Belgian Security Blognetwork

HITB Amsterdam Wrap-Up Day #2 [/dev/random]

Fri, 25 May 2012 20:02:21 +0000

I’m just back at $HOME. Let’s go for the second day wrap-up! This morning, I walked to the hotel in the sun to take a breakfast. Very nice weather over Amsterdam again today! Bruce Schneier was the second keynote speaker.

Do I still need to present him? He came to talk about ”Trust, security and society” which is the topic of his new book. Bruce has always a new book to promote!

Bruce Schneier Keynote

In the real life, we feel safe. We trust people all the time (the taxi driver, the server at the restaurant, the pilot who brings us to Amsterdam, etc). Society does not function without trust. How society makes this work? Trust is a really complicated concept! When you say “I trust a friend“, you speak about the person, not his actions. We can also trust actions of people in a specific context. Back to the first example with the taxi driver, we don’t know his motivations, we just trust him to drive us to our destination safely. Another example: trusting a server who gives us a bottle of water. For airlines, you don’t trust people (the pilot) but you trust the airline company which should produce skilled pilots. You don’t have to know how a system works, you just trust it (ATM machines are a good example). But if there are too many factors, the system will collapse. “Parasites” can only survive if they are not too good. Security is how we can set the level of trust to an acceptable level, otherwise it will collapse. They are different types of pressures:

Moral : We fill bad if we do, we don’t want to (Do I steal those goods or not?)
Reputation: What people will think of your behavior
Institutions: They have rules and enforcement has been delegated

The problem with the two first type of pressures: They don’t scale (societies are growing) And what’s the power of reputation? Bruce gave a funny example. In a company, people can buy coffee. They have to leave some coins next to the coffee machine. At the end of the day, a comparison between the money and the number of coffee cups give the percentage of people who paid (or not). A study showed that only be adding a picture of eyes behind the coffee machine, the number of paying people increased.

Technology allows our society to get better in lot of different ways (more people, more complexity, more social network, distances, frequency, etc) Wait, it looks like a definition of the Internet. Internet is just a copy of the real society from a security point of view, new attack vectors are used by criminals like in real life. Attackers can make use of innovations faster cause they are not limited by boundaries. To maintain good security is to react quickly by evaluating what attackers will do next. A final problem is that society is not always right. The assumption that a group is correct is not always true! It this topic interest you, read Bruce’s book! Bruce is really a good speaker, no slides just stories and real-life examples!

After a coffee break, Andrei Costin talked about the danger of PostScript files. Why PostScript? MFP’s (“Multi Functions Printers“) carry a lot of abuse potentials. They contain confidential documents, they remain unpatched, they are (sometimes) facing the Internet or are available on the network. Modern printers are targets since a decade! Did you know that lot of printers are facing the Internet? And generic MFP payload delivery occurs using Word or Java. Back to PostScript! PostScript is used to handle complex procession tasks. This is a programming language: Stack based and turing-complete. PostScript printer driver transforms document to PostScript streams for specific devices and data stream on PRN. Windows based systems can process PostScrtipt files too (via an interpreter) and execute code on your PC. PostScript is like a Java sandbox. It has simple control statements (if/else, loop, while) and simplest DoS is an infinite loop:

!%
{}loop

Demo time! How to kill Word with less then 10 characters.

PostScript Killing MS Word

Another demo: “Dynamically types concatenate” aspect, by example to evade IDS:

({) (}) (l) (o) (o) (p)
count 1 sub { mergestr } repeat
cvx
exec

Next demo: Real world application: MS Office PostScript crash! What about GhostScript? Dynamic document forging/generation can be used with some Social Engineering techniques. Andrei gave an awesome example with a rogue PostScript file; If the file is opened with Ghostscript nothing happened otherwise the malicious code is executed. Example of a real attack? On a PC the invoice show an amount of 100 EUR but once printed: 1000 EUR Who will read the document just printed? It will be signed! As said Bruce before, we trust the printer!

PostScript can also address some web2.0 issues? Some online services are also vulnerable to rogue PostScript documents. 20+ online services were found to be vulnerable at different level (Google was one of them). Some fun facts? Some GhostScript are running as root. Some runs GS without -dSAFER, some run vulnerable versions (heap and stack overflows).

What about physical devices? Installation of firmware upgrades is performed via PostScript documents. Admin restriction fails to prevent memory dumping. Even if devices are protected at interface level. API’s remain available. HTTPS/IPSEC secrets are “default” and “leaky”: they are in memory! Printers protected by a PIN code or a badge reader are also vulnerable. Document is also available in the memory!

Memory Dump of a Printer

Can you imagine performing a network scan via printers? Printers use lot of protocols to detect devices on the network. Guess where this information is stored? In memory of course, using the same techniques, you can retrieve information about the network topology without using any active scanner on the network. To perform social engineering, coupons, discount codes are great! People like free stuffs! Conclusions: Don’t print suspicious documents. Printing is bad for environment but also for your security Andrei’s papers are available online.

The next talk I attended was “How to use Taint to find vulnerabilities?” by Alex Bazhanyuk and Nikita Tarakamov. In parallel to this track, there was the one about the new IOS jailbreak. But I decided to stay in the same room to follow Nikita’s talk. Too many people went to the jailbreak session.

Nikita Tarakamov

What is taint analysis theory? Taint sources are network, keyboard, memory, disk, function outputs. Taint propagation is a data flow technique. Static taint analysis is performed over multiple paths of a program. More information about taint analysis can be found here. BitBlaze is a binary analysis infrastructure to automatically extract security-related properties from binary code. SASV main parts are IDA pro plugins and BitBlaze: Vine + utils, TEMU + plugins. Then I was lost, too complex for me!

After the lunch break, there was two talks in parallel about mobile operating systems: “Bypassing the Android Permission Model” or the second part of the IOS jailbreak. I decided to attend the IOS one for the fun. There were rumours that the new jailbreak will be released! The talk covered the A5. There is no tethered jailbreak on A5 because there is currently no public boot level exploit for it. But they found a way to use Racoon as an injection vector. The problem was: How to copy Corona files on the file system which is read-only at boot and how to bypass ASLR? VPN settings are not validated by configd before being passed to Racoon. The dream team explained step by step how they successfully exploited the while stuff. One the payload installed, the next step was to find a way to trigger a VPN connection? They discovered that Safari can trigger this to perform certificate based authentication. But typing an URL in Safari is boring, they used a Webclip.

The Dream Team

Next step, the sandbox. What’s the sandbox? Code name “Seatbelt“, based off the TrustedBSD MAC (“Mandatory Access Control“). Sandbox.kext is a registered MAC policy. How to get the patched copy of raccoon (1-modified byte) onto the device? ptrace is not working well and Apple makes it unrestricted but it can control an unsandboxed process. To resume:

Create a non sandbox version of raccoon
Find notified PID
Put notifyd’s main thread on the IPC thread
Block notified with our exploit IPC message
Write rest of ROP stack to shm
Launch the exploit

The team explained in details all the steps to own the IOS devices. More information available here:

So, after the talk, the official news of the day was there: the jailbreak for 5.1.1 is publicly available but greenpois0n.com was temporary down. My opinion, they brought it down during the talk to be sure to release the exploit at the right time. This announce caused a flood of Twitter messages! People were following the talk worldwide waiting for “the” announce. Congratulations to the Dream Team. Once you see the talk it seems easy but they passed days of investigations to achieve this!

The next talk was about the Amazon cloud services. It started later because the speaker, Kenneth White, was unavailable!? When he started the presentation, he first talked for a long time about health researches (viruses, diseases) and the associated processed to remediate to them. Finally, he switched to the main topic: Amazon! Everybody knows this major player in cloud technologies. What are the promises of AWS (“Amazon Cloud Services“)?

