A bunch of Security Matters
Some thoughts about Information Security from the point of view of a Spanish guy who likes to ride the horse of his imagination and walk through the everlasting nature.
Johnny Foo (http://www.blogger.com/profile/12717375481103313703)

RSA Conference 2007 (2007-02-08)

This year's RSA Conference isn't as good as expected. I can't notice any difference between last year's products and this year's. It's just as if the market had stopped last year and innovation were wandering without any proper route. Nowadays everybody talks about NAC, but that was also true last year!! Big vendors such as Cisco, Juniper, RSA, Verisign, Microsoft, IBM, CA, etc. only speak about the same subjects: some kind of NAC, log management, two/three-factor authentication and old IDS/IPS-style appliances.

I've been reviewing all the booths and I haven't been able to locate any innovation. Just some little booths where they were addressing other important issues like real malware detection/protection (and not anti-virus stuff), data leakage, or some idea trying to bind the technical facts to the risk analysis field (and not looking only at the firewall ruleset!!!)

What about VoIP, smartphones, online fraud, botnets, etc. that are targeting all the users? I guess they don't care.

Anyway, conferences such as RSA are soooo different from, for instance, BlackHat. The more I attend either of them, the more I think that there are two different mainstreams when talking about information security. One is the 'enterprise' feeling of security, and the other the daily security threats that we face as normal users.

Analyzing malware inside Parallels (2007-01-28)

The nifty thing about using Parallels for analyzing malware code is that I haven't yet seen any sample that can detect that you are using Parallels. It is clearly only a matter of time, but it is interesting. For example, when using the SIDT instruction, they always look for VMware. VMware usually returns '0xFFxxxxxx' when asked for its IDTR base address, and just by comparing the first byte you can already know whether you are inside the Matrix or not.

But in Parallels, it returns the same address as on a real Windows host. I switched to Parallels a couple of months ago and it was a total surprise: I was talking to some colleagues and showing them a well-known malware sample that detects VMware, and voilà! it ran properly without realizing that it was running in a virtual machine. For the curious, the returned address is '0x8003f400'.

Yersinia VTP exploit (2007-01-27)

We finally did it (http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0532.html). We (Alfredo and I) released the exploit for the VTP vulnerability we found in 2005. We are not sure if it is a remote code execution, so for now we have released the DoS, just in case someone smarter than us can release an exploit for remote code execution. The vulnerability was found when we were developing Yersinia (http://www.yersinia.net), coding the VTP support.
We worked very hard to discover some Cisco proprietary protocols like DTP and VTP, since there is no public information about them.

It cannot be considered a critical vuln since you need to be connected to the switch (so only an internal employee could cause the DoS, beware!), but I guess nobody likes their internal network not working properly, so we consider it a medium one.

What is weird is that when Cisco answered FX's advisory, they didn't say anything about us, and for sure those vulns and our vulnerability are closely related. Anyway, we have waited for more than 2 years to release it, so in our opinion it's enough time for all Cisco customers to upgrade their IOS.

Outsourcing the coding lifecycle (2007-01-09)

Nowadays it is more and more common to outsource the old in-house programmers to external companies usually located in India, Argentina, China, ... I thought that it was only a choice of big US vendors, and rarely seen in old Europe, but I was wrong. One of the key reasons for this is the price per hour. At least in Spain, for the cost of one programmer you can get almost 10 programmers in those countries.

But there are many issues to take into account if you are interested in hiring those guys. I'll try to summarize some of them so as not to compromise your code quality:

- Coding methodology: it doesn't matter if they prefer extreme programming or any other methodology. But they do need to have one, and one that fits your requirements.
- Documentation: document, document and document your code. And in a language that you can understand. The same for variable names, procedure names, etc.
- Secure programming: you need to verify that they know some aspects of secure programming very well, and that they avoid the nasty bad coding practices that could lead to XSS, SQL injection, remote include, buffer overflow or any other vulnerability.
- Good versioning system: all the trunk and branch code should be properly tagged.
- Code efficiency: I wish it will be so.
- Stress and test methodology: for each version released.
- Proper analysis and design documentation.
- Formal verification (just kidding, but why not?)

But those are the usual pieces of advice. I'd suggest giving them a try and hiring them for a small snippet of code. And if you are still interested and do a big project with them, please consider performing a white-box and black-box security audit (as well as other tests to check everything) when they have finished coding, just to be sure that you won't be an easy target for the attackers and the media.

Anyway, each time I hear something related to this subject, I can't help thinking about the kids that are used in some countries working in those bad conditions...

Malware is in the air (2006-12-30)

The more malware I analyze, the more I think that 'the bad guys' do not worry about the work they are doing. In fact, it is something strange that I cannot understand.
Some of the samples show that they have some in-depth knowledge in some areas (Windows processes, registry, hiding, etc.) but at the same time they use simple and well-known packers (like UPX) or they do not even use any packer at all.

If I were a 'bad guy', and I had spent some amount of dollars paying a programming expert to develop a complex trojan, I would care and I would use some home-made packer in order to complicate its analysis. I'm tired of seeing anti-debugging code (SIDT, INT 3, threads, SEH, ...) that rules, but using UPX sucks. At least if you change some UPX headers (for instance the section name) you cannot run the normal UPX binary to unpack the malware.

The same applies to the encryption method used. I would say that perhaps 75% of the malware, if it encrypts anything, uses XOR encryption. I know that it is easy to implement, but come on, public key cryptography is something that we (should) use daily.

In summary, let's have a happy new year 2007 and check out the Mark Russinovich video about detecting malware (http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=359) before the end of the year!!

Old DNS stuff (2006-12-14)

Today I was trying to test honeysnap (http://www.honeynet.org/tools/honeysnap), which, by the way, is a very useful tool, with some DNS data in a pcap file and wanted to test some HINFO and TXT DNS records. But the problem I came across is that it is very rare to find any HINFO record on the Internet nowadays!!!

According to the RFC, HINFO is supposed to be the record for describing the hardware where the DNS server (usually ISC BIND) is running. Almost every security paper and/or manual I can remember says that "you must delete your HINFO record in order not to give strategic information to your attackers". Ouch!!!! Come on, if you do not want to reveal your real hardware, at least say something funny, like "This is running an illegal version of Windows" or better, "The DNS server hardware is something that came from outer space"...

Anyway, after looking desperately for any DNS server with a HINFO record I found one in Canada. The domain www.uwo.ca (The University of Western Ontario) has a HINFO record, which is "Sun Ultra Enterprise 2 Solaris 2.6". Pretty classic, isn't it?

0-days and the Hollywood movies (2006-12-10)

It is more and more common to see the term '0-day' or 'zero day' in marketing material, in most cases from IDS and/or IPS vendors. This is something they easily claim but they never say anything more about it. Yes, I know, 0-day is a cool and nifty word, and if you tell your customers that your appliance protects from '0-days' the moment you deploy it, your sales rate will increase, ooooopppsss!!!

But what is a 0-day? According to Wikipedia (http://en.wikipedia.org/wiki/Zero_day): 'Zero day or 0day refers to software, videos, music, or information unlawfully released or obtained on the day of public release'. In summary, something you get even before it gets released. Wikipedia also has another definition more related to this post's subject: 'Zero-Day exploits are released before, or on the same day the vulnerability — and, sometimes, the vendor patch — are released to the public. The term derives from the number of days between the public advisory and the release of the exploit'.
So in this case it is a well-known vulnerability (with its exploit) that has no patch available from the vendor. Hmm, and what about the private vulnerabilities that even the vendors don't know anything about? Not only individuals' exploits, but also the companies focused on this market (iDefense, TippingPoint, ...), because both those individuals and companies hold vulnerabilities for some period of time without notifying the vendors. Do all the IDS/IPS/Anti-XXX protect their customers from those vulns? Come on product managers, try not to make up your statements.

Regarding 0-days, there is an initiative from some well-known security guys (ZERT, http://isotf.org/zert/) that provides patches for those vulnerabilities that are public but for which the vendor hasn't released a patch. Although their effort is worthwhile, I don't think it is something valid. I wouldn't rely on applying those unofficial patches to my boxes; that is something I would leave to my vendor (and something I would complain about and request support for if needed). I'd prefer other workarounds that could protect me against those vulnerabilities, even using those IPS that announce 0-day protection if they can be customized to protect me (that is another BIG problem nowadays: they can effectively detect a new vulnerability if they have the signature, but they can be easily evaded).

Anyway, if you are interested in the public 0-days, there is an interesting page from eEye that lists them all: Zero day tracker (http://research.eeye.com/html/alerts/zeroday/index.html)

Contribute to the Security Community!! (2006-11-30)

It seems that the number of free software/open-source projects related to security is decreasing as time goes by. This is something that surprises me, because there are more and more security professionals out there (just have a look at the usual security mailing lists). Some time ago, almost every month a couple of interesting and innovative security projects were released to the public community, and now it is very strange to see any interesting security project. The same is happening with the mailing lists; it is very rare to find an interesting opinion or comment in mailing lists such as full-disclosure, bugtraq or any other similar one.

Although that is the current situation in the public mailing lists (there are some exceptions, like the superb daily-dave mailing list, http://lists.immunitysec.com/mailman/listinfo/dailydave), there are some blogs that hold very interesting stuff, so now the interesting issues are migrating from the mailing lists to the blogs (just check my list on the left).

It is important that people related to the information security community start to contribute to it; even though it is very well known that everybody uses free software/open-source programs (nmap, ethereal, linux, nessus, snort, scapy, ...), very few of them contribute (by contribute I mean reporting bugs, helping with the documentation, sending patches, requesting new features, etc.)

So please, if you think that those nifty tools you are currently using are worthwhile, take a short break and think about the many hours dedicated by people, sometimes in their spare time, and try to help and improve them as if they were your own and beloved project.

Can ISPs block outbound connections? (2006-11-27)

I'm subscribed to a DSL line at home, and the provider is the biggest one in Spain, Telefonica.
The issue I'm having with them is that they block some of my outbound connections and I am not sure if it is for good or for bad. In fact, I have detected some URLs that I cannot connect to, and I need to use a (non-)anonymous proxy available on the Internet in order to connect to them. It seems that they are only blocking HTTP and HTTPS connections, but it is something they shouldn't do.

Most of those URLs are either malicious or fraud-related, but what happens if I want to access them? It could be helpful that they block those URLs, but at least they could let the user choose whether they want to be "protected" by the ISP or not. I'm supposed to have an unfiltered service, am I not?

I could even understand that they filter those nasty DNS entries that could lead to a malicious site (I could end up using another DNS server), but please, do not filter my outbound connections.

First post - Virtual Machine detection (2006-11-25)

Looking through my colleague's webpage (http://www.jessland.net/), I came across a comment about a very good packer that I'm trying to analyze, Themida (http://www.oreans.com/). But the comment wasn't about Themida's features, but about virtual machine detection.

Nowadays, more than 50% of the malware that we analyze has some kind of virtual machine detection in its code (typically the SIDT method), and if they detect any virtual machine, they just do nothing. So perhaps that's a good idea for our production servers: migrate them to virtualization software, and in case they get compromised, the malware code won't run on them.

But the problem is for the analysts: using tools like VMware is handy, but you always end up using a real machine (I even use my own laptop to analyze the malware, so my Windows XP has been infected several times). So, what is the solution? It is fairly simple: use one of those hardware cards that restore the OS state (used for example in cybercafes), and IDA Pro with its great remote debugging. When you have finished the analysis, just reboot the box and voilà, your OS is like freshly installed.

Anyway, this post was about virtual machine detection, and the guys at intelguardians (http://www.intelguardians.com/) have some slides (http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf) about all the different methods, but there is one left out, discovered by Alfredo Andrés (my Yersinia colleague and friend) with the STR instruction; check it out at our company address here (http://www.s21sec.com/descargas/vmware-eng.pdf).
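The SIDT check discussed in this post and in the Parallels post, and the STR variant found by Alfredo, leave recognisable opcode patterns in a sample. As an added triage helper (my own example, not code from this blog or from Yersinia), the script below flags reads of the descriptor and task registers in raw x86 code and applies the IDTR first-byte rule from the Parallels post; the function names and the sample bytes are constructed for illustration.

```python
"""Triage helper for anti-VM probes in x86 code (added example, not from the blog).

Flags SIDT/SGDT/SLDT/STR, the reads malware uses to fingerprint a hypervisor,
and applies the IDTR first-byte rule the Parallels post describes.
Byte-pattern scan, not a disassembler: data bytes can collide with opcodes.
"""
import struct

# Second opcode byte -> {ModRM reg field: mnemonic}. Documented x86 encodings.
_GROUP6 = {0: "sldt", 1: "str"}   # 0F 00 /r, register or memory operand
_GROUP7 = {0: "sgdt", 1: "sidt"}  # 0F 01 /r, memory operand only


def find_vm_probes(code: bytes) -> list[tuple[int, str]]:
    """Return (offset, mnemonic) for every descriptor/task-register read found."""
    hits = []
    i = 0
    while i + 2 < len(code):
        if code[i] == 0x0F and code[i + 1] in (0x00, 0x01):
            modrm = code[i + 2]
            mod, reg = modrm >> 6, (modrm >> 3) & 7
            table = _GROUP6 if code[i + 1] == 0x00 else _GROUP7
            name = table.get(reg)
            # 0F 01 with mod == 3 encodes MONITOR/MWAIT/XGETBV..., not SGDT/SIDT
            if name and not (code[i + 1] == 0x01 and mod == 3):
                hits.append((i, name))
                i += 3
                continue
        i += 1
    return hits


def parse_idtr(buf: bytes) -> tuple[int, int]:
    """Decode the 6 bytes SIDT stores in 32-bit mode: 16-bit limit, 32-bit base."""
    if len(buf) < 6:
        raise ValueError("SIDT output is 6 bytes in 32-bit mode")
    limit, base = struct.unpack_from("<HI", buf)
    return limit, base


def idt_base_suggests_vmware(base: int) -> bool:
    """The red-pill rule from the post: VMware hands back 0xFFxxxxxx, while a
    native Windows XP host (and Parallels) reports 0x8003f400."""
    return (base >> 24) & 0xFF == 0xFF


if __name__ == "__main__":
    # Constructed fragment: nop; sidt [esp]; str eax; monitor; sidt [ebp-8]
    sample = bytes.fromhex("90 0f01 0c24 0f00 c8 0f01 c8 0f01 4df8")
    for off, name in find_vm_probes(sample):
        print(f"offset {off:#06x}: {name}")
    # Constructed IDTR dumps: a VMware-style base and the native XP value
    for raw in (struct.pack("<HI", 0x7FF, 0xFFC18000), struct.pack("<HI", 0x7FF, 0x8003F400)):
        _, base = parse_idtr(raw)
        print(f"IDT base {base:#010x}: VMware-like={idt_base_suggests_vmware(base)}")
```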