<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>iplosion security</title>
	<link>http://www.iplosion.com</link>
	<description>Discover Security Limits</description>
	<pubDate>Mon, 13 Oct 2008 14:43:43 +0000</pubDate>
	<generator>http://wordpress.org/?v=</generator>
	<language>en</language>
			<item>
		<title>iX Magazine Security Special with DAVIX</title>
		<link>http://www.iplosion.com/archives/73</link>
		<comments>http://www.iplosion.com/archives/73#comments</comments>
		<pubDate>Mon, 13 Oct 2008 14:41:33 +0000</pubDate>
		<dc:creator>jan.monsch</dc:creator>
		
	<category>News</category>
	<category>DAVIX</category>
	<category>Visualization</category>
		<guid isPermaLink="false">http://www.iplosion.com/archives/73</guid>
		<description><![CDATA[

After the DAVIX Visualization Workshop in Las Vegas, Christoph Puppe approached us and asked if we were interested in having DAVIX bundled with the upcoming information security special edition of the iX magazine. Since iX is a very well-established German periodical for IT professionals, we simply could not turn down such a generous offer.
Raffy, Christoph [...]]]></description>
			<content:encoded><![CDATA[
<p><img align="right" title="Raffy and Jan @ DEFCON 16" id="image74" alt="Raffy and Jan @ DEFCON 16" style="margin-left: 15px; margin-bottom: 5px" src="http://www.iplosion.com/wp-content/uploads/sue_3152_small.jpg" />After the <a title="Blackhat/DEFCON Visualization Retrospective" href="http://www.iplosion.com/archives/69">DAVIX Visualization Workshop</a> in Las Vegas, Christoph Puppe approached us and asked if we were interested in having <a title="DAVA - The Data Analysis and Visualization Linux" href="http://davix.secviz.org">DAVIX</a> bundled with the upcoming information security special edition of the iX magazine. Since iX is a very well-established German periodical for IT professionals, we simply could not turn down such a generous offer.</p>
<p>Raffy, Christoph and I put our heads together and at lightning speed wrote an article about DAVIX. The article gives an introduction to the information visualization process and the DAVIX toolset, and features a sample analysis that checks network policy compliance using network flows captured with <a title="Argus" href="http://qosient.com/argus/">Argus</a> and visualized with <a title="AfterGlow" href="http://afterglow.sourceforge.net/">AfterGlow</a>.</p>
<p><img align="left" id="image76" alt="iX Special Edition Autumn 2008" title="iX Special Edition Autumn 2008" style="margin-right: 15px; margin-bottom: 5px" src="http://www.iplosion.com/wp-content/uploads/ix_special_edition_autumn_2008.jpg" />The <a title="iX special " href="http://www.heise.de/security/iX-special-Sicher-im-Netz--/news/meldung/117186">special edition</a>, due to be released on October 16, comes with a multi-boot DVD containing several live CDs. Apart from DAVIX there will be <a title="Avira Rescue" href="http://www.free-av.com/de/tools/12/avira_antivir_rescue_system.html">Avira Rescue</a>, <a title="BackTrack 3" href="http://www.remote-exploit.org/backtrack.html">BackTrack 3</a>, <a title="Damn Vulnerable Linux (DVL)" href="http://www.damnvulnerablelinux.org/">Damn Vulnerable Linux (DVL)</a> and <a title="(R)ecovery (I)s (P)ossible" href="http://www.tux.org/pub/people/kent-robotti/looplinux/rip/">(R)ecovery (I)s (P)ossible</a> on the disc. DVL in particular is a very interesting piece. It is a Linux distro containing as many vulnerable software packages as possible. If you are looking for a playground to train your skills or a simple way to get an environment for teaching security classes, this is it!
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.iplosion.com/archives/73/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Blackhat/DEFCON Visualization Retrospective</title>
		<link>http://www.iplosion.com/archives/69</link>
		<comments>http://www.iplosion.com/archives/69#comments</comments>
		<pubDate>Mon, 22 Sep 2008 10:20:58 +0000</pubDate>
		<dc:creator>jan.monsch</dc:creator>
		
	<category>Reports</category>
	<category>Talks</category>
	<category>DAVIX</category>
	<category>Visualization</category>
		<guid isPermaLink="false">http://www.iplosion.com/archives/69</guid>
		<description><![CDATA[