Scaling
They are busy with the boring part of the infrastructure
On demand
Pain reduction
Zero procurement headaches
Cost (!)

The killer feature is indeed the cost of the public cloud! You will fail if you compare VM’s to a cloud. Your SAN/NAS is not the cloud. Could you survive to a DDoS without the cloud? Finally, by using the cloud you can focus on more interesting stuffs in your job. Kenneth reviewed interesting information about AWS. Who’s behind?

Who's Behind AWS?

What’s their grow? Some interesting numbers: They hired 22.5K new employees. They advertise 800K public IP addresses. What about their data centers infrastructure? Most information is publicly available:

Facility built-outs, availability zones & regions
Power capacity and redundancy
Pictures
Physical , process and technical controls.

About the data centers, did you know that they are build by one of the most powerful company called Digital Reality? To analyse their backbone, BGP is your best friend. But you’ll have to take time to analyze all the peers!

AWS Datacenters Locations

I expected more details about Amazon. I was a bit disappointed by the content of the presentation. The real Amazon stuff started at the middle of the talk!

Finally the last presentation was performed by Marco Balduzzi about “SatanCloud – a journey into the privacy and security risks of a cloud computing“.

Marco Balduzzi on Stage

The talk used Amazon (again!) EC2 – IaaS (“Infrastructure as a Service“). Marco refreshed our brain with a brief review of the cloud computing. Most of us are using the cloud everything. You use gmail.com isn’t it? Three models exist:

SaaS: Software is provided (ex: salesforce.com)
PaaS: Computing or solution platform (ex: Google apps)
IaaS: Computers, Storage, firewall, networks are provided (ex: EC2)

The talk focused on IaaS where the market leader is Amazon. EC2 provides access to a virtualized server (Amazon Machine Images). AMI’s are provided by Amazon but users may provide their own images as well as third-party companies. AMI’s can be build from a live system, from an ISO or another AMI. Configuration is simple: credentials, resources (sizing), the region where start the instance and an inbound firewall. The instance will be available via a public IP like “ec2-IP-region.computer.amazonaws.com” over SSH/RDP. First important thing to keep in mind, Amazon don’t care about the AMI security! Then Marco reviewed the problem of sharing images via the Amazon catalog. What are the threats:

Secure it against external attacks
Malicious image providers?
Sanitizing the image to protect the privacy of the provider

A tool has been created to automate the security analysis of images: SatanCloud. It performs a remote scan using Nmap and a local scan using Nessus for local vulnerabilities (only the critical ones for performance reasons). What were the findings?

Detected Vulnerabilities in AMI's

Incredible: 98% of Windows and 58% of Linux AMI’s came with critical vulnerabilities! 87 Debians AMI’s still had the notorious SSH vulnerability. Two AMI’s where infected by viruses. Some Trojans with key logger were found. Two Linux AMI’s were configured to send logs to a remote host! Some private keys can be installed on images and left behind the execution and use to make new images.

Leftover Credentials on AMI's

About forgotten keys? 56 private keys were found to log in to other machines. 54 of them even not protected by a pass-phrase! Linux systems have shells which generate history files. Those files were also scanned and 869 history files were found:

Interesting Data Extracted from History Files

The next investigation was: Are deleted data really removed? AMI’s can be bundled using different methods. Block based building methods are vulnerable to file undelete attacks. 1100 Linux AMI’s were inspected using extundelete. They recovered 28GB of data! (SSH private keys, PGP keys, password files and many documents). And for Windows AMI’s? WinUndelete is your best friend! Same issue…

This research was performed with the contribution of Amazon Security Team. Vulnerable AMI’s status was changed from public to private. A tutorial was created to help customers to share their images in a secure way. Good collaboration from Amazon!

Lessons learned? Prepare your own image otherwise update the software, enable the firewall, delete (safely) unwanted data, check for outgoing connections => harden your server as if it was local (best practices). A very good talk to share with all system admins who play with Amazon EC2! My preferred one for the second day.

The closing keynote was given by Jaya Baloo from Verizon: “Identify, Privacy and Security“. Jaya’s first question was: “Isn’t it time the Internet had an identity solution?“.

Jaya Baloo on Stage

We have too many passwords. This generates too much risks and, for enterprise, it’s complex and cost money. A question immediately raised from the audience: “Why complexity is bad?” Jaya think that a simple authentication mechanism could benefit to the security of users. “We need an identity ecosystem in the cloud“, Really? The challenge is a good balance between privacy and identity insurance.

A mention to an interesting online service provided by rapleaf.com: They grab data from the Internet and based on email addresses lists you have access to plenty of information (age, gender and location are free). Why collect identifies? advertising market! Privacy legislation is principally aims to protect you against government and specific organizations. But it does not address against organizations or the mistake of their employees. Jaya made a good review of the problematic of the implementation of a unique authentication system.

Then the closing ceremony with the results of the different contests and a word from the organizers. This year, the venue changed and it was (IMHO) positive. The hotel was nice and close to restaurants, bars. I left immediately after the talks and was unable to say goodbye to old and new friends. So I do it now: It was nice to meet you once again (for some), for the first time (for others). See you soon!

HITB Amsterdam Wrap-Up Day #1 [/dev/random]

Thu, 24 May 2012 15:39:13 +0000

I’m back in Amsterdam for the third time to attend the Hack in the Box security conference! Thanks to the organizers, I received again a press pass to cover the event. Thanks to them! So, here is my wrap-up of the first day. This year, I was also present as a speaker for SIGINT. SIGINT is a bunch of “small talks between the talks” where people are free to present their research, their tool in a limited time window. After a safe travel from Belgium and the classic registration procedure, it was time for a small breakfast before the start of the busy day.

The opening keynote was presented by Andy Elis, CEO of Akamai. The keynote title was “Staying ahead of the Security poverty line“. He started with a fact: To measure the quality of your security, just count the number of phone calls you receive outside the business hours! But what’s the security poverty line? Another fact: Organizations don’t have enough resources to implement perceived basic security needs. The syndrome of security subsystems is “I can’t even do the barest minimum to cover my ass. So I’d better not do anything but cover my ass“. Then accruing Technical Debt: With every step forward, the undone work increases risks and makes future steps harder.

The value of your security can be computed with the following formula:

Value = Resources x capabilities"

Where:

resources = time + money
capabilities = skill x effort x effectiveness

Keep in mind: Nobody is going to implement perfect security. This means you have no risk but doing business is taking risks! Another reference is the Peltzman effect: What your organization thinks it can get away with… If you take away risks, you’ll take more risks. Andy gave a nice example with the NASCAR races in the United States. Very popular and safe but pilots take more and more risks!

The security value and perceived risks should be in balance. Security is an habit to remove risks. What are the perceived risks vs actual risks?

Perceived Risks vs Active Risks

Another fact: Don’t beg for money! Based on security news, people decides to spend money for security solutions! Example: Wikipedia got DDoS, we need an anti-DDoS protection. Hackers break a website, we need a WAF! That’s not the best way to implement security.

What about security awareness? The problem: auditors believe that if we just train people, we’ll get rid of problems. That’s bad. The solution is to perform simple security awareness training, web-based and automated. Don’t blame people for being pwn3d, let them share their experience! Andy’s slides are available here.

