Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

February 1, 2018

NSA Exploits – Mining Malware – Ethics Question

Filed under: Cybersecurity,Ethics,Hacking,NSA,Security — Patrick Durusau @ 9:24 pm

New Monero mining malware infected 500K PCs by using 2 NSA exploits

From the post:

It looks like the craze of cryptocurrency mining is taking over the world by storm as every new day there is a new malware targeting unsuspecting users to use their computing power to mine cryptocurrency. Recently, the IT security researchers at Proofpoint have discovered a Monero mining malware that uses leaked NSA (National Security Agency) EternalBlue exploit to spread itself.

The post also mentions use of the NSA exploit, EsteemAudit.

A fair number of leads and worth your time to read in detail.

I suspect most of the data science ethics crowd will down vote the use of NSA exploits (EternalBlue, EsteemAudit) for cryptocurrency mining.

Here’s a somewhat harder data science ethics question:

Is it ethical to infect 500,000+ Windows computers belonging to a government for the purpose of obtaining internal documents?

Does your answer depend upon which government and what documents?

Governments don’t take your rights into consideration. Should you take their laws into consideration?

January 31, 2018

AutoSploit

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 11:41 am

AutoSploit

From the webpage:

As the name might suggest AutoSploit attempts to automate the exploitation of remote hosts. Targets are collected automatically as well by employing the Shodan.io API. The program allows the user to enter their platform specific search query such as Apache, IIS, etc., upon which a list of candidates will be retrieved.

After this operation has been completed the ‘Exploit’ component of the program will go about the business of attempting to exploit these targets by running a series of Metasploit modules against them. Which Metasploit modules will be employed in this manner is determined by programmatically comparing the name of the module to the initial search query. However, I have added functionality to run all available modules against the targets in a ‘Hail Mary’ type of attack as well.

The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured through the dialog that comes up before the ‘Exploit’ component is started.

Operational Security Consideration

Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead, consider running this tool from a VPS that has all the required dependencies available.

What a great day to be alive!

“Security experts,” such as Richard Bejtlich, @taosecurity, are already crying:

There is no need to release this. The tie to Shodan puts it over the edge. There is no legitimate reason to put mass exploitation of public systems within the reach of script kiddies. Just because you can do something doesn’t make it wise to do so. This will end in tears.

The same “security experts” who never complain about script kiddies that work for the CIA, for example.

Script kiddies at the CIA? Sure! Who do you think uses the tools described in: Vault7: CIA Hacking Tools Revealed, Vault 7: ExpressLane, Vault 7: Angelfire, Vault 7: Protego, Vault 8: Hive?

You didn’t think CIA staff only use tools they develop themselves from scratch did you? Neither do “security experts,” even ones capable of replicating well known tools and exploits.

So why the complaints, present and forthcoming, from “security experts?”

Well, for one thing, they are no longer special guardians of secret knowledge.

Ok, in practical economic terms, AutoSploit means any business, corporation or individual can run a robust penetration test against their own systems.

You don’t need a “security expert” for the task, one of those “security experts” with all the hoarded knowledge and expertise.

Considering “security experts” as a class (with notable exceptions) have sided with governments and corporations for decades, any downside for them is just an added bonus.

Don’t Mix Public and Dark Web Use of A Bitcoin Address

Filed under: Cybersecurity,Dark Web,Privacy,Security — Patrick Durusau @ 10:30 am

Bitcoin payments used to unmask dark web users by John E Dunn.

From the post:

Researchers have discovered a way of identifying those who bought or sold goods on the dark web, by forensically connecting them to Bitcoin transactions.

It sounds counter-intuitive. The dark web comprises thousands of hidden services accessed through an anonymity-protecting system, usually Tor.

Bitcoin transactions, meanwhile, are supposed to be pseudonymous, which is to say visible to everyone but not in a way that can easily be connected to someone’s identity.

If you believe that putting these two technologies together should result in perfect anonymity, you might want to read When A Small Leak Sinks A Great Ship to hear some bad news:

Researchers matched Bitcoin addresses found on the dark web with those found on the public web. Depending on the amount of information on the public web, those matches identified named individuals.

Black Letter Rule: Maintain separate Bitcoin accounts for each online persona.

Black Letter Rule: Never use a public persona on the dark web or a dark web persona on the public web.

Black Letter Rule: Never make Bitcoin transactions between public and dark web personas.

Remind yourself of basic OpSec rules every day.
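The three rules above can be checked mechanically. The following is an added example (not from the original post or the paper it points to) that audits a set of personas the way the researchers linked them: an address exposed under two personas, or a transaction whose inputs and outputs belong to different personas, ties those personas together. All persona and transaction data below are constructed placeholders.

```python
"""Audit online personas for Bitcoin-address linkage.

Added example, not code from the post or the research it cites. It flags the
two leaks the Black Letter Rules warn about: an address reused across personas
(rules 1 and 2) and a transaction joining addresses of different personas
(rule 3), then computes which personas become transitively linkable.
"""
from collections import defaultdict

# Constructed sample data. Address strings are placeholders, not real Bitcoin
# addresses; the "public:" and "dark:" prefixes mark where each persona lives.
PERSONAS = {
    "public:alice_blog": {"addr_A1", "addr_A2"},
    "dark:vendor_17": {"addr_D1", "addr_A2"},      # reuses addr_A2: rules 1/2 broken
    "dark:buyer_42": {"addr_D2"},
    "public:bob_donations": {"addr_B1"},
    "dark:lurker_9": {"addr_D3"},
}

# Constructed transactions: (txid, input addresses, output addresses).
TRANSACTIONS = [
    ("tx1", ["addr_B1"], ["addr_D2", "addr_B1"]),   # public pays dark: rule 3 broken
    ("tx2", ["addr_D3"], ["addr_X_unknown"]),       # dark pays an untracked party
    ("tx3", ["addr_A1"], ["addr_A1"]),              # self-transfer within one persona
]


def build_address_index(personas):
    """Map each address to the set of personas that have exposed it."""
    index = defaultdict(set)
    for persona, addresses in personas.items():
        for addr in addresses:
            index[addr].add(persona)
    return index


def shared_addresses(personas):
    """Rules 1 and 2: an address exposed by more than one persona links them."""
    index = build_address_index(personas)
    return {addr: sorted(owners) for addr, owners in index.items() if len(owners) > 1}


def cross_persona_transactions(personas, transactions):
    """Rule 3: a transaction touching addresses of different personas links them.

    Inputs and outputs are pooled, so co-spending two personas' coins in one
    transaction is flagged just like paying one persona from another.
    Addresses owned by no tracked persona are ignored.
    """
    index = build_address_index(personas)
    findings = []
    for txid, inputs, outputs in transactions:
        linked = {p for a in inputs + outputs for p in index.get(a, ())}
        if len(linked) > 1:
            findings.append((txid, sorted(linked)))
    return findings


def linked_clusters(personas, transactions):
    """Merge personas joined by either leak; return clusters of size > 1.

    A public persona landing in the same cluster as a dark-web persona is
    exactly the linkage the research exploited.
    """
    parent = {p: p for p in personas}

    def find(p):
        while parent[p] != p:
            parent[p] = parent[parent[p]]   # path halving keeps lookups short
            p = parent[p]
        return p

    def union(a, b):
        parent[find(a)] = find(b)

    for owners in shared_addresses(personas).values():
        for a, b in zip(owners, owners[1:]):
            union(a, b)
    for _, owners in cross_persona_transactions(personas, transactions):
        for a, b in zip(owners, owners[1:]):
            union(a, b)

    clusters = defaultdict(set)
    for p in personas:
        clusters[find(p)].add(p)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)


if __name__ == "__main__":
    print("shared addresses:", shared_addresses(PERSONAS))
    print("cross-persona transactions:", cross_persona_transactions(PERSONAS, TRANSACTIONS))
    print("linkable persona clusters:", linked_clusters(PERSONAS, TRANSACTIONS))
```

Running the audit on the constructed data links alice_blog to vendor_17 through the reused address and bob_donations to buyer_42 through tx1, while lurker_9 stays unlinked.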

January 30, 2018

Better OpSec – Black Hat Webcast – Thursday, February 15, 2018 – 2:00 PM EST

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:38 pm

How the Feds Caught Russian Mega-Carder Roman Seleznev by Norman Barbosa and Harold Chun.

From the webpage:

How did the Feds catch the notorious Russian computer hacker Roman Seleznev – the person responsible for over 400 point of sale hacks and at least $169 million in credit card fraud? What challenges did the government face piecing together the international trail of electronic evidence that he left? How was Seleznev located and ultimately arrested?

This presentation will review the investigation that will include a summary of the electronic evidence that was collected and the methods used to collect that evidence. The team that convicted Seleznev will show how that evidence of user attribution was used to finger Seleznev as the hacker and infamous credit card broker behind the online nicks nCuX, Track2, Bulba and 2Pac.

The presentation will also discuss efforts to locate Seleznev, a Russian national, and apprehend him while he vacationed in the Maldives. The presentation will also cover the August 2016 federal jury trial with a focus on computer forensic issues, including how prosecutors used Microsoft Windows artifacts to successfully combat Seleznev’s trial defense.

If you want to improve your opsec, study hackers who have been caught.

Formally it’s called avoiding survivorship bias. Survivorship bias – lessons from World War Two aircraft by Nick Ingram.

Abraham Wald was tasked with deciding where to add extra armour to improve the survival of airplanes in combat. Abraham Wald and the Missing Bullet Holes (An excerpt from How Not To Be Wrong by Jordan Ellenberg).

It’s a great story and one you should remember.

Combating State of the Uniom Brain Damage – Malware Reversing – Burpsuite Keygen

Filed under: Cybersecurity,Hacking,Malware,Reverse Engineering — Patrick Durusau @ 5:43 pm

Malware Reversing – Burpsuite Keygen by @lkw.

From the post:

Some random new “user” called @the_heat_man posted some files on the forums multiple times (after being deleted by mods) claiming it was a keygen for burpsuite. Many members of these forums were suspicious of it being malware. I, along with @Leeky, @dtm, @Cry0l1t3 and @L0k1 (please let me know if I missed anyone) decided to reverse engineer it to see if it is. Surprisingly as well as containing a remote access trojan (RAT) it actually contains a working keygen. As such, for legal reasons I have not included a link to the original file.

The following is a writeup of the analysis of the RAT.

In the event you, a friend or a family member are accidentally exposed to the State of the Uniom speech tonight, permanent brain damage can be avoided by repeated exposure to intellectually challenging material over an extended period.

With that in mind, I mention Malware Reversing – Burpsuite Keygen.

It is especially challenging if you aren’t familiar with reverse engineering, but the extra work of understanding each step will exercise your brain that much harder.

How serious can the brain damage be?

A few tweets from Potus and multiple sources report Democratic Senators and Representatives extolling the FBI as a bulwark of democracy.

Really? The same FBI that infiltrated civil rights groups, anti-war protesters, 9/11 defense, Black Panthers, SCLC, etc. That FBI? The same FBI that continues such activities to this very day?

A few tweets produce that level of brain dysfunction. Imagine the impact of 20 to 30 continuous minutes of exposure.

State of the Uniom is scheduled for 9 PM EST on 30 January 2018.

Readers are strongly advised to turn off all TVs and radios, to minimize the chances of accidental exposure to the State of the Uniom or repetition of the same. The New York Times will be streaming it live on its website. I have omitted that URL for your safety.

Safe activities include, reading a book, consensual sex, knitting, baking, board games and crossword puzzles, to name only a few. Best of luck to us all.

January 24, 2018

Eset’s Guide to DeObfuscating and DeVirtualizing FinFisher

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 5:38 pm

Eset’s Guide to DeObfuscating and DeVirtualizing FinFisher

From the introduction:

Thanks to its strong anti-analysis measures, the FinFisher spyware has gone largely unexplored. Despite being a prominent surveillance tool, only partial analyses have been published on its more recent samples.

Things were put in motion in the summer of 2017 with ESET’s analysis of FinFisher surveillance campaigns that ESET had discovered in several countries. In the course of our research, we have identified campaigns where internet service providers most probably played the key role in compromising the victims with FinFisher.

When we started thoroughly analyzing this malware, the main part of our effort was overcoming FinFisher’s anti-analysis measures in its Windows versions. The combination of advanced obfuscation techniques and proprietary virtualization makes FinFisher very hard to de-cloak.

To share what we learnt in de-cloaking this malware, we have created this guide to help others take a peek inside FinFisher and analyze it. Apart from offering practical insight into analyzing FinFisher’s virtual machine, the guide can also help readers to understand virtual machine protection in general – that is, proprietary virtual machines found inside a binary and used for software protection. We will not be discussing virtual machines used in interpreted programming languages to provide compatibility across various platforms, such as the Java VM.

We have also analyzed Android versions of FinFisher, whose protection mechanism is based on an open source LLVM obfuscator. It is not as sophisticated or interesting as the protection mechanism used in the Windows versions, thus we will not be discussing it in this guide.

Hopefully, experts from security researchers to malware analysts will make use of this guide to better understand FinFisher’s tools and tactics, and to protect their customers against this omnipotent security and privacy threat.

This is beyond me at the moment, but one should always try to learn from the very best. I’m making note of what can’t be understood or used today in hopes of revisiting it in the future.

Numerous reports describe FinFisher as spyware sold exclusively to governments and their agencies. Perhaps less “exclusively” than previously thought.

In any event, FinFisher is reported to be in the wild, so perhaps governments that bought FinFisher will be uncovered by FinFisher.

A more deserving group of people is hard to imagine.

Games = Geeks, Geeks = People with Access (New Paths To Transparency)

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 3:01 pm

Critical Flaw in All Blizzard Games Could Let Hackers Hijack Millions of PCs by Mohit Kumar.

From the post:

A Google security researcher has discovered a severe vulnerability in Blizzard games that could allow remote attackers to run malicious code on gamers’ computers.

Played every month by half a billion users—World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II are popular online games created by Blizzard Entertainment.

To play Blizzard games online using web browsers, users need to install a game client application, called ‘Blizzard Update Agent,’ onto their systems that run JSON-RPC server over HTTP protocol on port 1120, and “accepts commands to install, uninstall, change settings, update and other maintenance related options.”
… (emphasis in original)

See Kumar’s post for the details on “DNS Rebinding.”
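DNS rebinding works against a loopback service because the browser ends up connecting to 127.0.0.1 while the request still carries the attacker’s hostname in the Host header. The following is an added example, not Blizzard’s code or anything from Kumar’s post, of the check a service like the quoted JSON-RPC agent on port 1120 needs: accept only Host values that name the loopback service itself, and only browser Origins on an allowlist. The trusted origin and the attacker domain are hypothetical placeholders.

```python
"""Host and Origin validation for a loopback HTTP service.

Added example, not Blizzard's code. Assumes an HTTP (JSON-RPC) server bound to
127.0.0.1 on port 1120, as quoted in the post. A request that arrived via DNS
rebinding names the attacker's domain in Host, so insisting on a loopback Host
with the expected port rejects it before any RPC method is dispatched.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

LISTEN_PORT = 1120                                # port quoted in the post
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}  # urlsplit strips IPv6 brackets
TRUSTED_ORIGINS = {"https://launcher.example"}    # hypothetical allowlist


def host_is_local(host_header, expected_port=LISTEN_PORT):
    """True only if Host names this loopback service, port included.

    Being strict about the port matters: a browser always sends the port for
    http://localhost:1120, so a Host without one is not a legitimate client.
    """
    if not host_header:
        return False
    try:
        # Prefixing "//" lets urlsplit parse "host:port" as a network location,
        # handling bracketed IPv6 and lowercasing the hostname for us.
        parts = urlsplit("//" + host_header.strip())
        hostname, port = parts.hostname, parts.port
    except ValueError:          # malformed Host or port out of range
        return False
    return hostname in LOOPBACK_HOSTS and port == expected_port


def check_request(headers):
    """Return (allowed, reason) for a request's headers.

    `headers` is any mapping with case-insensitive .get(), e.g. the
    email.message.Message object http.server exposes as self.headers.
    """
    host = headers.get("Host")
    if not host_is_local(host):
        return False, "Host %r does not name this loopback service" % host
    origin = headers.get("Origin")
    # Non-browser clients send no Origin; a browser Origin must be allowlisted.
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return False, "untrusted Origin %r" % origin
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies check_request before touching the body."""

    def do_POST(self):
        allowed, reason = check_request(self.headers)
        if not allowed:
            self.send_error(403, reason)
            return
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)   # RPC body would be parsed and dispatched here
        reply = {"jsonrpc": "2.0", "result": "placeholder", "id": None}
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(reply).encode())


# Constructed request headers: a legitimate local call, and what arrives after
# DNS rebinding (TCP connection to 127.0.0.1, Host still the attacker's name).
LEGIT = {"Host": "localhost:1120", "Origin": "https://launcher.example"}
REBOUND = {"Host": "attacker.example:1120"}   # hypothetical attacker domain

if __name__ == "__main__":
    print(check_request(LEGIT))     # (True, 'ok')
    print(check_request(REBOUND))   # (False, "Host 'attacker.example:1120' ...")
    HTTPServer(("127.0.0.1", LISTEN_PORT), GuardedHandler).serve_forever()
```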

Unless you are running a botnet, why would anyone want to hijack millions of PCs?

If you wanted to rob for cash, would you rob people buying subway tokens or would you rob a bank? (That’s not a trick question. Bank is the correct answer.)

The same is true with creating government or corporate transparency. You could subvert every computer at a location but the smart money says to breach the server and collect all the documents from that central location.

How to breach servers? Target sysadmins, i.e., the people who play computer games.

PS: I would not be overly concerned with Blizzard’s reported development of patches. No doubt other holes exist or will be created by their patches.

January 23, 2018

Stop, Stop, Stop All the Patching, Give Intel Time to Breathe

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:37 am

Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners by Navin Shenoy.

From the post:

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.

Based on this, we are updating our guidance for customers and partners:

  • We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
  • We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.
  • We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.

I apologize for any disruption this change in guidance may cause. The security of our products is critical for Intel, our customers and partners, and for me, personally. I assure you we are working around the clock to ensure we are addressing these issues.

I will keep you updated as we learn more and thank you for your patience.

Essence of Shenoy’s advice:

…OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.

Or better:

Patching an Intel machine makes it worse.

That’s hardly news.

Unverifiable firmware/code + unverifiable patch = unverifiable firmware/code + patch. What part of that seems unclear?

January 22, 2018

WebGoat (Advantage over OPM)

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 9:41 pm

Deliberately Insecure Web Application: OWASP WebGoat

From the webpage:

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE or WebGoat for .Net in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications.

WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. Once deployed, the user can go through the lessons and track their progress with the scorecard.

WebGoat’s scorecards are a feature not found when hacking the Office of Personnel Management (OPM). Hacks of the OPM are reported by its inspector general and more generally in the computer security press.

EFF Investigates Dark Caracal (But Why?)

Filed under: Cybersecurity,Electronic Frontier Foundation,Government,Privacy,Security — Patrick Durusau @ 9:19 pm

Someone is touting a mobile, PC spyware platform called Dark Caracal to governments by Iain Thomson.

From the post:

An investigation by the Electronic Frontier Foundation and security biz Lookout has uncovered Dark Caracal, a surveillance-toolkit-for-hire that has been used to suck huge amounts of data from Android mobiles and Windows desktop PCs around the world.

Dark Caracal [PDF] appears to be controlled from the Lebanon General Directorate of General Security in Beirut – an intelligence agency – and has slurped hundreds of gigabytes of information from devices. It shares its backend infrastructure with another state-sponsored surveillance campaign, Operation Manul, which the EFF claims was operated by the Kazakhstan government last year.

Crucially, it appears someone is renting out the Dark Caracal spyware platform to nation-state snoops.

The EFF could be spending its time and resources duplicating Dark Caracal for the average citizen.

Instead the EFF continues its quixotic pursuit of governmental wrong-doers. I say “quixotic” because those pilloried by the EFF, such as the NSA, never change their behavior. Unlawful conduct, including surveillance, continues.

But don’t take my word for it, the NSA admits that it deletes data it promised under court order to preserve: NSA deleted surveillance data it pledged to preserve. No consequences. Just like there were no consequences when Snowden revealed widespread and illegal surveillance by the NSA.

So you have to wonder, if investigating and suing governmental intelligence organizations produces no tangible results, why is the EFF pursuing them?

If the average citizen had the equivalent of Dark Caracal at their disposal, say as desktop software, the ability of governments like Lebanon, Kazakhstan, and others, to hide their crimes, would be greatly reduced.

Exposure is no guarantee of accountability and/or punishment, but the whack-a-mole strategy of the EFF hasn’t produced transparency or consequences.

January 21, 2018

A “no one saw” It Coming Memory Hack (Schneider Electric)

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 8:13 pm

Schneider Electric: TRITON/TRISIS Attack Used 0-Day Flaw in its Safety Controller System, and a RAT by Kelly Jackson Higgins.

Industrial control systems giant Schneider Electric discovered a zero-day privilege-escalation vulnerability in its Triconex Tricon safety-controller firmware which helped allow sophisticated hackers to wrest control of the emergency shutdown system in a targeted attack on one of its customers.

Researchers at Schneider also found a remote access Trojan (RAT) in the so-called TRITON/TRISIS malware that they say represents the first-ever RAT to infect safety-instrumented systems (SIS) equipment. Industrial sites such as oil and gas and water utilities typically run multiple SISes to independently monitor critical systems to ensure they are operating within acceptable safety thresholds, and when they are not, the SIS automatically shuts them down.

Schneider here today provided the first details of its investigation of the recently revealed TRITON/TRISIS attack that targeted a specific SIS used by one of its industrial customers. Two of the customer’s SIS controllers entered a failed safe mode that shut down the industrial process and ultimately led to the discovery of the malware.

Teams of researchers from Dragos and FireEye’s Mandiant last month each published their own analysis of the malware used in the attack, noting that the smoking gun – a payload that would execute a cyber-physical attack – had not been found.

Perhaps the most amusing part of the post is Schneider’s attribution of near super-human capabilities to the hackers:


Schneider’s controller is based on proprietary hardware that runs on a PowerPC processor. “We run our own proprietary operating system on top of that, and that OS is not known to the public. So the research required to pull this [attack] off was substantial,” including reverse-engineering it, Forney says. “This bears resemblance to a nation-state, someone who was highly financed.”

The attackers also had knowledge of Schneider’s proprietary protocol for Tricon, which also is undocumented publicly, and used it to create their own library for sending commands to interact with Tricon, he says.

Alternatives to a nation-state:

  • 15-year-old working with junked Schneider hardware and the Schneider help desk
  • Disgruntled Schneider Electric employee or their children
  • Malware planted to force a quick and insecure patch being pushed out

I discount all the security chest beating by vendors. Their goal: continued use of their products.

Are your Schneider controllers air-gapped and audited?

Bludgeoning Bootloader Bugs:… (Rebecca “.bx” Shapiro – job hunting)

Filed under: Cybersecurity,Security — Patrick Durusau @ 5:20 pm

Bludgeoning Bootloader Bugs: No write left behind by Rebecca “.bx” Shapiro.

Slides from ShmooCon 2018.

If you are new to bootloading, consider Shapiro’s two blog posts on the topic:

A History of Linux Kernel Module Signing

A Tour of Bootloading

both from 2015, and her resources page.

Aside from the slides, her most current work is found at: https://github.com/bx/bootloader_instrumentation_suite.

ShmooCon 2018 just finished earlier today but check the ShmooCon archives to see a video of Shapiro’s presentation.

I don’t normally post shout-outs for people seeking employment but Shapiro does impressive work and she is sharing it with the broader community. Unlike some governments and corporations we could all name. Pass her name and details along.

Are You Smarter Than A 15 Year Old?

Filed under: Cybersecurity,Government,Hacking,Politics,Security — Patrick Durusau @ 1:27 pm

15-Year-Old Schoolboy Posed as CIA Chief to Hack Highly Sensitive Information by Mohit Kumar.

From the post:

A notorious pro-Palestinian hacking group was behind a series of embarrassing hacks against United States intelligence officials and leaked the personal details of 20,000 FBI agents, 9,000 Department of Homeland Security officers, and some number of DoJ staffers in 2015.

Believe it or not, the leader of this hacking group was just 15 years old when he used “social engineering” to impersonate the CIA director and unauthorisedly access highly sensitive information from his Leicestershire home, it was revealed during a court hearing on Tuesday.

Kane Gamble, now 18 years old, is the British teenage hacker who targeted then CIA director John Brennan, Director of National Intelligence James Clapper, Secretary of Homeland Security Jeh Johnson, FBI deputy director Mark Giuliano, as well as other senior FBI figures.

Between June 2015 and February 2016, Gamble posed as Brennan and tricked call centre and helpline staff into giving away broadband and cable passwords, using which the team also gained access to plans for intelligence operations in Afghanistan and Iran.

Gamble said he targeted the US government because he was “getting more and more annoyed about how corrupt and cold-blooded the US Government” was and “decided to do something about it.”

Your questions:

1. Are You Smarter Than A 15 Year Old?

2. Are You Annoyed by a Corrupt and Cold-blooded Government?

3. Have You Decided to do Something about It?

Yeses for #1 and #2 number in the hundreds of millions.

The lack of governments hemorrhaging data worldwide is silent proof that #3 is a very small number.

What’s your answer to #3? (Don’t post it in the comments.)

January 18, 2018

What Can Reverse Engineering Do For You?

Filed under: Cybersecurity,Reverse Engineering,Security — Patrick Durusau @ 9:18 pm

From the description:

Reverse engineering is a core skill in the information security space, but it doesn’t necessarily get the widespread exposure that other skills do even though it can help you with your security challenges. We will talk about getting you quickly up and running with a reverse engineering starter pack and explore some interesting x86 assembly code patterns you may encounter in the wild. These patterns are essentially common malware evasion techniques that include packing, analysis evasion, shellcode execution, and crypto usages. It is not always easy recognizing when a technique is used. This talk will begin by defining each technique as a pattern and then the approaches for reading or bypassing the evasion.

Technical keynote at Shellcon 2017 by Amanda Rousseau (@malwareunicorn).

Even if you’re not interested in reverse engineering, watch the video to see a true master describing their craft.

The “patterns” she speaks of are what I would call “subject identity” in a topic maps context.

January 16, 2018

Tips for Entering the Penetration Testing Field

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:29 pm

Tips for Entering the Penetration Testing Field by Ed Skoudis.

From the post:

It’s an exciting time to be a professional penetration tester. As malicious computer attackers amp up the number and magnitude of their breaches, the information security industry needs an enormous amount of help in proactively finding and resolving vulnerabilities. Penetration testers who are able to identify flaws, understand them, and demonstrate their business impact through careful exploitation are an important piece of the defensive puzzle.

In the courses I teach on penetration testing, I’m frequently asked about how someone can land their first job in the field after they’ve acquired the appropriate technical skills and gained a good understanding of methodologies. Also, over the past decade, I’ve counseled a lot of my friends and acquaintances as they’ve moved into various penetration testing jobs. Although there are many different paths to pen test nirvana, let’s zoom into three of the most promising. It’s worth noting that these three paths aren’t mutually exclusive either. I know many people who started on the first path, jumped to the second mid-way, and later found themselves on path #3. Or, you can jumble them up in arbitrary order.

Career advice and a great listing of resources for any aspiring penetration “tester.”

If you do penetration work for a government, you may be a national hero. If you do commercial penetration testing, not a national hero but not on the run either. If you do non-sanctioned penetration work, life is uncertain. Same skill, same activity. Go figure.

Updated Hacking Challenge Site Links (Signatures as Subject Identifiers)

Filed under: CTF,Cybersecurity,Hacking — Patrick Durusau @ 7:14 pm

Updated Hacking Challenge Site Links

From the post:

These are 70+ sites which offer free challenges for hackers to practice their skills. Some are web-based challenges, some require VPN access to private labs and some are downloadable ISOs and VMs. I’ve tested the links at the time of this posting and they work.

Most of them are at https://www.wechall.net but if I missed a few they will be there.

WeChall is a portal to hacking challenges where you can link your account to all the sites and get ranked. I’ve been a member since 2/2/14.

Internally to the site they have challenges there as well so make sure you check them out!

To find CTFs go to https://www.ctftime.org

On Twitter in the search field type CTF

Google is also your friend.

I’d rephrase “Google is also your friend.” to “Sometimes Google allows you to find ….”

When visiting hacker or CTF (capture the flag) sites, use the same levels of security as any government or other known hostile site.

What is an exploit or vulnerability signature if not a subject identifier?

January 11, 2018

Introduction to reverse engineering and Assembly (Suicidal Bricking by Ubuntu Servers)

Filed under: Assembly,Cybersecurity,Reverse Engineering,Security — Patrick Durusau @ 4:05 pm

Introduction to reverse engineering and Assembly by Youness Alaoui.

From the post:

Recently, I’ve finished reverse engineering the Intel FSP-S “entry” code, that is from the entry point (FspSiliconInit) all the way to the end of the function and all the subfunctions that it calls. This is only some initial foray into reverse engineering the FSP as a whole, but reverse engineering is something that takes a lot of time and effort. Today’s blog post is here to illustrate that, and to lay the foundations for understanding what I’ve done with the FSP code (in a future blog post).

Over the years, many people asked me to teach them what I do, or to explain to them how to reverse engineer assembly code in general. Sometimes I hear the infamous “How hard can it be?” catchphrase. Last week someone I was discussing with thought that the assembly language is just like a regular programming language, but in binary form—it’s easy to make that mistake if you’ve never seen what assembly is or looks like. Historically, I’ve always said that reverse engineering and ASM is “too complicated to explain” or that “If you need help to get started, then you won’t be able to finish it on your own” and various other vague responses—I often wanted to explain to others why I said things like that but I never found a way to do it. You see, when something is complex, it’s easy to say that it’s complex, but it’s much harder to explain to people why it’s complex.

I was lucky to recently stumble onto a little function while reverse engineering the Intel FSP, a function that was both simple and complex, where figuring out what it does was an interesting challenge that I can easily walk you through. This function wasn’t a difficult thing to understand, and by far, it’s not one of the hard or complex things to reverse engineer, but this one is “small and complex enough” that it’s a perfect example to explain, without writing an entire book or getting into the more complex aspects of reverse engineering. So today’s post serves as a “primer” guide to reverse engineering for all of those interested in the subject. It is a required read in order to understand the next blog posts I would be writing about the Intel FSP. Ready? Strap on your geek helmet and let’s get started!
… (emphasis in original)

Intel? Intel? I heard something recently about Intel chips. You? 😉

No, this won’t help you specifically with Spectre and Meltdown, but it’s a step in the direction of building such skills.

The Project Zero team at Google did not begin life with the skills necessary to discover Spectre and Meltdown.

It took 20 years for those vulnerabilities to be discovered.

What vulnerabilities await discovery by you?

PS: Word on the street is that Ubuntu 16.04 servers are committing suicide rather than run more slowly with patches for Meltdown and Spectre. Meltdown and Spectre Patches Bricking Ubuntu 16.04 Computers. The attribution of intention to Ubuntu servers may be a bit overdone but the bricking part is true.

January 10, 2018

Tails With Meltdown and Spectre Fixes w/ Caveats

Filed under: Cybersecurity,Security,Tails — Patrick Durusau @ 4:59 pm

Tails 3.4 is out

From the post:


In particular, Tails 3.4 fixes the widely reported Meltdown attack, and includes the partial mitigation for Spectre.

Timely security patches are always good news.

Three caveats:

1. Meltdown and Spectre patches originate in the same community that missed these vulnerabilities for twenty-odd years. How confident are you in these patches?

2. Meltdown and Spectre are more evidence for the existence of other fundamental design flaws than we have for life on other planets.

3. When did the NSA become aware of Meltdown and Spectre?

January 8, 2018

Are LaTeX Users Script Kiddies?

Filed under: Cybersecurity,Security,TeX/LaTeX — Patrick Durusau @ 5:15 pm

NO! Despite most LaTeX users not writing their own LaTeX engines or many of the packages they use, they are not script kiddies.

LaTeX users are experts in mathematics, statistics and probability, physics, computer science, astronomy and astrophysics, (François Brischoux and Pierre Legagneux 2009), as well as being skilled LaTeX authors.

There’s no shame in using LaTeX, despite not implementing a LaTeX engine. LaTeX makes high quality typesetting available to hundreds of thousands of users around the globe.

Contrast that view of LaTeX with the reaction to making cyber vulnerabilities more widely usable, which is dismissed as empowering “script kiddies.”

Every cyber vulnerability is a step towards transparency. Government and corporations fear cyber vulnerabilities, fearing their use will uncover evidence of their crimes and favoritism.

Fearing public exposure, it’s no surprise that governments prohibit the use of cyber vulnerabilities. Governments that also finance and support rape, torture, murder, etc., in pursuit of national policy.

The question for you is:

Do you want to assist such governments and corporations to continue hiding their secrets?

Your answer to that question should determine your position on the discovery, use and spread of cyber vulnerabilities.

Bait Avoidance, Congress, Kaspersky Lab

Filed under: Cybersecurity,Government,Politics,Security — Patrick Durusau @ 2:56 pm

Should you use that USB key you found? by Jeffrey Esposito.

Here is a scenario for you: You are walking around, catching Pokémon, getting fresh air, people-watching, taking Fido out to do his business, when something catches your eye. It’s a USB stick, and it’s just sitting there in the middle of the sidewalk.

Jackpot! Christmas morning! (A very small) lottery win! So, now the question is, what is on the device? Spring Break photos? Evil plans to rule the world? Some college kid’s homework? You can’t know unless…

Esposito details an experiment in which USB keys left around the University of Illinois campus resulted in 48% of them being plugged into computers.

Reports like this from Kaspersky Lab, given the interest in Kaspersky by Congress, could lead to what the pest control industry calls “bait avoidance.”

Imagine members of Congress or their staffs not stuffing random USB keys into their computers. This warning from Kaspersky could poison the well for everyone.

For what it’s worth, salting the halls and offices of Congress with USB keys carrying new-release music and movies may help develop and maintain insecure USB practices. Countering bait avoidance is everyone’s responsibility.

January 5, 2018

…Anyone With Less Technical Knowledge…

Filed under: Cybersecurity,Security — Patrick Durusau @ 5:17 pm

The headline came from Critical “Same Origin Policy” Bypass Flaw Found in Samsung Android Browser by Mohit Kumar, the last paragraph of which reads:


Since the Metasploit exploit code for the SOP bypass vulnerability in the Samsung Internet Browser is now publicly available, anyone with less technical knowledge can use and exploit the flaw on a large number of Samsung devices, most of which are still using the old Android Stock browser.
… (emphasis added)

Kumar tosses off the … anyone with less technical knowledge … line like that’s a bad thing.

I wonder if Kumar can:

  1. Design and create a CPU chip?
  2. Design and create a memory chip?
  3. Design and create from scratch a digital computer?
  4. Design and implement an operating system?
  5. Design and create a programming language?
  6. Design and create a compiler for creation of binaries?
  7. Design and create the application he now uses for editing?

I’m guessing that Kumar strikes out on one or more of those questions, making him one of those “anyone with less technical knowledge” types.

I don’t doubt Kumar has a wide range of deep technical skills but lacking some particular technical skill doesn’t diminish your value as a person or even as a technical geek.

Moreover, security failures should be made as easy to use as possible.

No corporation or government is going to voluntarily engage in behavior changing transparency. The NSA was outed for illegal surveillance; Congress then passed a law making that surveillance retroactively legal, and when that authorization expired, the NSA continued its originally illegal surveillance.

Every security vulnerability is one potential step towards behavior changing transparency. People with “…less technical knowledge…” aren’t going to find those but with assistance, they can make the best use of the ones that are found.

Security researchers should take pride in their work. But there’s no reflected glory in dissing people who are good at other things.

Transparency, behavior changing transparency, will only result from discovery and widespread use of security flaws. (Voluntary transparency being a contradiction in terms.)

January 4, 2018

So You Want to Play God? Intel Delivers – FUCKWIT Inside

Filed under: Cybersecurity,Security — Patrick Durusau @ 2:16 pm

Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign by John Leyden and Chris Williams.

From the post:


It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas.

The fix is to separate the kernel’s memory completely from user processes using what’s called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.

Think of the kernel as God sitting on a cloud, looking down on Earth. It’s there, and no normal being can see it, yet they can pray to it.

Patches are forthcoming, at a reported cost of 5% to 30% of your Intel machine’s performance, the exact figure depending on how often the workload crosses the user/kernel boundary (system calls and interrupts).

Cloud providers are upgrading but there’s a decade of Intel chips not in the cloud that await exploitation.

Show of hands. How many of you will slow your machines down by 5% to 30% to defeat this bug?

Next question: How long will it take to cycle out of service the most recent decade of Intel chips?

You’ll have to make your own sticker for your laptop/desktop/server.

BTW, for FUCKWIT and another deep chip flaw, see: Researchers Discover Two Major Flaws in the World’s Computers.

These fundamental flaws should alter your cybersecurity conversations. But will they?
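
For the show of hands, here is how to tell whether a Linux box is actually paying that price. This is an added example, not code from the Register article or from this post, and it depends only on what the kernel itself reports: the per-issue files under /sys/devices/system/cpu/vulnerabilities/ (present from Linux 4.15 onward) and the pti flag the kernel adds to /proc/cpuinfo when page-table isolation is active. The cpuinfo text embedded in the script is constructed for illustration, not captured from a real machine.

```python
"""Check whether a Linux host is really running the Meltdown/Spectre
mitigations it was patched for.

Added example, not from the blog post or the Register article. Uses only
the kernel's own reporting: /sys/devices/system/cpu/vulnerabilities/*
(Linux 4.15+) and the 'pti' entry in the flags line of /proc/cpuinfo.
A kernel too old to report anything is treated as "unknown", not "safe".
"""
import os

SYSFS_VULNS = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status_text):
    """Map one sysfs vulnerability string to a coarse verdict.

    Real values look like "Mitigation: PTI", "Vulnerable",
    "Vulnerable: Minimal generic ASM retpoline" or "Not affected".
    """
    s = status_text.strip()
    if s.startswith("Not affected"):
        return "not affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(base=SYSFS_VULNS):
    """Verdict per issue; a missing file means the kernel predates the
    reporting interface and we cannot tell."""
    verdicts = {}
    for issue in ISSUES:
        try:
            with open(os.path.join(base, issue)) as fh:
                verdicts[issue] = classify(fh.read())
        except OSError:
            verdicts[issue] = "unknown"
    return verdicts


def cpuinfo_facts(cpuinfo_text):
    """Return (pti_flag_present, set_of_listed_bugs) from /proc/cpuinfo text."""
    pti = False
    bugs = set()
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "flags":
            pti = "pti" in value.split()
        elif key == "bugs":
            bugs.update(value.split())
    return pti, bugs


def meltdown_verdict(sysfs_verdicts, cpuinfo_text):
    """Cross-check the two sources: a kernel claiming PTI in sysfs should also
    show the 'pti' flag; a CPU listing cpu_meltdown with no mitigation is exposed."""
    pti, bugs = cpuinfo_facts(cpuinfo_text)
    sysfs = sysfs_verdicts.get("meltdown", "unknown")
    if sysfs == "mitigated" and pti:
        return "mitigated (PTI active)"
    if sysfs == "mitigated" and not pti:
        return "inconsistent: sysfs says mitigated but no pti flag in cpuinfo"
    if sysfs == "vulnerable" or (sysfs == "unknown" and "cpu_meltdown" in bugs):
        return "vulnerable"
    if sysfs == "not affected":
        return "not affected"
    return "unknown"


# Constructed samples of the relevant /proc/cpuinfo lines (not real captures).
SAMPLE_CPUINFO_PATCHED = (
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pti ssbd\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)
SAMPLE_CPUINFO_UNPATCHED = (
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)

if __name__ == "__main__":
    verdicts = read_sysfs()
    with open("/proc/cpuinfo") as fh:
        cpuinfo = fh.read()
    for issue, verdict in verdicts.items():
        print(f"{issue:11s} {verdict}")
    print("meltdown cross-check:", meltdown_verdict(verdicts, cpuinfo))
```

The files are world-readable, so no root is needed. “Unknown” on an old kernel is the honest answer: absence of a report is not absence of the bug, and the cross-check exists because a sysfs line alone is easy to misread after a kernel parameter such as pti=off is added.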

December 27, 2017

The Coolest Hacks of 2017 [Inspirational Reading for 2018]

Filed under: Cybersecurity,Security — Patrick Durusau @ 3:36 pm

The Coolest Hacks of 2017 by Kelly Jackson Higgins.

From the post:

You’d think by now with the pervasiveness of inherently insecure Internet of Things things that creative hacking would be a thing of the past for security researchers. It’s gotten too easy to find security holes and ways to abuse IoT devices; they’re such easy marks.

But our annual look at the coolest hacks we covered this year on Dark Reading shows that, alas, innovation is not dead. Security researchers found intriguing and scary security flaws that can be abused to bend the will of everything from robots to voting machines, and even the wind. They weaponized seemingly benign systems such as back-end servers and machine learning tools in 2017, exposing a potential dark side to these systems.

So grab a cold one from your WiFi-connected smart fridge and take a look at seven of the coolest hacks of the year.

“Dark side” language brings a sense of intrigue and naughtiness. But the “dark side(s)” of any system is just a side that meets different requirements. Such as access without authorization. May not be your requirement but it may be mine, or your government’s.

Let’s drop the dodging and posing as though there is a common interest in cybersecurity. There is no such common interest nor has there ever been one. Governments want backdoors, privacy advocates, black marketeers and spies want none. Users want effortless security, while security experts know security ads are just short of actionable fraud.

Cybersecurity marketeers may resist but detail your specific requirements. In writing and appended to your contract.

From the Valley of Disinformation Rode the 770 – Opportunity Knocks

Filed under: Cybersecurity,Environment,Government,Government Data,Journalism,Reporting — Patrick Durusau @ 10:32 am

More than 700 employees have left the EPA since Scott Pruitt took over by Natasha Geiling.

From the post:

Since Environmental Protection Agency Administrator Scott Pruitt took over the top job at the agency in March, more than 700 employees have either retired, taken voluntary buyouts, or quit, signaling the second-highest exodus of employees from the agency in nearly a decade.

According to agency documents and federal employment statistics, 770 EPA employees departed the agency between April and December, leaving employment levels close to Reagan-era levels of staffing. According to the EPA’s contingency shutdown plan for December, the agency currently has 14,449 employees on board — a marked change from the April contingency plan, which showed a staff of 15,219.

These departures offer journalists a rare opportunity to bleed the government like a stuck pig. From login credentials that are revoked late or not at all to acceptance of spear phishing emails, opportunities abound.

Not for “reach it to me” journalists who use sources as shields from potential criminal liability, while their colleagues are imprisoned for the simple act of publication or murdered (42 so far in 2017).

Governments have not, are not and will not act in the public interest. Laws that criminalize acquisition of data or documents are a continuation of their failure to act in the public interest.

Journalists who serve the public interest, by exposing the government’s failure to do so, should use any means at their disposal to obtain data and documents that evidence government failure and misconduct.

Are you a journalist serving the public interest or a “reach it to me” journalist, serving the public interest when there’s no threat to you?

December 24, 2017

Ichano AtHome IP Cameras – Free Vulnerabilities from Amazon

Filed under: Cybersecurity,Security — Patrick Durusau @ 5:36 pm

SSD Advisory – Ichano AtHome IP Cameras Multiple Vulnerabilities

Catalin Cimpanu @campuscodi pointed to these free vulnerabilities:

AtHome Camera is “a remote video surveillance app which turns your personal computer, smart TV/set-top box, smart phone, and tablet into a professional video monitoring system in a minute.”

The vulnerabilities found are:

  • Hard-coded username and password – telnet
  • Hard-coded username and password – Web server
  • Unauthenticated Remote Code Execution

Did you know the AtHome Camera – Remote video surveillance, Home security, Monitoring, IP Camera by iChano is a free download at Amazon?

That’s right! You can get all three of these vulnerabilities for free! Ranked “#270 in Apps & Games > Utilities,” as of 24 December 2017.

Sleuth Kit – Checking Your Footprints (if any)

Filed under: Cybersecurity,Security — Patrick Durusau @ 3:39 pm

Open Source File System Digital Forensics: The Sleuth Kit

From the webpage:

The Sleuth Kit is an open source forensic toolkit for analyzing Microsoft and UNIX file systems and disks. The Sleuth Kit enables investigators to identify and recover evidence from images acquired during incident response or from live systems. The Sleuth Kit is open source, which allows investigators to verify the actions of the tool or customize it to specific needs.

The Sleuth Kit uses code from the file system analysis tools of The Coroner’s Toolkit (TCT) by Wietse Venema and Dan Farmer. The TCT code was modified for platform independence. In addition, support was added for the NTFS and FAT file systems. Previously, The Sleuth Kit was called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent of any commercial or academic organizations.

It is recommended that these command line tools be used with the Autopsy Forensic Browser. Autopsy is a graphical interface to the tools of The Sleuth Kit and automates many of the procedures and provides features such as image searching and MD5 image integrity checks.

As with any investigation tool, any results found with The Sleuth Kit should be recreated with a second tool to verify the data.

The Sleuth Kit allows one to analyze a disk or file system image created by ‘dd’, or a similar application that creates a raw image. These tools are low-level and each performs a single task. When used together, they can perform a full analysis.

Question: Who should find your footprints first? You or someone investigating an incident?

Test your penetration techniques for footprints before someone else does. Yes?

BTW, pick up a copy of the Autopsy Forensic Browser.
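
To check your own footprints the way an investigator would, here is the mmls → fls → icat workflow from the quoted description, as an added Python example (not part of The Sleuth Kit or of this post). It assumes the TSK tools are on PATH when run against a real image; the two parsers are exercised on constructed sample output in the tools’ formats, so the logic runs without an image. The fls “*” marker is the point: a deleted file’s name and metadata address survive in the directory until they are overwritten, and icat will happily pull the contents back.

```python
"""Walk a raw (dd) disk image with The Sleuth Kit: mmls to find the
partitions, fls to list every file including deleted ones, icat to pull
a file back out by its metadata address.

Added example, not part of The Sleuth Kit or of the blog post. Real tool
invocations run only under __main__ and assume mmls/fls/icat are on PATH;
the parsers are exercised on constructed sample output below.
"""
import re
import subprocess
import sys

# "002:  000:000   0000002048   0000204799   0000202752   Linux (0x83)"
MMLS_ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")
# "+ r/r * 16(realloc):<tab>tmp.swp"  (one leading '+' per directory level)
FLS_ROW = re.compile(
    r"^(\+*)\s*([a-z-]/[a-z-])\s+(\*\s+)?([0-9A-Fa-f-]+)(\(realloc\))?:\s+(.*)$"
)


def parse_mmls(text):
    """Allocated partitions from mmls output; start/length in sectors."""
    parts = []
    for line in text.splitlines():
        m = MMLS_ROW.match(line)
        if not m:
            continue
        slot, start, length, desc = m.group(2), int(m.group(3)), int(m.group(5)), m.group(6)
        if slot == "Meta" or slot.startswith("---"):
            continue  # the partition table itself, or an unallocated gap
        parts.append({"slot": slot, "start": start, "length": length, "desc": desc})
    return parts


def parse_fls(text):
    """Entries from `fls -r` output. 'deleted' is fls's '*' marker: the name
    is still in the directory but the file's blocks are unallocated."""
    entries = []
    for line in text.splitlines():
        m = FLS_ROW.match(line)
        if not m:
            continue
        entries.append({
            "depth": len(m.group(1)),
            "type": m.group(2),
            "deleted": m.group(3) is not None,
            "addr": m.group(4),
            "realloc": m.group(5) is not None,
            "name": m.group(6),
        })
    return entries


def deleted_files(fls_text):
    """Regular files an investigator will see that you 'removed'."""
    return [e for e in parse_fls(fls_text) if e["deleted"] and e["type"] == "r/r"]


def fls_cmd(image, part):
    # -o is the partition offset in sectors, as printed by mmls
    return ["fls", "-r", "-o", str(part["start"]), image]


def icat_cmd(image, part, addr):
    return ["icat", "-o", str(part["start"]), image, addr]


# Constructed sample output (not from a real image), in the tools' formats.
SAMPLE_MMLS = """DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   Linux (0x83)
"""

SAMPLE_FLS = """d/d 11:\tlost+found
r/r 12:\tnotes.txt
r/r * 13:\tid_rsa.bak
d/d 14:\twork
+ r/r 15:\treport.pdf
+ r/r * 16(realloc):\ttmp.swp
"""


def main(image):
    mmls_out = subprocess.run(["mmls", image], capture_output=True, text=True, check=True).stdout
    for part in parse_mmls(mmls_out):
        print(f"partition {part['slot']} at sector {part['start']}: {part['desc']}")
        fls_out = subprocess.run(fls_cmd(image, part), capture_output=True, text=True, check=True).stdout
        for e in deleted_files(fls_out):
            print(f"  deleted: {e['name']} (addr {e['addr']})  recover with: "
                  + " ".join(icat_cmd(image, part, e["addr"])) + " > recovered.bin")


if __name__ == "__main__":
    main(sys.argv[1])
```

Run it as python3 footprints.py disk.dd (hypothetical file names) to print every partition and the deleted regular files in it, with the icat command that recovers each. The -o offset is in sectors; if mmls reports a unit other than 512 bytes, pass the same size to fls and icat with -b.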

December 21, 2017

SMB – 1 billion vulnerable machines

Filed under: Cybersecurity,Microsoft,Security — Patrick Durusau @ 8:10 pm

An Introduction to SMB for Network Security Analysts by Nate “Doomsday” Marx.

Of all the common protocols a new analyst encounters, perhaps none is quite as impenetrable as Server Message Block (SMB). Its enormous size, sparse documentation, and wide variety of uses can make it one of the most intimidating protocols for junior analysts to learn. But SMB is vitally important: lateral movement in Windows Active Directory environments can be the difference between a minor and a catastrophic breach, and almost all publicly available techniques for this movement involve SMB in some way. While there are numerous guides to certain aspects of SMB available, I found a dearth of material that was accessible, thorough, and targeted towards network analysis. The goal of this guide is to explain this confusing protocol in a way that helps new analysts immediately start threat hunting with it in their networks, ignoring the irrelevant minutiae that seem to form the core of most SMB primers and focusing instead on the kinds of threats an analyst is most likely to see. This guide necessarily sacrifices completeness for accessibility: further in-depth reading is provided in footnotes. There are numerous simplifications throughout to make the basic operation of the protocol more clear; the fact that they are simplifications will not always be highlighted. Lastly, since this guide is an attempt to explain the SMB protocol from a network perspective, the discussion of host based information (windows logs, for example) has been omitted.

It never occurred to me that NTLM, introduced with Windows NT in 1993, is still supported in the latest version of Windows.

That means a deep knowledge of SMB pushes the count of systems potentially vulnerable to you north of 1 billion.

How’s that for a line in your CV?
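
Since the quoted guide is aimed at network analysts, here is what hunting for that NTLM support looks like on the wire, as an added Python example (not code from Marx’s guide or from this post). It parses the SMB2 header far enough to find SESSION_SETUP requests, locates the NTLMSSP blob inside the security buffer, and reads the AUTHENTICATE_MESSAGE fields at the fixed offsets MS-NLMP gives, which is enough to recover domain, user and workstation and to separate NTLMv1 from NTLMv2 by the length of the NT response. The two SMB2 PDUs built at the bottom are constructed in the script, not captured traffic.

```python
"""Spot NTLM logons in SMB2 SESSION_SETUP requests and tell v1 from v2.

Added example, not code from Marx's guide or this post. Input is one SMB2
PDU (the bytes after the 4-byte NetBIOS length). Offsets follow MS-SMB2
(SESSION_SETUP is command 0x0001) and MS-NLMP (AUTHENTICATE is type 3).
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_SESSION_SETUP = 0x0001
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _field(buf, off):
    """One MS-NLMP field descriptor: Len(2) MaxLen(2) BufferOffset(4)."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return length, offset


def parse_ntlm_authenticate(msg):
    """Parse an AUTHENTICATE_MESSAGE; None for any other NTLM message.

    Fixed positions (MS-NLMP 2.2.1.3): LmChallengeResponse 12,
    NtChallengeResponse 20, DomainName 28, UserName 36, Workstation 44,
    NegotiateFlags 60.
    """
    if not msg.startswith(NTLMSSP_SIG) or len(msg) < 64:
        return None
    if struct.unpack_from("<I", msg, 8)[0] != NTLM_AUTHENTICATE:
        return None
    lm_len, _ = _field(msg, 12)
    nt_len, _ = _field(msg, 20)
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Strings are UTF-16LE under the UNICODE flag, else the OEM code page
    # (cp437 assumed here).
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"

    def text(off):
        length, start = _field(msg, off)
        return msg[start:start + length].decode(enc, "replace")

    # NTLMv1: the NT response is exactly 24 bytes (three DES blocks over the
    # server challenge). NTLMv2: 16 bytes of HMAC-MD5 plus a blob, so always
    # longer. No NT response at all means an anonymous/null session.
    flavour = "anonymous" if nt_len == 0 else "NTLMv1" if nt_len == 24 else "NTLMv2"
    return {"domain": text(28), "user": text(36), "workstation": text(44),
            "lm_len": lm_len, "nt_len": nt_len, "flavour": flavour}


def ntlm_from_smb2(pdu):
    """AUTHENTICATE message carried by an SMB2 SESSION_SETUP request, or None.

    The security buffer is normally SPNEGO-wrapped; rather than parse the
    ASN.1 we look for the NTLMSSP signature inside it, as most NSMs do.
    """
    if not pdu.startswith(SMB2_MAGIC) or len(pdu) < 64:
        return None
    if struct.unpack_from("<H", pdu, 12)[0] != SMB2_SESSION_SETUP:  # Command
        return None
    idx = pdu.find(NTLMSSP_SIG, 64)
    return parse_ntlm_authenticate(pdu[idx:]) if idx >= 0 else None


def ntlmv1_logons(pdus):
    """Hunting helper: (domain, user, workstation) for every NTLMv1 logon seen."""
    hits = []
    for pdu in pdus:
        auth = ntlm_from_smb2(pdu)
        if auth and auth["flavour"] == "NTLMv1":
            hits.append((auth["domain"], auth["user"], auth["workstation"]))
    return hits


# --- constructed sample traffic (built here, not captured) -----------------

def build_authenticate(domain, user, workstation, nt_response, lm_response=b"\x00" * 24):
    """Minimal AUTHENTICATE_MESSAGE with UTF-16LE strings; Version and MIC are
    zeroed, so the variable-length payload starts at offset 88."""
    items = [lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    descriptors, payload = b"", b""
    for item in items:
        descriptors += struct.pack("<HHI", len(item), len(item), 88 + len(payload))
        payload += item
    return (NTLMSSP_SIG + struct.pack("<I", NTLM_AUTHENTICATE) + descriptors
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + b"\x00" * 24 + payload)


def build_session_setup(security_blob):
    """SMB2 header (64 bytes) + SESSION_SETUP request (24 bytes) + blob.
    Real clients wrap the blob in SPNEGO; the detector does not care."""
    header = (SMB2_MAGIC + struct.pack("<HHIHH", 64, 0, 0, SMB2_SESSION_SETUP, 0)).ljust(64, b"\x00")
    body = struct.pack("<HBBIIHHQ", 25, 0, 1, 0, 0, 88, len(security_blob), 0)
    return header + body + security_blob


if __name__ == "__main__":
    legacy = build_session_setup(build_authenticate("CORP", "alice", "WS01", b"\x11" * 24))
    modern = build_session_setup(build_authenticate("CORP", "bob", "WS02", b"\x22" * 70))
    print(ntlmv1_logons([legacy, modern]))  # only alice's NTLMv1 logon
```

NTLMv1 logons are the ones worth a ticket: a 24-byte DES-based response to an 8-byte server challenge is crackable offline, and the extracted domain and user tell you whose account to follow up on. Feed the function one PDU at a time; for real traffic, strip the 4-byte NetBIOS session header first and expect the blob to be SPNEGO-wrapped, which the signature search handles.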

Keeper Security – Beyond Boo-Hooing Over Security Bullies

Filed under: Cybersecurity,Free Speech,Security — Patrick Durusau @ 8:06 pm

Security firm Keeper sues news reporter over vulnerability story by Zack Whittaker.

From the post:

Keeper, a password manager software maker, has filed a lawsuit against a news reporter and its publication after a story was posted reporting a vulnerability disclosure.

Dan Goodin, security editor at Ars Technica, was named defendant in a suit filed Tuesday by Chicago-based Keeper Security, which accused Goodin of “false and misleading statements” about the company’s password manager.

Goodin’s story, posted December 15, cited Google security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted a day earlier that a security flaw in Keeper allowed “any website to steal any password” through the password manager’s browser extension.

Goodin was one of the first to cover news of the vulnerability disclosure. He wrote that the password manager was bundled in some versions of Windows 10. When Ormandy tested the bundled password manager, he found a password stealing bug that was nearly identical to one he previously discovered in 2016.

Ormandy also posted a proof-of-concept exploit for the new vulnerability.

I’ll spare you the boo-hooing over Keeper Security‘s attempt to bully Dan Goodin and Ars Technica.

Social media criticism is like the vice-presidency, it’s not worth a warm bucket of piss.

What the hand-wringers over the bullying of Dan Goodin and Ars Technica fail to mention is your ability to no longer use Keeper Security. Not a word.

In The Best Password Managers of 2018, I see ten (10) top password managers, three of which are rated as equal to or better than Keeper Security.

Sadly I don’t use Keeper Security so I can’t send tweet #1: I refuse to use/renew Keeper Security until it abandons persecution of @dangoodin001 and @arstechnica, plus pays their legal fees.

I’m left with tweet #2: I refuse to consider using Keeper Security until it abandons persecution of @dangoodin001 and @arstechnica, plus pays their legal fees.

Choose tweet 1 or 2, ask your friends to take action, and to retweet.

Weird machines, exploitability, and provable unexploitability

Filed under: Computer Science,Cybersecurity,Security,Vocabularies — Patrick Durusau @ 7:54 pm

Weird machines, exploitability, and provable unexploitability by Thomas Dullien (IEEE pre-print, to appear IEEE Transactions on Emerging Topics in Computing)

Abstract:

The concept of exploit is central to computer security, particularly in the context of memory corruptions. Yet, in spite of the centrality of the concept and voluminous descriptions of various exploitation techniques or countermeasures, a good theoretical framework for describing and reasoning about exploitation has not yet been put forward.

A body of concepts and folk theorems exists in the community of exploitation practitioners; unfortunately, these concepts are rarely written down or made sufficiently precise for people outside of this community to benefit from them.

This paper clarifies a number of these concepts, provides a clear definition of exploit, a clear definition of the concept of a weird machine, and how programming of a weird machine leads to exploitation. The paper also shows, somewhat counterintuitively, that it is feasible to design some software in a way that even powerful attackers – with the ability to corrupt memory once – cannot gain an advantage.

The approach in this paper is focused on memory corruptions. While it can be applied to many security vulnerabilities introduced by other programming mistakes, it does not address side channel attacks, protocol weaknesses, or security problems that are present by design.

A common vocabulary to bridge the gap between ‘Exploit practitioners’ (EPs) and academic researchers. Whether it will in fact bridge that gap remains to be seen. Even the attempt will prove to be useful.

Tracing the use/propagation of Dullien’s vocabulary across Google’s Project Zero reports and papers would provide a unique data set on the spread (or not) of a new vocabulary in computer science.

Not to mention being a way to map back into earlier literature with the newer vocabulary, via a topic map.

BTW, Dullien’s statement “it is feasible to design some software in a way that even powerful attackers … cannot gain an advantage,” is, as far as software in the wild is concerned, speculation and should not dampen your holiday spirits. The abstract limits the claim to “some software” and to an attacker who can corrupt memory once; it says nothing about the software you are likely to meet. (I root for the hare and not the hounds as a rule.)

December 20, 2017

Violating TCP

Filed under: Cybersecurity,Networks — Patrick Durusau @ 8:18 pm

This is strictly a violation of the TCP specification by Marek Majkowski.

From the post:

I was asked to debug another weird issue on our network. Apparently every now and then a connection going through CloudFlare would time out with 522 HTTP error.

522 error on CloudFlare indicates a connection issue between our edge server and the origin server. Most often the blame is on the origin server side – the origin server is slow, offline or encountering high packet loss. Less often the problem is on our side.

In the case I was debugging it was neither. The internet connectivity between CloudFlare and origin was perfect. No packet loss, flat latency. So why did we see a 522 error?

The root cause of this issue was pretty complex. After a lot of debugging we identified an important symptom: sometimes, once in thousands of runs, our test program failed to establish a connection between two daemons on the same machine. To be precise, an NGINX instance was trying to establish a TCP connection to our internal acceleration service on localhost. This failed with a timeout error.

It’s unlikely that you will encounter this issue but Majkowski’s debugging of it is a great story.

It also illustrates how deep the foundations of an error, bug or vulnerability may lie.