From a data mining and visualization perspective the conferences in Las Vegas offered a couple of highlights for me. First of all Raffy&#8217;s book Applied Security Visualization was finally launched and I had the first chance to see and hold the book with the DAVIX CD in my own hands at the bookseller booth. After [...]]]></description>
			<content:encoded><![CDATA[
<p><img align="left" title="Las Vegas - Encore, Wynn &#038; Palazzo Towers" id="image70" alt="Las Vegas - Encore, Wynn &#038; Palazzo Towers" style="margin-right: 15px; margin-bottom: 5px" src="http://www.iplosion.com/wp-content/uploads/las_vegas_encore_wynn.jpg" />From a data mining and visualization perspective the conferences in Las Vegas offered a couple of highlights for me. First of all Raffy&#8217;s book <a title="Applied Security Visualization" href="http://www.secviz.org/content/applied-security-visualization">Applied Security Visualization</a> was finally launched and I had the first chance to see and hold the book with the <a title="DAVIX - Data Analysis and Visualization Linux" href="http://davix.secviz.org/">DAVIX CD</a> in my own hands at the bookseller booth. After hours of reviewing the book and building the live CD during the last eight months, it was a great relief that it was finally done.</p>
<p>I very much anticipated Greg Conti&#8217;s and Erik Dean&#8217;s talk on binary visualization (<a title="Visual Forensic Analysis and Reverse Engineering of Binary Data" href="http://www.rumint.org/gregconti/publications/200808_binviz38_dc_final.ppt">PPT Slides</a>). Their newest tool, <a title="DanglyBytes" href="http://www.rumint.org/software/danglybytes/db.zip">DanglyBytes</a>, allows for interactive analysis of binary data in multiple views. The different views decode the data in multiple ways: one view just prints the bit stream in a window, while another decodes a series of bytes as an RGB value. Their demo of a Windows error dump was a revelation: using a slider on one of the views they could adjust the column width of the view, and while moving the slider Google and Wikipedia images began to appear out of the noise. I am looking forward to playing around with it myself.</p>
<p>Another interesting discovery in the Blackhat vendor area was the company <a title="Lookingglass" href="http://www.looking-glass.com/">Lookingglass</a> with their software as a service (SaaS) called <a title="ScoutVision" href="http://www.scout-vision.com/">ScoutVision</a>. They have built an infrastructure that stores Internet meta information in a database and provides its customers with client software to access and visualize this information remotely. For well-paying customers they offer a service where clients can tie in their own IT data.</p>
<p><img align="right" title="Main Entrance Caesars Palace" id="image71" alt="Main Entrance Caesars Palace" style="margin-left: 15px; margin-bottom: 5px" src="http://www.iplosion.com/wp-content/uploads/las_vegas_caesars_palace.jpg" />While preparing for the DAVIX Visualization Workshop in the CTF lounge, I saw a dude visualizing network traffic in <a title="Processing" href="http://www.processing.org/">Processing</a>. I approached him and we started chatting about visualization. Interestingly, he knew about neither <a title="secviz.org" href="http://www.secviz.org">secviz.org</a> nor <a title="DAVIX" href="http://davix.secviz.org">DAVIX</a>. Over the course of DEFCON I found out that many people are toying around with visualization as well, but there is no interaction between these people. This is definitely something we should be working on over the upcoming months. I hope that DAVIX will help to connect people interested in security visualization.</p>
<p>On Sunday our DAVIX Visualization Workshop was on (<a title="DAVIX Visualization Workshop" href="http://www.iplosion.com/papers/defcon16_davix_visualization_workshop.pdf">Slides</a>). During our introductory talk on DAVIX there were about 120 attendees. We were very surprised to see such interest, although many DEFCON participants had already gone home and it was during the last three hours of DEFCON. So there is definitely potential for future activities.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.iplosion.com/archives/69/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>DAVIX 1.0.1 Officially Launched</title>
		<link>http://www.iplosion.com/archives/67</link>
		<comments>http://www.iplosion.com/archives/67#comments</comments>
		<pubDate>Thu, 14 Aug 2008 22:39:18 +0000</pubDate>
		<dc:creator>jan.monsch</dc:creator>
		
	<category>Reports</category>
	<category>DAVIX</category>
	<category>Visualization</category>
		<guid isPermaLink="false">http://www.iplosion.com/archives/67</guid>
		<description><![CDATA[