Then the real talk started. The first one was about performing Android forensic: “Turning Android inside out” by Ivo Pooters. The idea of the talk was: Can an Android phone be used to investigate a man’s death (is it a suicide?) or to investigate a data breach? Those examples were not real cases but were part of the DFRWS Forensics Challenges 2011. First step: How to perform the data acquisition? Useful data are present on memory cards (easy to read) or in the internal storage (NAND flash) with multiple partitions like /data & /cache. To make a copy of the internal flash, common tools remains useful:

# dd if=/dev/block/mtdblockX of=/sdcard/mtdblockX.img

What about the tools? There exists specific forensic tools like enCase, FTK (“Forensic Tool Kit“), Photorestore. Android uses the YAFFS2 file system (“Yet Another Flash File System version 2“). How to read such file system? Via forensic toolkits (Cellebrite UFED), via the Android emulator or load the YAFFS2 support into the Linux kernel:

Enable YAFFS2 on Linux

Once the file system mounted, use your regular tools to find for relevant information (IP addresses, names, file names, …)

Two types of analysis can be performed:

Live analysis: Using an Android emulator + ADB, Wireshark, Dalvik debug monitor and logcat
Statis analysis: Retrieve the APK’s, use APT-tool to convert AndroidManifest to clear text XML. Convert dex (Dalvik VM) to regular Jar (dex2jar). Decompile using jd-gui or another java decompiler.

Then Ivo wend deeper about the YAFFS2 and explained a technique to retrieve content when the file system is corrupted. Normally, on classic file systems, even if they are damaged, it’s possible to get files back by using file carving techniques (Note that the new Android devices do not use YAFFS2 anymore but they are a lot our there). Nice presentation which proves that our preferred toys contain a lot of personal details which can be almost always retrieved using the right tools and techniques.

The next presentation was about automatic malware analysis using Cuckoo by Claudio Guarnieri. I was waiting for this presentation because I’m currently playing with commercial solutions to analyze malware and I’d like to compare them with an open source one. What are the problems with malware analysis? There are way too many pieces of malwares. Manual analysis is simple impossible. Static analysis requires strong skill sets! So sandboxes are the best solution?

Pro: Automatic, process lot of work, usable by anyone, get the code executed
Cons: Commercial solutions are expensive! Some portions of the code cannot be executed, VM’s could be detected and it’s difficult to successfully automate the exploit analysis. Finally, without proper consumptions of the results, it’s useless.

The preparation is mandatory to define requirements and expectations, the environment must be properly designed for data and integration with other systems or storage solutions. Some questions to ask to yourself:

Why do you need a sandbox?
What do you expect to achieve?
What information is most relevant to you?
Who will use the results?
Which types? (PDF, browser exploits, Microsoft Office document, PHP/Perl scripts)

In most cases, Cuckoo can provide an answer to those questions. It can analyze lot of stuff, can be customized and integrated with other frameworks. It generates Win32 call traces, dropped lines, screenshots, network traffic dump and reports. It is based on three components: Scheduler -> Analyzer -> Reporter.

Claudio performed several demos of Cuckoo analyzing different types of malwares.

: Live Cuckoo Demo

It looks to be very reliable and I recommend you to test it (who never received a mail with a suspicious attachment?). If you don’t have time to play or resources to run your own instance of Cuckoo, why not have a look at: malwr.com. This website is a front-end for Cuckoo and work like virustotal.com. You submit your files and they are analyzed. Claudio and his team made a great job. This tool is definitively on my todo-list! Note that the current version only supports Windows VM’s but they are working on MacOSX and Linux versions.

During the lunch break, I presented my tool pastemon.pl and the associated website leakedin.com. This is the second time that I present it (first time was during BlackHat in March) and I received positive comments about it. It seems that people are interested in the pastebin.com content. The session was well organized and I was very happy to see many people take time to listen to me. Thanks to all of them!

After the lunch, I attended the presentation called “Whistling over the wire…” by Arnauld Mascret. Behind this title, Arnault explained how to find interesting information from open sources (OSINT) and how to create new tools to perform the intelligence phase? He explained from A to Z how an attack can be conducted against a victim using mainly the social network Twitter and an URL shortener service. Is it possible to perform stealth targeted attacks? Yes, the main idea is to use your own (rogue) short URL service and promote it on Twitter to attract your victim to use it.

Twitter Attack Surface

The different steps were deeply explained one by one up the live demo of the victim’s compromised computer. Conclusions for this talk: The risk is low. You need other vulnerabilities but all the tools are available and it works! Question from audience: How long does it take to realize this kind of attack? Arnault’s answer: “It depends on the victim but a few weeks at least!“. This proves that attackers have plenty of time to conduct their attacks! (compared to limited scope assigned to pentesters).

The next presentation was about digital satellite television. Adam Gowdiak gave a deep overview of the security threats in this domain. Let’s be clear: modern Set-Top-Boxes are complete computers and became more and more complex. They are online and users don’t have a clue about the risks (“Hey, it’s just television after all!“). Most of them runs on Linux with a Java VM for applications. I learned that Java Applications (Xlets) can be broadcasted in MPEG streams! Even if Set-Top-Boxes have good security mechanisms (Embedded SSL Certificates, HTTPS scheme only, chroot sandbox, IP tables, no listening TCP ports, statically linked binaries, custom JAVA file system, binary code obfuscation, etc), Adam demonstrated that they are also vulnerable.

Set-Top-Box Architecture

How to get device access? Adam explained all the steps to fully pwn the box starting with a Java script injection via a rogue photos album name. He successfully executed code, accessed the file system and memory and leaked file descriptors (/dev/kmem, /dev/mtd0). A demo was the capture of some streams outside of the box. Nice talk but less interesting for me. In parallel to this one, a talk about SAP (again!) was held. To conclude his presentation, Adam expressed his curiosity about the new connected television. For sure, they are also vulnerable to similar attacks.

The last talk of this day: “Windows shopping, Browser bug hunting in 2012” by Roberto Liverani and Scott Bell. Why Browsers? Because they are everywhere and nice targets with all their extensions! This talk could be called “The browsers wall of shame!“. Roberto reviewed in details several attacks on different browsers:

Firefox Use After Free < 11
Maxthon – XCS and SOP Bypass
Avant Browser XCS & SOP Bypass
Firefox, patched in 3.6.14
Opera Use-After-Free
Firefox/Opera – XCS

Firefox Use-After-Free PoC

I won’t give details about the exploits here, they are fully reviewed and explained in Roberto’s slides. Just some conclusions:

Disclosure fail! (Opera this one is for you!)
Bug complexity vs impact (injection bugs are simple but impact can be significant)
Delegated security (presenting browsers as secure as IE or Chrome give false sense of security to end-users)

Last but not least, Rop Gonggrijp – a well-known Dutch Hacker & Activist – presented the closing keynote. He came in emergency to replace the scheduled speaker. Rob is a great speaker. What did he say? The repression is there! (instead of fixing the security issues) Governments dreamed of controlling us. It’s done! Are you aware of the printers yellow dots? They want total surveillance but “If cyber-crime increases by a factor of 10, can it be stopped by surveillance?” asked Rop. Data centralization is already over, we are now decentralizing everything (in the cloud). We continuously update our profiles online (linked in, twitter, etc). If you are living in Europe, you already uploading your data to a power block you don’t control. Is working for a national security agency safer than for a Romanian cyber-crime cartel? How to make the world a better place, safer? Selling security problems to nations is not responsible disclosure!

Rob Gonggrijp

This closes the first day! Note that all presentations are made available online a few minutes after each talk. You find them here. Tomorrow, I’ll write the second wrap-up. If you need to follow real-time reactions, don’t hesitate to follow me on Twitter (@xme) or friends like @corelanc0der or @seccubus who are also covering the event. Tomorrow will be for sure the “Apple Day”

Content for Brucon 0x04 aka BruCON 2012 [BruCON]

Wim Remes — Wed, 23 May 2012 13:00:00 +0000

Hello Friends, Recently we received some questions (again) about the move to Ghent and if that would mean that BruCON would change it's name. That is certainly not the case. We could have avoided...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Pastemon.pl Upgrade [/dev/random]

Mon, 21 May 2012 18:02:18 +0000

Just a quick blog post to announce that I just committed a new version of my pastemon.pl tool on github.com. I’ll present it (and the associated website leakedin.com) this Thursday at HITB Amsterdam during a SIGINT session.

