of a small bank in Maryland by posing as an IT technician working on the bank’s email system. As he installed malware designed to give him even more illegal access to the bank’s systems, he noticed the door to the vault was open. When no one was looking, he walked in. Piles of cash filled shelves, all within easy reach.

He turned around, held out his phone, and took a selfie. Later, he sent the picture to the bank’s CEO.

Fortunately, no crime had been committed. The CEO had hired Crumbaugh, a penetration tester (also known as a “pen tester”), to test the bank’s security. In his 10 years as a pen tester and CEO of PeopleSec, Crumbaugh has hacked everything from an NBA stadium to an oil rig. For the bank test, he identified the bank’s Internet Service Provider, called the bank pretending to be from the ISP’s customer service department, and set up a service appointment. “They were overly trusting,” says Crumbaugh, noting the bank’s own IT guy had also given him remote access to its systems without checking his credentials.

According to the 2016 State of Cybersecurity in Small & Medium-Sized Businesses report from the Ponemon Institute, a research center for global privacy, data and IT security issues, more than half of the 598 businesses surveyed had experienced a cyber attack in the prior year. A full half of respondents experienced data breaches involving customer and employee information. The companies surveyed spent an average of $900,000 cleaning up the mess, and many spent an additional $1 million to pay for disrupted workflow as a consequence of the security issues.

Teachers in middle or high school need only read the first story and allude to the others to have a diverse group of students clamoring to read the post.

There are boring CS careers where you squint at a lot of math but this article highlights more exciting life styles for those with CS training.

Here’s an inspiration picture to go with your pitch:

More details to go with the image: Inside the Secret Vault: $70 Billion in Gold.

Warn your students about the false claim that cybersecurity benefits everyone.

Correction: Cybersecurity benefits everyone who is happy with the current distribution of rewards and stripes.

People who are not happy with it, not so much.

Tanenbaum on Intel MINIX – Discourtesy is its Own Reward

Thursday, November 9th, 2017

Andrew S. Tanenbaum has posted An Open Letter to Intel on its incorporation of a modified version of MINIX into its chips.

Tanenbaum points out Intel’s conduct in this case is clearly covered by the Berkeley license of MINIX but he has a valid point that common courtesy dictates a personal note from Intel to Tanenbaum on the widespread deployment of MINIX would have been a nice touch.

In this case, discourtesy carried its own reward because Intel adapted an older version of MINIX to lie at the heart of its chips. A version perhaps not as robust and secure as a later version. A flaw that would have been discovered following a courteous note, which was never sent by Intel.

The mother lode of resources on earlier (and current) versions of MINIX is: http://www.minix3.org/.

How widely deployed is the Intel version of MINIX? Aditya Tiwari says:


After the release of MINIX 3, it is being developed as Microkernel OS. You can find MINIX 3 running inside every Intel-powered desktop, laptop or server launched after 2015. This surely gives it the title of the most used operating system in the world. Although, you don’t use it at all.
… (What Is MINIX? Is The World’s Most Used OS A Threat?)

I haven’t located a “chips shipped with MINIX” number so if you see one, ping me with the source.

Do be courteous, even if not required by license.

Otherwise, you may “pull an Intel” as this mistake will come to be known.

Metasploit for Machine Learning: Deep-Pwning

Thursday, November 9th, 2017

Metasploit for Machine Learning: Deep-Pwning

From the post:

Deep-pwning is a lightweight framework for experimenting with machine learning models with the goal of evaluating their robustness against a motivated adversary.

Note that deep-pwning in its current state is no where close to maturity or completion. It is meant to be experimented with, expanded upon, and extended by you. Only then can we help it truly become the goto penetration testing toolkit for statistical machine learning models.

Metasploit for Machine Learning: Background

Researchers have found that it is surprisingly trivial to trick a machine learning model (classifier, clusterer, regressor etc.) into making an objectively wrong decisions. This field of research is called Adversarial Machine Learning. It is not hyperbole to claim that any motivated attacker can bypass any machine learning system, given enough information and time. However, this issue is often overlooked when architects and engineers design and build machine learning systems. The consequences are worrying when these systems are put into use in critical scenarios, such as in the medical, transportation, financial, or security-related fields.

Hence, when one is evaluating the efficacy of applications using machine learning, their malleability in an adversarial setting should be measured alongside the system’s precision and recall.

(emphasis in original)

As motivation for a deep dive into machine learning, looming reliance on machine learning to compensate for a shortage of cybersecurity defender talent is hard to beat. (Why Machine Learning will Boost Cyber Security Defenses amid Talent Shortfall)

Reducing cybersecurity to the level of machine learning is nearly as inviting as use of an older, less secure version of MINIX by Intel. If you are going to take advantage of a Berkeley software license, at least get the best stuff. Yes?

Machine learning is of growing importance, but since classifiers can be fooled into identifying a 3-D turtle as a rifle, it hasn’t reached human levels of robustness.

Or to put that differently, when was the last time you identified a turtle as a rifle?

Turtle vs. rifle is a distinction few of us would miss in language, even without additional properties, as in a topic map. But thinking of their properties or characteristics, maybe a fruitful way to understand why they can be confused.

Or even planning for their confusion and communicating that plan to others.

Responding to Bricking to Promote Upgrading

Wednesday, November 8th, 2017

The chagrin of Harmony Link device (Logitech) owners over the bricking of their devices on March 16, 2018 is understandable. But isn’t the “bricking to promote upgrading” strategy described in Cimpanu‘s: Logitech Will Intentionally Brick All Harmony Link Devices Next Year a dangerous one?

Dangerous because the intentional bricking will highlight:

  1. If Harmony Link devices can be remotely bricked on March 16, 2018, they can be bricked at any time prior to March 16, 2018.
  2. If Harmony Link devices can be remotely bricked, local re-installation of earlier firmware will unbrick them. (Backup your firmware today.
  3. If all smart devices can be remotely bricked, …, you knew that but hadn’t considered it operationally. Makes you wonder about other “smart” devices by Logitech can be bricked.

I can’t second Cimpanu‘s suggestion that you run to the Federal Trade Commission (FTC).

First, it would take years and several presidents for “bricking to promote upgrading” rules to be written and with loopholes that favor industry.

Second, successful enforcement of an FTC rule is akin to where Dilbert says “then their lawyers chewed my clothes off.” A long and tedious process.

Logitech’s proposed action suggests one response to this ill-advised bricking strategy.

What if other “smart” Logitech devices began bricking themselves on March 17, 2018? How would Logitech investors react? Impact management/investor relations?

March 16, 2018, Harmony Link Bricking Day (as it will be known in the future) falls on a Friday. The next business day is Monday, March 19, 2018.

Will present Logitech management survive until March 21, 2018, or be pursuing new opportunities and interests?

Built-in Keylogger – Penetration Strategy?

Tuesday, November 7th, 2017

Built-in Keylogger Found in MantisTek GK2 Keyboards—Sends Data to China by Swati Khandelwal.

From the post:


The popular 104-key Mantistek GK2 Mechanical Gaming Keyboard that costs around €49.66 has allegedly been caught silently recording everything you type on your keyboard and sending them to a server maintained by the Alibaba Group.

Serious keylogging requires more stealth than Khandelwal reports but the idea is a good one.

When renting computers or a furnished office with computers, who is going to check all the systems for keyloggers?

Or if you sponsor a “contest” where the winner gets a new keyboard?

Or upgrades at a Fortune 100 or one of the top law firms includes new keyboards?

Or computers and keyboards are donated for use in public libraries?

Phishing is easier and cheaper than a built-in keylogger for a keyboard but don’t overlook hardware approaches for particularly tough cases.