After months of building and testing, the long anticipated release of DAVIX - The Data Analysis &#038; Visualization Linux® - arrived last week during Blackhat/DEFCON in Las Vegas. It is a very exciting moment for me and I am curious to see how the product is received by the audience. So far the ISO image has [...]]]></description>
			<content:encoded><![CDATA[
<p>After months of building and testing, the long anticipated release of DAVIX - The Data Analysis &#038; Visualization Linux® - arrived last week during <a title="Blackhat" href="http://www.blackhat.com">Blackhat</a>/<a title="DEFCON" href="http://www.defcon.org">DEFCON </a>in Las Vegas. It is a very exciting moment for me and I am curious to see how the product is received by the audience. So far the ISO image has been downloaded at least 600 times from our main distribution server. Downloads from the mirrors are not counted.</p>
<p><a title="Applied Security Visualization - Rough Cuts Version" href="http://safari.informit.com/9780321585530?tocview=true"><img align="right" style="margin-left: 15px; margin-bottom: 5px" title="Applied Security Visualization" id="image68" alt="Applied Security Visualization" src="http://www.iplosion.com/wp-content/uploads/applied_security_visualization.jpg" /></a>Additionally, Raffael Marty&#8217;s book <em><a title="Applied Security Visualization" href="http://www.informit.com/store/product.aspx?isbn=0321510100">Applied Security Visualization</a></em> is now available in print. DAVIX was built with this particular book in mind. If you are looking for a methodology and not just a workable tool set, then the book is what you are looking for. The book covers all steps from the very basics to complete case studies and contains many hands-on examples. Therefore, the book together with DAVIX 1.0.1 is the perfect match for getting you started with security visualization. For a preview of the book&#8217;s content check out the <a title="Applied Security Visualization - Rough Cuts Version" href="http://safari.informit.com/9780321585530?tocview=true">rough cuts version</a>.</p>
<p>All those eager to get their hands dirty immediately can find a description as well as the download links for the DAVIX ISO image on the <a title="davix.secviz.org" href="http://davix.secviz.org">DAVIX homepage</a>. I wish you happy visualizing!
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.iplosion.com/archives/67/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>DAVIX - A Look Behind the Scene</title>
		<link>http://www.iplosion.com/archives/63</link>
		<comments>http://www.iplosion.com/archives/63#comments</comments>
		<pubDate>Sat, 19 Jul 2008 18:54:33 +0000</pubDate>
		<dc:creator>jan.monsch</dc:creator>
		
	<category>Reports</category>
	<category>Talks</category>
	<category>DAVIX</category>
	<category>Visualization</category>
		<guid isPermaLink="false">http://www.iplosion.com/archives/63</guid>
		<description><![CDATA[

Although it has been very quiet on this blog for quite a while, lots of activities in the background have been keeping me busy. During the last six months I have been working on my new pet project DAVIX that relates to my interest in security data mining and visualization. But let me start at [...]]]></description>
			<content:encoded><![CDATA[
<p><a title="davix.secviz.org" href="http://davix.secviz.org"><img align="right" title="DAVIX Logo" alt="DAVIX Logo" id="image65" src="http://www.iplosion.com/wp-content/uploads/davix_logo_300c.png" /></a>Although it has been very quiet on this blog for quite a while, lots of activities in the background have been keeping me busy. During the last six months I have been working on my new pet project <a title="DAVIX secviz.org" href="http://davix.secviz.org">DAVIX</a> that relates to my interest in security data mining and visualization. But let me start at the beginning.</p>
<p>While playing around with visualization I found that there are lots of tools on the net, but getting them to run can cause quite some headaches. So I thought that it would be cool to have an environment where all those tools are available ready to use. As time went by, the idea of a Linux live CD system materialized in my mind. Between Christmas and New Year, while watching 24C3 live streams in the background, I started playing around with <a title="SLAX - Your Pocket Operating System" href="http://www.slax.org/">SLAX</a>, a modularized Slackware-based live CD system. I found it very useful for my purpose and decided to use it as the base for the visualization live CD.</p>
<p>Since I knew that Raffael Marty was writing his book <em><a title="Applied Security Visualization" href="http://www.informit.com/store/product.aspx?isbn=0321510100">Applied Security Visualization</a></em>, I contacted him in January 2008, told him about my project and asked which tools should be included on the CD. Raffy was hooked by the idea from the get-go and asked me bluntly if I would do the CD for his book. Of course I agreed immediately. To get a jump start on adding visualization tools, Raffy provided me with chapter 9 of his book, which contains a list of visualization tools and instructions on how to get them running. At around the same time I was selected for the technical review board for Raffy&#8217;s book, and I alternately reviewed chapters of Raffy&#8217;s awesome book and built the CD.</p>
<p>Since the live CD project was nameless at the time, I thought about an appropriate name for it. After toying with a couple of ideas I came up with the name DAVIX as a short form of Data Analysis and Visualization Linux®. I also liked the reference to the biblical figure David who fought against the giant Goliath. In terms of our project it means that with the &#8220;small&#8221; live system DAVIX you fight the gigantic heaps of log files and network captures.</p>
<p><img align="middle" alt="Las Vegas Skyline" id="image66" title="Las Vegas Skyline" src="http://www.iplosion.com/wp-content/uploads/las_vegas_skyline.jpg" /></p>
<p>DAVIX currently integrates about 180 software packages that contribute to about 40 high-level tools for capturing, processing and visualizing data. The project is now in its final rounds of building and testing and will be officially released during Greg Conti&#8217;s <a title="Visual Forensic Analysis and Reverse Engineering of Binary Data" href="http://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Conti">Blackhat</a> and <a title="Could Googling Take Down a President, a Prime Minister, or an Average Citizen? " href="http://www.defcon.org/html/defcon-16/dc-16-speakers.html#Conti">DEFCON</a> talks. For all of you who want first-hand experience with DAVIX, Raffy and I invite you to our <a title="DAVIX Visualization Workshop " href="http://www.defcon.org/html/defcon-16/dc-16-speakers.html#DAVIX">DAVIX Visualization Workshop</a> at DEFCON 16. The session will be held on Sunday, August 10th 2008 from 2 PM to 4 PM.</p>
<p>See you in Las Vegas!
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.iplosion.com/archives/63/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>A Visit to the Canadian Parliament and Confiscated Items</title>
		<link>http://www.iplosion.com/archives/59</link>
		<comments>http://www.iplosion.com/archives/59#comments</comments>
		<pubDate>Wed, 16 Jul 2008 19:39:00 +0000</pubDate>
		<dc:creator>jan.monsch</dc:creator>
		