What’s new with this version? First some bug fixes! (yes, I’m writing buggy code!) But there are also new features/options.

Opposite to the “_EXCLUDE_” feature, I added the “_INCLUDE_” one. This could help you to give more granularity to your regular expressions. Example: To search for references to the Visa credit card, use:
```
+4[0-9]{12}(?:[0-9]{3})? _INCLUDE_ (visa|credit|card)
```
This will reduce false positives. The pastie will be flagged only if it contains a credit card number and one of the three words in the same text.

All the configuration has been moved from command line arguments to an XML file. It became difficult to maintain them in a single command line. The new syntax is simply:
```
./pastemon.pl --config=filepath [--debug] [--help]
```
An XML sample configuration is provided in the repository.

If you enable the dump of pasties to a directory, the matching regular expressions are added as headers to help you to remind why they were dumped.

SMTP notifications have been added.
Detection of duplicate pasties is performed based on the Jaro-Winkler algorithm. Pasties which are “close” to an already matching one won’t be reported.

If you’ll attend Hack In The Box in Amsterdam, feel free to come and say hello!

Searching With VirusTotal [Didier Stevens]

Mon, 21 May 2012 05:04:33 +0000

Did you know that you can search VirusTotal? You don’t have to submit a file, but you can search for the report of a file has been submitted before. You use a cryptographic hash (MD5, SHA1, SHA256) to identify the file.

There are several tools to submit a batch of files to VirusTotal, but I didn’t find any that just searches VirusTotal for a list of search terms via VirusTotal’s API.

Thus I wrote my own Python program. It accepts a file with a list of hashes, and produces a CSV file with the result. Here is an example displayed with InteractiveSieve:

To get this program working, you need to get a VirusTotal API key and add it to this program. You need a VirusTotal account to get your API key.

And my program respects VirusTotal’s rate limitation (4 requests per minute), I don’t want it to DoS VirusTotal.

virustotal-search_V0_0_2.zip (https)
MD5: 0d3c70213dd59cc935ed999a038237d6
SHA256: ~~BD213BBC55A9048DBB7B890209E2831EF81049B45ABE9091E01F0692F4F23283~~

What Are You Sharing with Dropbox? [/dev/random]

Sat, 19 May 2012 14:15:51 +0000

Dropbox is a well-known online service which allows you to share files between computers. If, in the past few months, new outsiders came on the same market, Dropbox remains the number one. If files are synchronized between Dropbox software clients, they also provide features to share files with third-party who don’t have a Dropbox account. How? By creating “links” to those files. It’s easy: In your Dropbox folder, select a file, right click and select “Dropbox -> Get Link“. Your direct URL will look like this: “http://www.dropbox.com/s/wg0ih0qywujn77y/myfile.zip“. Then, share the URL with your peers who just have to point their browser to it to access your file. Easy!

But if your files are available via HTTP(S), this means that anybody can access them. We just have to guess valid URLs. Guessing the 15-characters strings is doable (brute-force) but will require a ~~lot~~ waste of time. Where can we find plenty of existing URLs? In search engines of course!

I wrote a Google crawler and let it run during approximatively ten days. It was not easy. If Google is a champion to grab our data, they don’t allow extensive use of their search engine! You are often blacklisted and have to fill a CAPTCHA. They present you a “sorry page” to prove you are not a bot:

But some techniques can be implemented to evade their tests:

Search across multiple TLD’s (easy, they have all of them
Change your User-Agent string randomly
Use open-proxies randomly
Do NOT use Tor, they blacklist the exit-nodes
Use other anonymizing services (like anonymouse.org)
Add random sleep() between queries

My crawler searched for pages containing “http[s]://[dl|www].dropbox/s/*“. For every hit returned by Google, the corresponding URL was also visited to parse and extract the Dropbox shared links. Finally, all found URLs were visited (500.000+ pages were processed) and data downloaded. Of course, a lot of them provided the same content or same links (example: all conversations in forums, mailing-lists archives).

Interesting to mention, when I downloaded all the files in batch from Dropbox, I did not implement special techniques like the ones to search on Google. And I was never blacklisted! I’m just wondering if Dropbox have controls in place? Did they see my traffic?

All the files were reviewed and here are some findings. Let’s start with some statistics:

2240 unique Dropbox URLs were found
1762 files were downloaded (HTTP 200)
116 requests returned an HTTP 403 error
332 requests returned an HTTP 404 error
45.57 GBytes was downloaded
The biggest file was 2.09GB (a RAR archive with WAV files).
Average file size: 26.32MB

A “403” error corresponds to a bad file name (ex: typo error in the URL). A “404” means that the file was removed by the Dropbox user. Here we can already make a conclusion/recommendations. When users share files with open links, they often don’t remove it once the file has been downloaded by the third parties. For me, shared links are temporary links! Dropbox allows to “cancel” a shared link without deleting the file.

What are the most shared file types?

File Type	Found
data	1088
Zip archive data	383
JPEG image data	354
ZIP archive data, at least v2.0 to extract	295
JPEG image data, EXIF standard	167
JPEG image data, JFIF standard 1.01	140
RAR archive data, v1d, os: Win32	86
ZIP archive data, at least v1.0 to extract	83
PDF document, version 1.5	71
PDF document, version 1.3	63
PDF document, version 1.4	62
ISO Media	60
JPEG image data, JFIF standard 1.02	45
JPEG image data, EXIF standard 2.2	44
Audio file with ID3 version 2.3.0	41
ASCII text	41
PE32 executable (GUI) Intel 80386, for MS Windows	36
Microsoft Word 2007+	30
Microsoft Excel 2007+	22
JPEG image data, EXIF standard 2.21	18

What were the most obscure file type? Just two examples:

A Fortran source code
A x86 boot sector

Some filenames were explicit and attracted my attention immediately (like “Report-04-2012.xls“). By doing this exercises, you immediately understand why social engineering attacks are so successful and why people suffer of “clickmania“. It’s really tempting to open such files!

First, the pictures. I was surprised: only one picture was pornographic material. Lot of screenshots and error messages were found. I also saw a lot of pictures of good for sale and, a classic, network schema’s! 50% of the pictures were took using smartphones and contained of course interesting EXIF data (GPS coordinates).

The office documents were also a good source of findings. To briefly resume, I found:

A list of weapons (!) for sale (pictures, prices, stocks)
Political documents (propaganda)
Resumes (with all private details of course)
Employees lists
MDB files (Microsoft Access)
Business plans
Attorneys documents (infringements reports)
Meeting minutes
Manuals (cars, mobile phones, tools)
Student thesis

The best one was for sure a complete scan of a real-estate contract completed with all details:

(Click to enlarge)

Of course, I scanned the files with an anti-virus (ClamAV). On the 56 executable files found, only 6 were infected with Trojans (10.71%). I also found a lot of Android application packages (*.apk) files. I did not extract meta-data from those Office files but I’m sure I could find interesting stuff too.

Another interesting finding? Developers also enjoy the Dropbox sharing feature. I found lot of source code (HTML, JavaScript, XML, PHP). It’s easy to develop and share your source code, no need to upload your source files, just share them and include them in your applications. However, when you download the file directly, the source code is disclosed. Example: https://www.dropbox.com/s/388v3j55z4210e1/test.php.

