vandeneynde.net

As you may know, firewire devices can have access to the main memory of a PC thanks to DMA.
Because of this, firewire can be used as an attack vector against a running PC. This is not news: Adam Boileau presented this technique back in 2006, but because of recent news, I decided to give it a go and see for myself how easy it is to exploit this attack vector:

Please note that this can also be used for good! Forensic investigators can use this technique to dump the memory of a running PC for investigation.

It has been some time since I posted here (work, travel, holiday and other excuses) but I hope to have a little more spare time in the future.
I would like to use this post to raise some awareness of basic incident handling procedures. I learned some time ago at SANS that Incident Handling is a process which consists of the following steps:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Special Actions for Responding to Different Types of Incidents
  • Incident Record Keeping
  • Incident Follow-Up

I am not going to explain each step of the process as this would take this article too far. I would just like to stress that there is more to it than just eradicating the problem.

The reason why I am stressing this is that, in most cases, people who are infected with some kind of malware tend to think of only one thing: get the thing removed from their system and carry on. It is interesting to see that most people don’t really care what the purpose of the malware was! Some companies do the same.

Let’s say you were infected with some kind of banking trojan, wouldn’t you want to make sure that your bank account isn’t missing a few euros? And if it was a password stealing malware, wouldn’t it be a good idea to change that password you use at every site you visit?

I am not saying that you should start going through the complete incident handling process every time your non-IT-savvy friend’s PC is infected with the latest spyware, but at least keep the incident handling process somewhere in the back of your mind. If it is only one kind of malware, investigate and inform your friend what the malware’s purpose was and what he or she should do with that information. If it is a whole zoo of malware living on your friend’s system, I would not only flatten & rebuild the system but would also give some generic advice on what he/she should do now after the mass infection. This would include basic housekeeping like changing passwords, keeping an eye on his accounts, etc. I would also give some advice on how to prevent infection in the future and explain how he/she was most likely infected.

Of course, your non-savvy friend might not understand or even be frightened, and you might think that their ignorance is your bliss, but I am convinced that without spreading a little awareness, you are fighting a fire with a very limited supply of water.

Vista Gadgets

January 26th, 2008

While I was looking into writing my own gadget for Vista’s Sidebar to display my Google Reader news, it hit me that Gadgets are really simple web browser applications.

They consist in general of only one XML and one HTML file and can contain JavaScript, VBScript, WMI scripts, … (basically everything). This should make you think, because XSS, XSRF and all kinds of web exploits can potentially work in your sidebar if the right precautions have not been taken!
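As an added illustration (not code from the original post), the kind of precaution meant above: a gadget that displays feed items is a web page, so an attacker-controlled feed title dropped straight into the gadget's markup runs as script with the gadget's privileges. The feed entries below are constructed, and the rendering functions are hypothetical helpers, not part of the Sidebar API.

```javascript
// Constructed sample feed entries; the second one carries a hostile title
// and a hostile link, as a malicious or compromised feed could.
const SAMPLE_FEED = [
  { title: "Patch Tuesday January 2008", link: "http://example.invalid/a" },
  { title: "<img src=x onerror=alert(document.cookie)>", link: "javascript:alert(1)" },
];

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Only allow http(s) links; javascript:, data: and friends are replaced by "#".
function safeHref(url) {
  return /^https?:\/\//i.test(url) ? escapeHtml(url) : "#";
}

// Vulnerable renderer: untrusted strings concatenated straight into markup.
// Assigning this to innerHTML executes the onerror handler of the second item.
function renderUnsafe(items) {
  return items.map((i) => `<li><a href="${i.link}">${i.title}</a></li>`).join("");
}

// Hardened renderer: every untrusted value is escaped and links are allow-listed,
// so the hostile title is shown as text instead of being parsed as an element.
function renderSafe(items) {
  return items
    .map((i) => `<li><a href="${safeHref(i.link)}">${escapeHtml(i.title)}</a></li>`)
    .join("");
}

// Inside the gadget this would be used as:
//   document.getElementById("news").innerHTML = renderSafe(items);
```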

Vista’s UAC warns you when you install a gadget or when the gadget isn’t signed but how many users would click yes to install ‘that cool gadget which also happens to contain a little bit of malicious code’? Most likely all of them.

There are even more attack vectors for the Vista Gadget API and I found an interesting paper which discusses these and also shows which precautions Microsoft made: http://www.portcullis-security.com/uplds/Next_Generation_malware.pdf

It is not too long and goes not too deep but gives the reader enough info and links to investigate further if wanted. The portcullis-security.com website also has a nice download section which contains a lot of interesting tools.

New Theme

January 13th, 2008

Today, I decided to go with a new look for this website. It might still change a little bit in the next days.

With the application vulnerability threat landscape evolving more and more towards 3rd party application exploits (Flash, Adobe, Winamp, …) instead of the classic network worms based on Microsoft Windows exploits, it becomes increasingly necessary to keep this 3rd party software up to date as well.
In large managed environments this is done by a central system which updates the software on your PC to the latest (and secure) version as soon as the central administrator deploys it. It is the network administrator’s task to keep track of what software requires an update.
In small environments (or at home) where these kinds of systems are not in place, you have to do it for yourself! For Microsoft software, this is no problem as it is handled through Windows Update. But how do you know which of the software tools installed on your system urgently needs an update?
Well, F-Secure released a free online checkup tool which you can let loose on your system.
It reports for all software on your system whether it should be updated or whether it is configured in an insecure manner.
The tool itself runs only through an ActiveX control in Internet Explorer which is the only disadvantage of the tool. I would have preferred a stand-alone application but I am not going to look a gift horse in the mouth.

Patch Tuesday January 2008

January 8th, 2008

Microsoft just released their monthly patches.

It contains:


The reason why I am writing about this and put the TCP/IP vulnerability in bold is that this is one which goes against the trend. It is a remotely exploitable vulnerability at the network level: a crafted IGMP / ICMP message triggers the exploit. Even Vista is vulnerable out of the box (for the IGMP part, not for the ICMP part). While the trend is moving more and more to 3rd party applications and no longer pure network worms, this is a vulnerability which is perfect for creating a network worm. It can be mitigated by classic protections:

<quote from Microsoft>

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. Perimeter firewalls that block multicast traffic (IGMPv3 and MLDv2 specifically) help protect internal network assets from this attack that originate outside of the enterprise perimeter.

</quote from Microsoft>

The point I am trying to make here is that although the trend is moving, it does not mean that classic best practices are no longer useful! Network vulnerabilities still exist; they are just less common than they used to be.

Another observation is that in the past months we have seen several vulnerabilities for MS Vista. Interestingly enough, Windows Vista was the first OS to be spawned from Microsoft’s Security Development Lifecycle, a process designed to produce more secure products. Although Microsoft is one of the ONLY software vendors who follow these strict security development and patching guidelines (not even security vendors like McAfee, Symantec, … do so!), it is not perfect yet. But at least they are already on a good path.

MD5 collisions

December 6th, 2007

MD5 hashes are no longer safe as a hash for signing applications or fingerprinting documents

Short summary of the paper:

It is possible (in a ‘chosen prefix’ attack scenario) to generate identical MD5 hash values for two functionally different binaries.

This has been done before (in 2004) but the main difference here is that the altered binary is fully functional and can contain malicious code while in 2004 the modified file needed to contain the same binary code as the original one. In this attack scenario, the attacker only needs to calculate a few kbytes to prefix both executables which results in both files having the same MD5 hashing value. The only problem for the attacker is that the original file needs to be changed as well. It is still not possible to generate a binary for a given MD5 hash.

What does this mean?
Security software which checks the MD5 signature of an application/document to verify its integrity can no longer be trusted to provide the correct results.

What about VPNs?
This does not mean that it is now possible to alter the integrity of a VPN connection. Simple reason for this is that in a VPN scenario, data flows continuously over the network and an MD5 hash is only valid for a matter of milliseconds (time the data needs to go from point A->B). It is currently not (yet) possible to alter data, calculate and update identical hashes on the fly. The researchers used a PlayStation 3 with its advanced cell processor to calculate collision hashes as fast as a 30 PC cluster but still it took hours or even days to perform the calculation. Time based security is what effectively protects a VPN in this scenario.

What integrity algorithm to use then?
SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 are still considered pretty safe and are mandatory in US federal organizations. However, SHA-1 was reported broken back in 2005 and it was advised to move away from SHA-1 then as well.
Currently the NSA is considering candidates for the next generation hashing algorithm.

Will these kind of attacks actually be seen in the wild?
Most likely not. Simple things still work for the average attacker, so there is no need for them to invest in this attack scenario, especially not for infecting the general public and expanding current botnets.
For targeted attacks and corporate/international espionage scenarios, the story is different. There the attacker might go through the difficulties of this attack because the stakes are higher.

Google has my mail!

October 31st, 2007

As of the beginning of this week, I migrated the mail for my domain to Google Apps for your domain.

Main reason is that Google rolled out IMAP(s) support for Gmail last week and that this was the one thing which I was missing in their (free) service. I don’t think I can do it better by myself in my free time (and for free) than they can.

Some interesting pointers for those of you who are thinking about migrating can be found here. For uploading my old 1.7 GB mailbox I used a ruby script (partially stolen from here but had to customize it big time). The upload is still running now but should be finished by the end of the night.

HACK.LU

October 23rd, 2007


Last week I visited HACK.LU, a security conference in Luxemburg. Besides beers at the bar and talking to interesting people there were also very interesting presentations to attend.
Most of the presentations can be found here. I will do a quick overview of the presentations which I found interesting.

Hillar Leoste from shadowserver did a very good wrap up of current Botnet activity. I am also going to play around with nepenthes to set it up as a honeypot and do some malware analysis of my own. There were some other presentations about malware analysis as well.

The death of defense in depth? Revisiting AV software was a presentation given by two people from n.runs. I learned that AV scanners themselves are not always examples of Secure Coding Practices and that many exploits are still to be found in those products. A fancy demo was one exploit for a virus scanner which worked on Windows XP, Windows 2003 and… Vista! They apparently found a way around the ASLR in Vista. It was also very cool to see how one could bypass almost all virus scanners by changing the magic byte of a zip file while still making it possible to unzip the file in WinZip. This indeed bypasses all layered defenses, but I still think that it is a bit early to cry that ‘Defense in Depth’ is dead.

Lance Spitzner did a very good opening speech on the second day on fast flux botnets. These are fast-changing botnets which are almost impossible to track. Most of the command and control servers are sponsored by the Russian Business Network. :)

Wifi Fuzzing, remote kernel exploitation was a nice presentation by three France Telecom researchers. It focused mostly on driver exploits and AP fuzzing. Although driver exploits are old news (taking the Intel exploit at BlackHat last year into account), when you see it in action, it is scary! A sample exploit for madwifi showed a vulnerable PC receiving only a couple of beacons for its network SSID and the PC was already p0wnd! Now you might think that this only affects Linux PCs… think about what software runs underneath some access points… right, Linux!

A funny presentation was about Injecting RDS-TMC Traffic Information Signals a.k.a. How to freak out your Satellite Navigation. This focused on how you could inject fake traffic messages into car satellite navigation systems. In the demo shown, the GPS suddenly chose a different route because the fake message stated that there was a closed road, traffic jam, air crash, terrorist attack or … bullfight :) Funny messages exist in TMC apparently.

Nitesh Dhanjani did a very good wrap up of XSS attacks and showed how it could be useful to attackers in many ways (except for the usual <alert> demo).

From a CISSP perspective, Cracking Windows Access Control was an insightful presentation and showed a practical example of how the failing of the Discretionary Access Control model currently implemented in Windows can cause a process at a higher integrity level to read a file of a lower integrity level, thus compromising the security of the system. This was an example of how some of the dry theory learnt during CISSP studies has a direct application in the real world.

There were many other interesting talks (RFID passports, metasm, new features in Core Impact, hacking captive portals, exploiting SAP, rootkits,…) but I suggest you look to the HACK.LU website for a full agenda.

To conclude, I must say I learnt quite a lot from the three days in Luxemburg. It was a very interesting and also entertaining experience.

PS: If you go to one of these conferences…never open your laptop and trust what you send over the network. (unless you are the one performing the MITM attack)
I needed to change my google talk password because someone was doing a MITM attack and I had forgotten to disable my google talk (or redirect it through my SSL vpn). ;-)

UPDATE: I just learned that gtalk uses encryption! I went from the assumption that it was just plain text as most Instant Messengers but this does not seem to be the case. So my password change was not really necessary. Oh well, it does not hurt anyhow…

It seems that it is possible to listen to the signal of a fiber cable with a piece of hardware which costs less than $1000.

Organizations where eavesdropping on cables is not an acceptable risk and that have invested in fiber everywhere (instead of EM-radiating copper cable) have to make sure that their cabling is physically protected, that encryption is used in every protocol sent over the cable and, if needed, implement a fiber IDS system.