	<category>Observations</category>
		<guid isPermaLink="false">http://www.iplosion.com/archives/59</guid>
		<description><![CDATA[

Last year I traveled through Canada. One of my stopovers was in Ottawa. Very nice friends of mine recommended that I pay a visit to Parliament Hill and take a tour through the Center Block. To my surprise the parliament offers free tours through the buildings. So I decided to participate.
On entering [...]]]></description>
			<content:encoded><![CDATA[
<p><img align="left" style="margin-right: 15px; margin-bottom: 5px" title="Canadian Parliament Center Block Peace Tower" id="image61" alt="Canadian Parliament Center Block Peace Tower" src="http://www.iplosion.com/wp-content/uploads/canadian_parliament_center_block.jpg" />Last year I traveled through Canada. One of my stopovers was in Ottawa. Very nice friends of mine recommended that I pay a visit to Parliament Hill and take a tour through the Center Block. To my surprise the parliament offers free tours through the buildings. So I decided to participate.</p>
<p>On entering the building, everybody got an airport-quality security check with x-ray and metal detector, and we were asked to shut down our mobile phones. Then I enjoyed the tour through this magnificent building with stops at the House of Commons and the Senate as well as the newly renovated library.</p>
<p>When the tour came to an end, the guide announced further points of interest. As one of her final sentences she said that stuff which got confiscated during the security check can be collected at the desk right next to the exit of the building. I found that pretty weird. What could that be? A magnum, a rifle, a bomb, a lighter, matches? Then I let my thoughts pass&#8230;</p>
<p>When I moved towards the exit I observed a young guy with dreadlocks and his girlfriend in the process of collecting their confiscated goods: secateurs and a handsaw!
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.iplosion.com/archives/59/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Skype Trojan Protection - Disable Skype API and File Transfer</title>
		<link>http://www.iplosion.com/archives/57</link>
		<comments>http://www.iplosion.com/archives/57#comments</comments>
		<pubDate>Thu, 21 Dec 2006 19:03:50 +0000</pubDate>
		<dc:creator>jan.monsch</dc:creator>
		
	<category>Reports</category>
	<category>Malware</category>
	<category>Skype</category>
		<guid isPermaLink="false">http://www.iplosion.com/archives/57</guid>
		<description><![CDATA[

