Thursday, 8 February 2007

RSA Conference 2007

This year RSA Conference isn't as good as expected. I can't notice any difference between last year products and this year ones. It's just as if the market stoped last year and the innovation was wandering without any proper route. Nowadays everybody talks about NAC, but also last year!! Big vendors as Cisco, Juniper, RSA, Verisign, Microsoft, IBM, CA, etc only speak about the same subjects: some kind of NAC, log management, two/three factor authentication and old IDS/IPS style appliances.

I've been reviewing all the booths and I haven't been able to locate any innovation. Just some little booths were they were managing other important issues like malware real detection/protection (and not anti-virus stuff), date leakage or some idea trying to bind the technical facts to the risk analysis field (and not looking only at the firewalls ruleset!!!)

What happens with VoIP, smartphones, online fraud, botnets, etc that are targetting all the users? I guess that they don't care.

Anyway, conferences such as RSA are soooo different to, for instance, BlackHat. The more I attend any of those, the more I think that there are two different mainstreams when talking about information security. One is the 'enterprise' feeling of security, and the other the daily security threats that we face up as normal users.

Sunday, 28 January 2007

Analyzing malware inside Parallels

The nifty thing about using Parallels for analyzing malware code is that I haven't seen yet any sample that can detect that you are using Parallels. It is clear that it is only a matter of time, but it is something interesting. For example, when using the SIDT instruction, they always look for Vmware. Vmware usually returns '0xFFxxxxxx' when asking for its IDTR address, and just by comparing the first byte you can already know if you are inside Matrix or not.

But in Parallels, it returns the same address as in a real Windows host. I switched to Parallels a couple of months ago and it is a total surprise, since I was talking to some colleagues and showing them a well known malware that detects Vmware, and voila! it ran properly without realizing that it was running in a virtual machine. For the curious, the returned address is '0x8003f400'

Saturday, 27 January 2007

Yersinia VTP exploit

We finally did it. We (Alfredo and I) released the exploit for the VTP vulnerability we found in 2005. We are not sure if it is a remote code execution, so by now we have released the DoS just in case any person smarter than us can release an exploit for remote code execution. The vulnerability was found when we were developing Yersinia, coding the VTP support. We made a very hard work for discovering some Cisco propiertary protocols like DTP and VTP since there is no public information about them.

It cannot be considered as a critical vuln since you need to be connected to the switch (so only an internal employee could cause the DoS, beware!), but I guess nobody likes their internal network not to work properly, so we consider it as a medium one.

What it is something weird is that when Cisco answered FX advisory, they didn't tell anything about us, and for sure those vulns and our vulnerability are closely related. Anyway, we have waited for more than 2 years to release it, so in our opinion, it's enough time for all Cisco customers to upgrade their IOS.

Tuesday, 9 January 2007

Outsourcing the coding lifecycle

Nowadays it is more and more common to outsource the old inhouse programmers to some external companies usually located in India, Argentina, China, ... I thought that it was only an US big vendor choice, and that it was rarely seen in the old Europe, but I was wrong. One of the key reasons for such thing is the price per hour. At least in Spain for one programmer you can get almost 10 programmers in those countries.

But there are many issues to take into account if you are interested in hiring those guys. I'll try to summarize some of them in order to try not to compromise your code quality:

  • Coding methodology: it doesn't matter if they prefer extreme programming or any other methodology. But they do need to have one, and one that fits to your requirements.

  • Documentation: document, document and document your code. And in a language that you can understand. The same for the variables names, procedure names, etc

  • Secure programming: you need to verify that they know very well some aspects of secure programming, and that they avoid some nasty bad coding practices that could lead to a XSS, SQL Injection, remote include, buffer overflow or any other vulnerability.

  • Good versioning system: all the trunk and branches code should be properly tagged

  • Code efficiency: I wish it wil be so

  • Stress and test methodology: for each version released

  • Analysis and design proper documentation

  • Formal verification (just kidding, but why not?)

But those advices are normal ones. I'd suggest to give them a try and hire them for a small snippet of code. And if you are still interested and do a big project with them, please consider to perform a white box and black box security audit (as well as other tests in order to check everything) when they have finished coding just to be sure that you won't be an easy target for the attackers and the media.

Anyway, each time I hear something related to this subject, I can't help thinking about the kids that are used in some countries working in those bad conditions...