What can we conclude from this small analysis? Dropbox links do not reveal who shared the file. There is no way to find back the account owner, except if personal information are disclosed in the shared file. And… they are! Shared files are difficult to exploit to collect information about a target (during the reconnaissance phase of a coming attack). Anyway, keep in mind that shared files can be read by anybody! This feature must be used with due care and attention. If you really need to share sensitive data, encrypt them! Which is always good when sending files into the Dropbox cloud…

First BruCON 0x04 volunteer meeting on 24-May in Ghent [BruCON]

Seba Deleersnyder — Mon, 14 May 2012 10:19:00 +0000

We are gearing up towards BruCON 0x04, which will take place in Ghent this year. Join us for the first volunteer meeting on May 24 in Ghent! Timing is: 17:00 at the Aula to recon the...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

ExitProcess Shellcode [Didier Stevens]

Mon, 14 May 2012 00:19:26 +0000

I wrote shellcode that calls ExitProcess for my TaskManager.xls spreadsheet.

Now I’ve added the asm files (sc-ep.asm for 32-bit and sc-64-ep.asm for 64-bit) for this shellcode to my library.

Remark that the 32-bit version assembler code, that was generated with my simple shellcode generator, has a ret instruction after the call to ExitProcess. This instruction will never be executed, as a call to ExitProcess does not return.

You can find this shellcode on my shellcode page.

Monitor your Monitoring Tools [/dev/random]

Thu, 10 May 2012 18:14:39 +0000

We (and I’m fully part of it) deploy and use plenty of security monitoring tools daily. As our beloved data is often spread across complex infrastructures or simply across multiple physical locations, we have to collect interesting information and bring them in a central place for further analysis. That’s called “log management“. Based on your collected events, you can generate alerts, build reports. Nice! But… if systems and applications generate [hundreds|thousands|millions] of events, those ones are processed by the same kind of hardware running some piece of software. Hardware may fail (network outage, power outage, disk crash) and softwares have bugs (plenty of).

This morning, I received several alerts like this:

** Alert 1336642415.2196887: mail  - ossec,
2012 May 10 11:33:35 xxxxxxxx->ossec-monitord
Rule: 504 (level 10) -> 'Ossec agent disconnected.'
Src IP: (none)
User: (none)
ossec: Agent disconnected: 'xxxxxxxx-10.0.0.1'.

This message warns that an OSSEC agent is not alive and is very suspicious. And a few minutes later, same message for another server, and so on, one by one… After a quick check, all servers and network connections were fine. The problem was on the OSSEC server itself. A typo error in a new rule put some processes in a fuzzy state. Killing and the process and restarting properly the OSSEC server solved the problem. This example based on OSSEC is just an introduction to the topic of this quick blogpost: When you deploy security monitoring solutions, be sure to monitor them too!

In parallel to the security checks performed by your log management solution, extra verifications must be performed to control the flow of events and, when required, trigger other types of alerts. A classic situation is when events are pushed to the log management platform. It will wait passively for incoming events. This can be resumed as “No event received? Everything ok! Let’s have some sleep…“. Examples of suspicious situations:

You did not receive any new Syslog events from a specific host for x minutes.
→ The Syslog daemon might be down or a network outage prevent UDP packets to reach the Syslog concentrator.
If you did not process new lines from an Apache log file.
→Apache might be in trouble or the file system might be full. Can you read the log file? (wrong permissions)
You did not receive any new alerts for x hours.
→Your log management system might be overloaded, some process killed or a file system being full.

There are plenty of nightmare example like those. How to prevent them?

Like any other information system, keep an eye on the system health (control the CPU, memory, storage, processes). Disk space is critical and directly depends on your amount of data and retention policies.
Send keep-alives to your remote [pollers|sensors|agents] (whatever you name them).
Control any derivation of your regular events flow (compared to a baseline for a defined period – hourly/daily/etc). Example, is it normal to not see any login events from your Active Directory on a Monday morning?
Implement queuing mechanisms to prevent events to be lost (when they are automatically pushed to the central system).
When possible, collect events using pull technologies. If the log management platform has troubles, events won’t be lost and will wait until being retrieved later.

Don’t forget: Log management solutions are your best friends when you need to investigate a security incident. There is nothing more frustrating than gaps in your events timeline!

Why Isn’t my PoC Launching calc.exe? [Didier Stevens]

Tue, 08 May 2012 11:17:53 +0000

I quickly developed a dll that kills calc.exe when started from anything else than explorer.exe.

This way, you can mess with all those PoCs that launch calc.exe

nocalcpoc_V0_0_0_1.zip (https)
MD5: 05798543571B45E19536181DC7346330
SHA256: ED0FEDC6096420F6F09F4980A1CE36F7C4BC0A8C9191F4DFC27FA4C77D547976

Update: TaskManager.xls V0.1.3 Killer Shellcode [Didier Stevens]

Tue, 01 May 2012 10:49:25 +0000

My TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these commands can’t terminate a process (for various reasons).

Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.

Here I’m using the command “e ep64″: this command injects and executes the shellcode found in sheet ep64 (as hex strings) in process notepad:

The result is that notepad will terminate itself.

When using TaskManager on a 64-bit system, you’ll have to pay attention to the following: to terminate a 32-bit process, you inject 32-bit shellcode (ep32) and for a 64-bit process, you use 64-bit shellcode (ep64). And a 32-bit process can’t access a 64-bit process’ memory through the Windows API, so if you are using 32-bit Excel on a 64-bit machine, you won’t be able to inject shellcode into 64-bit processes.

FYI: If you want to know more about 32-bit and 64-bit processes on x64 Windows, I’ll bedoing a workshop at Brucon this year: “Windows x64: The Essentials”.

TaskManager_V0_1_3.zip (https)
MD5: 38DED14A7A468923C3552A6135CC570C
SHA256: CABD1F73C8D069A85EA439D7AFF736723B5759A6ED929FB3F21A4ADD3D0605BC

InteractiveSieve [Didier Stevens]

Tue, 17 Apr 2012 11:33:34 +0000

Interactive Sieve is a program I developed to help you analyze log files and other data in tabular form. It’s designed to help you when you don’t know exactly what you’re looking for. You sift through the data by hiding or coloring events (or data) that are not relevant.

I started writing this program in 2007 and use it often. But there is a problem I’ve not been able to fix: when you hide a lot of rows, it takes a long time, probably because of the redraw operation that takes place for each hidden row. Maybe someone will find a solution.
Update: big thanks to @woanware for fixing the redraw performance problem!

For more details on how to use the program, select Help / About.

InteractiveSieve_V_0_7_3_0.zip (https)
MD5: F36B245584DE143A15F484AA6220D67F
SHA256: AE0804EA739AEDC5FA32B7F6FD99AB99A35F7742B98953A653E0C24725E0FE6F

Getting around in Ghent! [BruCON]

Wim Remes — Fri, 13 Apr 2012 13:05:00 +0000

As you all start registering and looking for places to stay, we have created this Google Map to give you a good overview of import locations. The red pin is the conference location, the red bed the...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Registrations are open [BruCON]

Wim Remes — Thu, 12 Apr 2012 13:30:00 +0000

Oh boy, have the past few weeks been a rollercoaster ride. Putting up a registration engine for a conference is one thing, putting up one that you know will be scrutinized by the very public it...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Our first winners announced. [BruCON]

Wim Remes — Mon, 26 Mar 2012 13:30:00 +0000

Hello BruCONneers, a few weeks ago in preparation for our training schedule for September, we launched a short questionnaire so we could better understand you as an attendee. Just to make sure...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

SANS Network Penetration Testing and Ethical Hacking (SEC560) – August 2012 @ Sydney [Wouter Veugelen]

Sat, 10 Mar 2012 23:42:24 +0000

In August 2012 I will be facilitating another SANS SEC 560 Network Penetration Testing and Ethical Hacking course.