This week Websense reported the first Trojan using the Skype API as part of its evil workings. The currently available information does not tell us what the Trojan uses the Skype API for. As already discussed in the blog article &#8220;Proof-of-Concept Trojan using Skype API&#8221;, such a Trojan can hide its communication in the Skype [...]]]></description>
			<content:encoded><![CDATA[
<p>This week <a target="_blank" title="Skype Trojan Horse" href="http://www.websense.com/securitylabs/alerts/alert.php?AlertID=716">Websense</a> reported the first Trojan using the <a title="Skype Public API 2.0 Reference Guide" target="_blank" href="https://developer.skype.com/Docs/ApiDoc">Skype API</a> as part of its evil workings. The currently available information does not tell us what the Trojan uses the Skype API for. As already discussed in the blog article <em><a title="Proof-of-Concept Trojan using Skype API" target="_blank" href="http://www.iplosion.com/archives/44">&#8220;Proof-of-Concept Trojan using Skype API&#8221;</a></em>, such a Trojan can hide its communication in the Skype network and no currently available content inspection technique will be able to cope with such a covert channel. Although the current Trojan will provoke a warning dialog from the Skype client, telling the user that a third party program wants to access the Skype API, it is most likely that adversaries will soon learn to bypass this warning using some Windows low-level API.</p>
<div style="text-align: center"><img title="Skype API warning dialog when a third party application attaches to the Skype client for the first time" alt="Skype API warning dialog when a third party application attaches to the Skype client for the first time" src="http://www.iplosion.com/reports/skype_api_warning_dialog.png" /></div>
<p align="left">As we can see from the above screenshot, the user can permanently enable access for a particular third party application. This prevents the warning dialog from being shown in future. If a user has accidentally permitted access or wants to know which applications have access to the Skype API, he or she can find a link called <em>&#8220;Manage other programs&#8217; access to Skype&#8221;</em> in the section <em>Privacy</em> of the Skype <em>Options </em>dialog.</p>
<p align="center"><img alt="Skype Options" title="Skype Options" src="http://www.iplosion.com/reports/skype_options.png" /></p>
<p align="left">There he or she can view or modify the permissions for each individual third party application.</p>
<p align="center"><img alt="Manage API Access Control" title="Manage API Access Control" src="http://www.iplosion.com/reports/skype_manage_api_access_control.png" /></p>
<p align="left">According to Bill Campbell&#8217;s article <a title="Simple corporate security tip: disable Skype API and File Transfer" target="_blank" href="http://www.skypejournal.com/blog/archives/2005/11/simple_corporate_security_tip_disable_sk_1.php"><em>&#8220;Simple corporate security tip: disable Skype API and File Transfer&#8221;</em></a> there is a way to disable the Skype API using registry settings. The following registry key is officially documented in the Skype knowledgebase article <a target="_blank" title="How can I disable access to the API?" href="http://support.skype.com/index.php?_a=knowledgebase&#038;_j=questiondetails&#038;_i=632">632</a>. The policy prevents any third party application from attaching to the Skype API.</p>
<blockquote><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone]<br />
&#8220;DisableApi&#8221;=dword:00000001</p></blockquote>
<p>Inbound and outbound file transfers can also be disabled by a registry setting. This is documented in the Skype knowledgebase article <a target="_blank" title="How can I disable File Transfer?" href="http://support.skype.com/index.php?_a=knowledgebase&#038;_j=questiondetails&#038;_i=631">631</a>:</p>
<blockquote><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone]<br />
&#8220;DisableFileTransfer&#8221;=dword:00000001</p></blockquote>
<p>After applying the file transfer policy, an error dialog is shown to the user when he or she wants to send a file from a protected client:</p>
<div style="text-align: center"><img title="Error dialog when a user wants to send a file from a policy protected system." alt="Error dialog when a user wants to send a file from a policy protected system." src="http://www.iplosion.com/reports/skype_filetransfer_from_policy_protected_local_client.png" /></div>
<p>When sending a file to a policy protected Skype client the file transfer immediately aborts and the following error is shown:</p>
<div style="text-align: center"><img title="Error message shown when a file is sent to a policy protected Skype client" alt="Error message shown when a file is sent to a policy protected Skype client" src="http://www.iplosion.com/reports/skype_filetransfer_to_policy_protected_remote_client.png" /></div>
<p>I have verified both registry settings and they both work. In a corporate environment this allows administrators to lock down Skype. But it requires that the user does not have administrative privileges; otherwise the Trojan can remove these entries again. Administrators must further ensure that the registry ACL does not permit users to modify these registry keys.</p>
<p>As a preemptive measure I suggest that companies that do not have Skype deployed should also deploy the above registry settings to their workstations using Windows Group Policies. This prevents the two most dangerous use cases in the event that employees place the Skype executable onto their system without permission. It should be noted that Skype does not require any special privileges to run. Being an ordinary user is quite enough.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.iplosion.com/archives/57/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Ruining Security with java.util.Random</title>
		<link>http://www.iplosion.com/archives/47</link>
		<comments>http://www.iplosion.com/archives/47#comments</comments>
		<pubDate>Fri, 15 Dec 2006 17:03:01 +0000</pubDate>
		<dc:creator>jan.monsch</dc:creator>
		