In the SEC560 course, we address detailed pre-test planning, including setting up an effective penetration testing infrastructure and establishing ground rules with the target organization to avoid surprises and misunderstanding. Then, we discuss a time-tested methodology for penetration and ethical hacking across the network, evaluating the security of network services and the operating systems behind them. Attendees will learn how to perform detailed reconnaissance, learning about a target’s infrastructure by mining blogs, search engines, and social networking sites. We’ll then turn our attention to scanning, experimenting with numerous tools in hands-on exercises. Our exploitation phase will include the use of exploitation frameworks, stand-alone exploits, and other valuable tactics, all with hands-on exercises in our lab environment. The class also discusses how to prepare a final report, tailored to maximize the value of the test from both a management and technical perspective. The final portion of the class includes a comprehensive hands-on exercise, conducting a penetration test against a hypothetical target organization, following all of the steps.

Registering for the course can be done via the following URL: http://www.sans.org/mentor/class/sec560-sydney-aug-2012-veugelen

10% Discount

I arranged a 10% discount for my blog readers. Contact me to obtain the discount code.

New PGP key [Security4all]

Bkay — Mon, 27 Feb 2012 17:01:00 +0000

Just a short notice that I updated my PGP key. Barely anyone ever used my key and sent me encrypted email. But as I'm lately getting more involved in CERT/CSIRT related activities and communication with teams around the world, there was a need for starting encrypting my mails again.

My key can be found on the usual keyserver(s) and the fingerprint is: 16BD 01DD DD08 1144 48DF 4464 D3FB 8E48 B68C F245

I'm not sure if I'll pick up blogging again soon, but don't unsubscribe just yet. My move to Japan was very interesting and the adventure has only just started!

(Cartoon courtesy of XKCD)

Unwanted Toolbars [miekiemoes]

noreply@blogger.com (miekiemoes) — Thu, 05 Jan 2012 12:38:00 +0000

While I know this is old news and has been blogged/posted about a thousand times already - I still notice a lot of users having problems with an overload of toolbars they don't want/need.

More and more software (mainly free software) bundle their software package with a toolbar since it's an extra source of income.
While in some cases, a toolbar *can* be necessary or useful, always ask yourself if you really need/want this toolbar.

Additional Toolbars can slow down your browser since it takes longer to start them up, can interfere with certain webpages you want to view, can have compatibility issues with other toolbars/add-ons already installed or can even crash your entire browser.
Apart from a toolbar/BHO, some toolbars also add additional loading points (run key, service, appinit_dlls..) which may cause an extra slowdown of your computer in general.
Toolbars also take up extra space in your browser, leaving you with less content of the webpage you want to view.

Do you really want your browser to look like this?

If the answer is Yes, then I suggest you check with your eye specialist or stay away from computers and find another hobby.

Also, not all toolbars are as harmless as they look. Do you want them to monitor your browser activities? What sites you visit? Collect other info from your computer?
Do you want them to redirect searches? Change your startpage? Display Advertisements (targetted Ads)? If the answer is No, then uninstall them or don't install them in the first place.
In most cases, legit software with a toolbar bundled, offers the user the option to uncheck the toolbar during install. Too bad most have these toolbars pre-checked already, so many users who install the software just click through the installation screens (next) in a hurry and end up with toolbars they don't want or need.
And that's still the biggest mistake users make.

That's why it is always a good practice to read every part of the installation screens the software displays, so you don't miss the option where you can uncheck the toolbar or other junk during install.
Also, it's a good practice to always read the EULA/Privacy Policy when you want to install certain software.

Example:

Unfortunately, not every software bundled with a toolbar/other junk offers this option to uncheck during install. This is bad practice and such software should be avoided in the first place.

In case you have (accidentally) installed a toolbar you didn't want/need in the first place, use the Windows’ built-in "Add/Remove Programs" in the Control Panel ("Programs and Features" in Vista/Win7) and look if it's listed there so you can uninstall it.
Or, in case it's not listed there, you can disable or remove them them via your browser:
For Internet Explorer: http://technet.microsoft.com/en-us/magazine/dd364987.aspx or http://mintywhite.com/windows-7/7security/5-easy-ways-uninstall-toolbars-internet-explorer-8/
For Firefox: http://kb.mozillazine.org/Uninstalling_toolbars
For Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=en&answer=113907
For Opera: Click Tools > Preferences > Advanced Tab > Toolbars (listed on the left). There you can select and delete the toolbar.

In general, if you don't use/need toolbars, uninstall them or don't install them in the first place.

ABN AMRO Phishing mail [miekiemoes]

noreply@blogger.com (miekiemoes) — Wed, 30 Nov 2011 09:22:00 +0000

Another phishing mail I received today. Looks like my mailbox attracks phishing mails this week...
This certainly gives me a reason to blog more often again ;-)

This one is targeting Dutch ABN AMRO bank account users.

------

Geachte ABN-Amro klant,

® Op dit moment is ABN-Amro bezig met het vernieuwen van de systeembeveiligingen. Hierbij vragen wij u om uw persoonsgegevens opnieuw in te vullen door op de onderstaande link te klikken

Wij zullen de gegevens verifieren en als het nodig is de aanpassingen opnieuw in het systeem opnemen. Hierna wordt telefonisch contact met u opgenomen om de gegevens te beveiigen.

------

This one is sent from the spoofed mailaddress ABN AMRO NV customercare @ abnamro.nl
When you click the Log in button, it redirects you to a phishing page where it asks you to fill in your bank account and passnumber.

It looks like there are a lot of similar phishing mails going around lately to target ABN AMRO bank account users and I fear a lot of new ones will follow.
In case you have received a similar mail from ABN AMRO, please report it via their website:
https://www.abnamro.nl/nl/overabnamro/f_aanvragen.html

Beware Telenet.be users - Telenet.be phishing scam going around [miekiemoes]

noreply@blogger.com (miekiemoes) — Sat, 26 Nov 2011 14:25:00 +0000

First of all - WOW! It has been ages I have blogged here ! I really should start to blog more often again. Work & life has kept me real busy lately, so unfortunately there's not much extra free time left over anymore.
If only there were 36 hours in a day, so much I still want to do and learn...

Anyway, Just received the following in my mailbox today:

Dear 'pandora.be' E-mail User,

We are currrently upgrading our database and all account need to be verified.To complete your account activation with us, you are required to reply
to this message and enter your password in the space provided (********) you are required to do this before the next 48 hours of the receipt of this email or your database will be de-activated from our database.You are required to reply this message to telenet.be helpdesk database office on their email address: help-desk@email.com

Full Name:
username:
Password:
Thank you for using pandora.be.
Copyright 2011 © pandora.be web Team.

Stacy Williams
PANDORA.BE HELP DESK OFFICE
Hosting: Telenet Operaties N.V.
IP Address: 195.130.144.20

Telenet.be (Pandora.be is controlled by telenet.be) is one of the biggest ISPs here in Belgium
Above is a fake email and in no way associated with Telenet.be.
This mail is designed to steal your telenet.be credentials.
Telenet.be would never ask for your credentials via email, nor would any other company.
As a matter of fact, never ever give your passwords/credentials via mail, no matter who the company claims to be.

If you received this mail, delete it - certainly do not respond to it.
In case you have become a victim of this mail already and responded to it, change your password asap.
For telenet.be users, see here.

Ernst & Young’s 2011 Global Information Security Survey [Wouter Veugelen]

Sat, 12 Nov 2011 10:36:14 +0000

Ernst & Young released its annual Global Information Security Survey.

Download PDF report

Ernst & Young information security services

The unofficial BruCON party guide (plz RT) [Security4all]

Bkay — Fri, 16 Sep 2011 07:36:00 +0000

The third edition of BruCON is about to happen and I'm really looking forward to it. This is an attempt to the Hitchhikers Guide to the... euhm... fun bits of BruCON. Besides the workshops, presentations and training of BruCON, there are also some social events you can attend. So here we go.

First is SushiCon, the pre-BruCON get-together at a Japanese restaurant. Details here. After dinner we'll head for the Belgian beer heavens. You can just join us for a beer later as well. Check Twitter for last minute movements.

Second main event is of course the BruCON party @ Havana Club on Monday evening! Feel free to throw some events of your own and list them on the wiki. For ad-hoc meetings, follow the #brucon hashtag.

The BruCON wiki also has a small list of bars / restaurants (plus recommendations of beer) etc you can explore! It's far from complete so please expand this page based on what you know or discover!!

Now what about Travel aka How to get around? Apart from the basic BruCON Travel page, here are some tips:

Once in the city, the metro/tram will probably be your main mode of transportation! The metro connects the BruCON hotel (Ibiz) with the city center (Grand place) and the BruCON Venue @ VUB. Check out this awesome Google map with all of the known BruCON (party) locations.

http://g.co/maps/fkm5y (hat tip to @5M7X)

Metro Stops: Here is the network map of the Metro: http://www.mivb.be/netplan-plan-reseau.html?l=en
Payment: You can get a pre-paid 10-journey card at newsstands and vending machines at the stations: http://www.mivb.be/10-voyages-ritten.html?l=en (if they sell the MOBIB one, it's RFID based on Calypso). The difference between the MOBIB and the JUMP card is that the JUMP also allows you to take the train between the different Brussels stations (but not beyond Brussels).

Getting from Ibiz hotel to Grand Place:
Take Tramway route 4 direction GARE DU NORD. At 8:08, get off at stop BOURSE (5 min.) or alternatively, you can walk for +-25 minutes.
Getting from VUB (BruCON) to Grand Place:
Walk to stop DELTA (3 min.). Take Metro route 5 direction ERASME. Get off at stop GARE CENTRALE (12 min.) and walk to Grand Place. (check Google map)
Getting from Ibiz hotel to VUB:
This PDF map from VUB explain all the possible transits from all major stations (South (Midi), Central and North)

So I hope this helps. Have fun but keep it safe! See you all at BruCON!

UPDATE: First new event on Saturday already popped up (hat tip to Andreas):

Moeder Lambic feat. Stone Brew Co.
http://www.moederlambic.net/events/en/events 30 Belgian beers on tap, 30 US specialty beers from Stone Brewing Co on tap, and to finish it off, the Cantillon Zwanze will be served on saturday. Historic event not to miss for any beer geek. Date: Saturday, 17th @19:00

Keep checking the events page for updates!!

OpenDLP: Open Source Data Loss Prevention [Wouter Veugelen]

Sat, 10 Sep 2011 23:47:25 +0000

OpenDLP is a free and open source, agent- and agentless-based, centrally-managed, massively distributable data loss prevention tool released under the GPL. Given appropriate Windows, UNIX, MySQL, or MSSQL credentials, OpenDLP can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems, UNIX systems, MySQL databases, or MSSQL databases from a centralized web application. OpenDLP has two components:

A web application to manage Windows agents and Windows/UNIX/database agentless scanners
A Microsoft Windows agent used to perform accelerated scans of up to thousands of systems simultaneously

http://code.google.com/p/opendlp/

http://blog.rootshell.be/2010/04/30/keep-an-eye-on-your-data-using-opendlp/

Help improve the CISSP community. Support Wim. [Security4all]

Bkay — Mon, 29 Aug 2011 18:28:00 +0000

My blog kinda died down after being involved with BruCON and I wasn't really planning on blogging again unless I had some good (original) content. Since I'm going for the JLPT1 certification in the next years, this may take a while. BUT I'll make an exception today to support Wim.

A lot of us in the infosec community have a CISSP. The first reason is to bypass the HR checklist filters but is there really an added value besides it? I hear a lot of the people in this community being more critical with the years. Especially the CISSP code of ethics is something I think is too black and white.

But why only complain about it? Why not TRY to change things for the better. This is why Wim Remes has decided to try for a board election. I know him personally and I can vouch a 100% for him. Here are some of his points:

A closer collaboration with the information security community at large. This means recognition of what is currently considered to be an outlawish community but what I consider as a treasure trove of knowledge and capability that remains untapped. Either because we are afraid of what we don't understand or because hackers are still suffering from a bad image. Not in my book!
A review of the certification requirements for the flagship (ISC)2 certification, the CISSP, in order to bring it back to the level it once was on. Ideally with the incorporation of more in-depth requirements on a technical level, requirements in soft skills and, possibly, the addition of a written paper requirement that would show the knowledge the candidate has acquired during the learning process. This last requirement would feedback into the community becoming a valuable resource for security professionals globally.
I am from Europe. I still feel that many of the subject covered by (ISC)2 and other organizations are focused on the US. My goal is to widen the efforts to a global approach that brings communities from different continents together instead of seperating them further. While there is a different in laws, culture, etc. across continents, I firmly belief that we have more in common and there needs to be a better collaboration in order to address the security challenges we have coming at us.

Check out more details here. Or listen to the latest Eurotrashsec podcast where he explains more about his views.

For the latest updates, follow the #wim4board hashtag on Twitter

Don't just take my word for it. I can also see that I am not the only one who thinks this is a good idea. He has the support of a lot of good people.

You don't have the certificate? Then give out a shout to him online and throw up a blogpost!

Got for it Wim!!!

How to follow #Blackhat / #Defcon / #BsidesLV without being there (2011 edition) [Security4all]

Bkay — Wed, 03 Aug 2011 21:09:00 +0000

Note: update of my similar older posts

Well, I'm one of the poor souls who couldn't make it to the Blackhat/Defcon / SecurityBsides fun. There are some ways to follow the events in Vegas (real time). ;-)

The first tool is to use twitter and follow the hashtags #defcon, #blackhat and #bsideslv. If you have a twitter account, I would recommend installing tweetdeck and setting up 3 search columns. For those without a twitter account, you can use the Twitter search (and import it through RSS) or even better: twitterfall.com which is more interactive. Alternatively, give monitter also a try. Has a more Tweetdeck column "feel". I like it.

Keep an eye on the Security Bloggers Network (RSS). A lot of security bloggers will be covering the event.

You can also monitor Flickr for the tag 'defcon19' (RSS). And this site collects all the @blackhat and @defcon pictures from twitter: http://hashalbum.com/blackhat and http://hashalbum.com/defcon

This social media aggregator also looks nice: http://twubs.com/bsideslv, http://twubs.com/defcon and http://twubs.com/blackhat (all your tweets and twitpics are belong to us!) ;-)

I think that's more then enough to follow the event except for a live video stream. And in a limited way, for Blackhat there is one: https://www.blackhat.com/html/bh-us-11/bh-us-11-uplink.html. Giving it a go as we speak.

If you have more tips, feel free to mention them in the comments.

SANS Network Penetration Testing and Ethical Hacking (SEC560) – November 2011 @ Sydney [Wouter Veugelen]

Tue, 21 Jun 2011 10:01:16 +0000

Starting November 2011 I will be hosting and teaching the SANS SEC 560 Network Penetration Testing and Ethical Hacking course at the Ernst & Young Sydney facilities. Beware that this is the only time this SANS course will be taught in Sydney in 2011! SANS will be coming to Sydney in November with a range a different courses, however the SEC560 class is not one of them.

Attendees will learn how to perform detailed reconnaissance, learning about a target’s infrastructure by mining blogs, search engines, and social networking sites. We’ll then turn our attention to scanning, experimenting with numerous tools in hands-on exercises. Our exploitation phase will include the use of exploitation frameworks, stand-alone exploits, and other valuable tactics, all with hands-on exercises in our lab environment. The class also discusses how to prepare a final report, tailored to maximize the value of the test from both a management and technical perspective. The final portion of the class includes a comprehensive hands-on exercise, conducting a penetration test against a hypothetical target organization, following all of the steps.