	<category>Papers</category>
	<category>Java</category>
	<category>Weblication</category>
		<guid isPermaLink="false">http://www.iplosion.com/archives/47</guid>
		<description><![CDATA[

In my review practice I often have to look at Java source code which is used to generate passwords, authentication tokens or session ids. Ever so often this code uses the Java API class java.util.Random to generate random numbers. It is well-established in the security industry that this particular random generator is not secure. Since I [...]]]></description>
			<content:encoded><![CDATA[
<p>In my review practice I often have to look at Java source code which is used to generate passwords, authentication tokens or session ids. Ever so often this code uses the Java API class <em><a target="_blank" title="Java Documentation java.util.Random" href="http://java.sun.com/j2se/1.4.2/docs/api/java/util/Random.html">java.util.Random</a></em> to generate random numbers. It is well-established in the security industry that this particular random generator is not secure. Since I did not know the reason for this perception, I started to have a closer look.</p>
<p>During the review of the Java API source code I discovered two vulnerabilities which cause the internal state of <em>java.util.Random</em> to be partially exposed or easily guessable. The paper <a title="Ruining Security with java.util.Random" href="http://www.iplosion.com/papers/ruining_security_with_java.util.random_v1.0.pdf"><em>Ruining Security with java.util.Random</em></a> demonstrates two techniques by which security mechanisms based on <em>java.util.Random</em> can be attacked and, under certain conditions, broken within seconds. Using these weaknesses an attacker can synchronize into the stream of random numbers and therefore calculate all future random numbers. For security-relevant code java.util.Random should never be used. At least the Java class <em>java.security.SecureRandom</em> with the default constructor should be utilized. This provides much better security.</p>
<p>If you know about other vulnerabilities in the design of <em>java.util.Random</em> or you know about vulnerabilities in <a target="_blank" title="Java Documentation of java.security.SecureRandom" href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/SecureRandom.html"><em>java.security.SecureRandom</em></a> I would be happy to hear about it.
</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.iplosion.com/archives/47/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Trends at Black Hat USA 2006 and DEFCON 14</title>
		<link>http://www.iplosion.com/archives/56</link>
		<comments>http://www.iplosion.com/archives/56#comments</comments>
		<pubDate>Mon, 11 Dec 2006 14:10:48 +0000</pubDate>
		<dc:creator>jan.monsch</dc:creator>
		
	<category>Papers</category>
		<guid isPermaLink="false">http://www.iplosion.com/archives/56</guid>
		<description><![CDATA[

Black Hat USA and DEFCON in Las Vegas are amongst the biggest IT security conferences in the world. This year Walter Sprenger and I had the opportunity to attend. Both events have been very interesting on their own merits. Whereas Black Hat is more directed towards the corporate IT users, DEFCON addresses the security geeks. [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal"><a title="Blackhat Homepage" target="_blank" href="http://www.blackhat.com">Black Hat USA</a> and <a title="DEFCON Homepage" target="_blank" href="http://www.defcon.org">DEFCON </a>in Las Vegas are amongst the biggest IT security conferences in the world. This year Walter Sprenger and I had the opportunity to attend. Both events have been very interesting on their own merits. Whereas Black Hat is more directed towards corporate IT users, DEFCON addresses the security geeks. For me Black Hat had the most interesting presentations and DEFCON proved to be the better place to network with people.</p>
<p class="MsoNormal">The biggest topics this year at Black Hat were VoIP security, Windows Vista security and all flavors of phishing attacks (Phishing, Vishing, SMiShing). As users grow aware of e-mail based phishing, they are likely to fall victim to phishing originating from other communication channels. Although web application security has been top of the agenda for IT security professionals for years, the situation does not seem to improve but rather worsens: Cross-Site Scripting based worms and Intranet attacks are the new kids on the block. With the large adoption of the <a title="Wikipedia - AJAX (Programming)" target="_blank" href="http://en.wikipedia.org/wiki/Ajax_%28programming%29">AJAX concept</a>, new opportunities for attacks will arise. The new advances in attacking WLANs and Bluetooth devices are also interesting. At the DEFCON talks reverse engineering and privacy issues were the main topics. Of course the fun factor with all the contests (CTF, warwalking, lock picking, beverage cooling) has its own charm.</p>
<p class="MsoNormal">Walter and I have put together a <strong><a title="Trends at Blackhat/DEFCON 2006" href="http://www.iplosion.com/papers/trends_at_blackhat_defcon_2006_v2.2.pdf">document with the latest IT security trends (5.2 MB)</a></strong> we have picked up at the conferences. Some pictures have been added to give you an impression of both events. See the <a title="Blackhat USA 2006 Proceedings" target="_blank" href="http://www.blackhat.com/html/bh-media-archives/bh-archives-2006.html#us-2006">Black Hat USA 2006</a> and the <a target="_blank" title="DEFCON 14 Proceedings" href="http://www.defcon.org/html/links/defcon-media-archives.html#dc_14">DEFCON 14 proceedings</a> for further details.</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.iplosion.com/archives/56/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Enforcing Java Security Manager in Restricted Windows Environments?</title>
		<link>http://www.iplosion.com/archives/54</link>
		<comments>http://www.iplosion.com/archives/54#comments</comments>
		<pubDate>Fri, 08 Dec 2006 00:44:00 +0000</pubDate>
		<dc:creator>jan.monsch</dc:creator>
		