Registering for the course can be done via the following URL: http://www.sans.org/mentor/details.php?nid=24964

10% Discount

I arranged a 10% discount for my blog readers. Use the discount code Mentor10 when registering for the course!

Information Security Forum (ISF) Standard of Good Practice for Information Security 2011 [Wouter Veugelen]

Sun, 05 Jun 2011 07:46:54 +0000

Information Security Forum (ISF) released the 2011 version of Standard of Good Practices for Information Security .

The 2011 Standard represents a major advance from the previous version, and is the most business-focused, practical and comprehensive guide available for identifying and managing information security risks in your organisation. This edition features significant enhancements to existing content, including 35 new topics – such as information security strategy, cloud computing, consumer devices, virtual servers, digital rights management and data storage.

The 2011 Standard is now also closely aligned to commonly-adopted information security-related standards, including ISO, COBIT, NIST, PCI DSS and ITIL. Not only does this help you comply with the world’s recognised information security standards more efficiently, it also supplements these standards with real-world, business-focused guidance that helps you meet the challenge of ever-changing information security risks.

ISF Standard of Good Practice for Information Security download (ISF members only)

Are you a pentester? Then read this! [Security4all]

Bkay — Thu, 24 Feb 2011 13:26:00 +0000

If you work in a Redteam, then the following "project" is certainly one to take note of!!!

The Open Penetration Testing Bookmarks Collection …is just that, a collection of handy bookmarks I initially collected that aid me in my day to day work or I find in the course of research. They are not all inclusive and some sections need to be parsed but they are all good reference materials. I find having this Hackery folder in Firefox an easy way to reference syntax, tricks, methods, and generally facilitate and organize research. Hopefully the initial set will grow and expand. Opening it up to everyone will facilitate a knowledge transfer.

Speaking of Pentesting, a lot of people have been complaining about the difference of quality and the lack of a standard for Pentesting assignments. So here we have it: the "Penetration Testing Execution Standard" has been kicked off by some experienced people from the field! It's far from finished but I expect some good things to come from it. Check it out!!!

The Dutch National Cyber Security Strategy [Security4all]

Bkay — Wed, 23 Feb 2011 19:29:00 +0000

Our Dutch neighbors will start a National Cyber Security Center. GoverCERT.nl will play a major role and published the strategy document this week. A lot of non-brainers are in there like the need for more international collaboration etc... There is an English version so you can read it yourself.

Download here

They did mention the need for more individual responsibility but apart from awareness campaigns, I'm not sure how they will achieve this. A lot of reports show that 30-50% (some even more) of consumers are infected with some kind of malware and this is certainly a problem that we need to tackle.

There was one little detail in the report that sparked my interest: "International Watch and Warning Network (IWWN)". I never heard about this before so please excuse me while I'll go Google it!

Does your country have a strategy? Link it below! ;-)

When a CERT has to break the law [Security4all]

Bkay — Wed, 23 Feb 2011 19:07:00 +0000

I spotted an interesting article on ZDnet Australia today: "Fraudsters escape as laws bind AusCERT".

AusCERT head Graham Ingram said the logs were previously viewable in plain text, but are now stored in a protected MySQL format.

"They are encrypted and we can't break that by law," he told an audience at the National Security Australia conference in Sydney yesterday.

This was the part that caught my eye. Is this a new trend? Is this a legal issue limited to Australia? At least I hope so. There have been many examples on police getting exempt from certain security laws like the "police trojans" (Germany). I have mixed feelings about such actions but I totally support a CERT or forensics team bypassing "protected" parts of a system if crimeware is involved. I'm just wondering if the malware writers had this legal issue in mind when they 'protected' the info or if they were just protecting their assets against competitors?

Speaking of CERTs, CERT Polska published a really interesting article today on the new Zeus malware involving banking trojans that infect Blackberries and Android phones. Check it out here. Now that banks are gearing towards dual authentication through phones and/or mobile apps, the threat landscape just followed. Where there is money, there is.....

Rogue HDDDefragmenter [miekiemoes]

noreply@blogger.com (miekiemoes) — Mon, 01 Nov 2010 08:11:00 +0000

HDD Defragmenter is a rogue which appears quite easy to get rid of. That's not what I wanted to talk about. It's about how much Rogues have improved.

Once installed, you get the following message:

Your executables cannot launch. Clicking the 'Scan Hard Drives' button brings up the next image:

When scanning, it even has a FAKE safe mode. Desktop just goes black with the corners showing 'Safe Mode':

Next images show how convincing these rogues can be:

To get rid of it, scan with Malwarebytes or another Antivirus/Antispyware application.

Credits go to sUBs for screenshots and analysis

Fighting Trojan Horses is a Family thing [miekiemoes]

noreply@blogger.com (miekiemoes) — Sat, 30 Oct 2010 06:55:00 +0000

My cousin Jimmy also fights Trojan Horses, but in a slightly different way...

More info and Biography of Jimmy here:

http://www.ultimatemotorcycling.com/2010/red-bull-fmx-motocross-conquer-troy
http://espn.go.com/action/fmx/blog/_/post/3847313

Google Analytics opt-out [Eternal sunshine of the geeky mind]

Wed, 26 May 2010 13:16:07 +0000

Google is finally giving endusers the option not to be monitored by Google Analytics anymore through the release of a new browser add-on named "Analytics Opt-out Browser Add-on". It is available for Internet Explorer (versions 7 and 8), Google Chrome (4.x and higher), and Mozilla Firefox (3.5 and higher). Get it here!

Secure googling [Eternal sunshine of the geeky mind]

Wed, 26 May 2010 12:49:44 +0000

From now on, you can protect your Google searches from eavesdropping as Google enabled HTTPS on its search engine.

A few notes on their blog indicate that it is still a 'beta' option:

- only the web search is SSL encrypted (image or map searches, for example, are not)

- slightly slower loading times to set up encryption

- your data and searches are not hidden from Google (if you read between the lines, that means that if law enforcement requests information about your search behavior, Google can still provide it) only from others that might eavesdrop on your connections

IT Security for the Next Generation contest [Eternal sunshine of the geeky mind]

Wed, 26 May 2010 12:47:50 +0000

Kaspersky is organizing the IT Security for the Next Generation conference later this year, and is calling all students of European universities to submit their research papers for a contest to participate in the conference and have a chance to present their paper for a large audience. Students from any European university can participate, free of charge, by writing a research paper about one of these topics:

Technical nomination

- Trends in Anti-Spam Development Techniques, Methods in the Spam Arms Race and new Innovations

- Dangers of an increasingly Networked World

- 'In the Cloud' Security

- Future Technologies for Detecting and Combating Malware (e.g. artificial intelligence, fuzzy systems, p2p networks)

Social, economic and legal nomination

- Emerging Threats (e.g. social network security, embedded systems security, mobile security, online banking security)

- Challenges and Opportunities for IT-Security Companies within the next 10 years

- Impact of technologies on Data Protection, Copy and Intellectual Property Rights and Jurisdiction

- Education in IT Security - Trends and Questions

More info here.

Google to EU: Trust us [Eternal sunshine of the geeky mind]

Tue, 19 Jan 2010 23:13:10 +0000

I'm usually a big fan on all things Google (from a user perspective, not professionally), but using the storage of search logs as an excuse for data data protection? Nu-uh!

Naked elves steal login credentials [Eternal sunshine of the geeky mind]

Mon, 14 Dec 2009 23:12:46 +0000

Sophos shed some light on a new Trojan 'Troj/Lneage-A' that takes advantage of the cliche that all MMORPG'ers are lonely males, popping up naked elves on the screens of drooling nerds while their game login information is stolen.

I'm waiting for the female version!