	<category>Reports</category>
	<category>Java</category>
	<category>Citrix</category>
	<category>Terminal Server</category>
		<guid isPermaLink="false">http://www.iplosion.com/archives/54</guid>
		<description><![CDATA[

Lately I came across several Citrix and Terminal Server projects which provide a restricted set of applications to their users. This is achieved using Windows Software Restriction Policies or AppSense Application Manager to whitelist or blacklist executables.
One of these permitted binaries is often java.exe. Now the problem arises that once Java is enabled any [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal">Lately I came across several Citrix and Terminal Server projects which provide a restricted set of applications to their users. This is achieved using <a title="Using Software Restriction Policies to Protect Against Unauthorized Software" target="_blank" href="http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx">Windows Software Restriction Policies</a> or <a title="AppSense Application Manager" target="_blank" href="http://www.appsense.com/content/products/application_manager/application_manager.asp">AppSense Application Manager</a> to whitelist or blacklist executables.</p>
<p class="MsoNormal">One of these permitted binaries is often <em>java.exe</em>. Now the problem arises that once Java is enabled, any Java application can be executed on the system. This allows a malicious user to execute arbitrary Java code, like replacement shells (<a title="JSH - The Open-Source Shell" target="_blank" href="http://gerard.collin3.free.fr/">JSH</a>), RDP clients (<a title="properJavaRDP" target="_blank" href="http://properjavardp.sourceforge.net/">Propero Java RDP</a>) and network port scanners. I could block <em>java.exe</em>, but the business requires that the company&#8217;s Java application must still work. This led me to research how to whitelist Java applications in a restricted Windows environment.</p>
<p class="MsoNormal">First of all, Java has a mechanism called Java 2 Security which allows implementing policies based on code location or digital signatures. These policies are configured through the files <a target="_blank" title="Default Policy Implementation and Policy File Syntax" href="http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html"><em>java.policy</em></a> and <a target="_blank" title="The java.security Properties File" href="http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/HowToImplAJCEProvider.html#AppC"><em>java.security</em></a>. When <em>java.exe</em> gets executed, these policies are not enforced by default. To enforce the restrictions, the Java system property <em>java.security.manager</em> must be included on the startup command line:</p>
<blockquote>
<p class="MsoNormal">java.exe -Djava.security.manager MyCode</p>
</blockquote>
<p class="MsoNormal">This property causes Java&#8217;s Security Manager to be installed and the policy to be enforced. So far so good. But how can I pass this parameter without it having to be specified on the command line? Well, Java offers the environment variable <em>_JAVA_OPTIONS</em>. So I thought I would place the parameter into a Windows system environment variable:</p>
<blockquote>
<p class="MsoNormal">_JAVA_OPTIONS=-Djava.security.manager=</p>
</blockquote>
<p class="MsoNormal">Testing revealed that <em>java.exe</em> can be executed with the Security Manager enabled without passing the parameter on the command line directly. Further testing revealed that when I start a <em>cmd.exe</em> as a low-privileged user, I can overwrite this system environment variable and bypass the Java Security Manager using the following command:</p>
<blockquote>
<p class="MsoNormal">set _JAVA_OPTIONS=</p>
</blockquote>
<p class="MsoNormal">I tried the same from within a Microsoft Word macro. The effect is the same. According to my research and feedback from Microsoft, system environment variables can always be overwritten locally within a process. In the paper <a target="_blank" title="Software Restriction Policies in Windows XP" href="http://www.virusbtn.com/files/johnlambert_vb2002.pdf"><em>Software Restriction Policies in Windows XP</em></a>, on page 13 in the chapter <em>Analysis of Path Rule</em>, John Lambert writes:</p>
<blockquote>
<p class="MsoNormal"><span style="font-style: italic">Environment variables are not secure, and any user who can load a command prompt can temporarily redefine them.</span></p>
</blockquote>
<p class="MsoNormal">So this boils down to my question: <strong>Is there a way to tell <em>java.exe</em> to always use the Java Security Manager without the possibility of manipulation by the user?</strong></p>
<p class="MsoNormal">I would be very interested to learn your ideas. For those of you who want to play with it yourselves, I provide a <a href="http://www.iplosion.com/tools/enforce_java_security.zip">ZIP archive</a> with the files I used for testing. Please send your comments by mail to: jan.monsch ät iplosion.com. I will then write up a post with the discussion results.</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.iplosion.com/archives/54/feed/</wfw:commentRSS>
		</item>
		<item>
		<title>Some Thoughts about Office Open XML and Malware Detection</title>
		<link>http://www.iplosion.com/archives/48</link>
		<comments>http://www.iplosion.com/archives/48#comments</comments>
		<pubDate>Sun, 03 Dec 2006 21:15:46 +0000</pubDate>
		<dc:creator>jan.monsch</dc:creator>
		
	<category>Reports</category>
	<category>Malware</category>
	<category>XML</category>
		<guid isPermaLink="false">http://www.iplosion.com/archives/48</guid>
		<description><![CDATA[

Last week I have been googling around for comments and reactions to my report Malware Detection Rate in Alternative Word Formats which was posted in the ISC diary on August 23rd, 2006. To sum it up, there have not been many reactions in magazines or the like, but it got at least the [...]]]></description>
			<content:encoded><![CDATA[
<p>Last week I have been googling around for comments and reactions to my report <em><a title="Malware Detection Rate in Alternative Word Formats" href="http://www.iplosion.com/archives/3">Malware Detection Rate in Alternative Word Formats</a></em> which was posted in the <a target="_blank" title="More On Encoded Malware" href="http://isc.sans.org/diary.php?storyid=1630">ISC diary on August 23rd, 2006</a>. To sum it up, there have not been many reactions in magazines or the like, but it got at least the attention of the malware research community.<br />
There is a very interesting follow-up article from Christoph Alme in the October 2006 edition of the <a title="Virus Bulletin Homepage" target="_blank" href="http://www.virusbtn.com/">Virus Bulletin</a>. The two-page article <a target="_blank" href="http://www.securecomputing.com/pdf/CAlme_VBOct06.pdf"><em>Scanning Embedded Objects in Word XML Files</em></a> elaborates on how AV products can identify embedded objects in Word XML files. He shows that XML documents can be manipulated slightly, within the flexibility offered by the XML standard, and still be considered valid Word documents. Using the same <a title="VirusTotal Homepage" target="_blank" href="http://www.virustotal.com/">VirusTotal-based</a> testing method as I did, he demonstrates that all existing AV products can be bypassed. As you might remember from my initial paper, only three AV products were capable of finding embedded malware in my run-of-the-mill XML documents.</p>
<p>So what does this tell us? The most likely reason is that these three virus scanners do not really understand the XML document format. They most likely have no XML parser integrated, or the parser only implements the XML standard partially. This once again boils down to the conclusion that decoding capability is the name of the game.</p>
<p>Now let us speculate that AV products will integrate a complete off-the-shelf XML parser. Will this help? Well, it will help to properly decode XML documents, but it will most likely introduce new vulnerabilities in AV products so far unheard of. (Actually, the motivation for writing this article is to prevent AV vendors from releasing such broken products.) Let us take XML external DTD references as an example. If the XML parser is used in its default configuration or is not configured properly, scanning an XML document with an external reference will result in requests to external sites. That is nice. This would allow an attacker to track malware distribution or download additional exploit files to the scanning system.</p>
<p>With the release of Office 2007 a couple of days ago, which will have the Office Open XML format as its standard storage format, the urge for XML-enabled AV products will grow. My retesting today shows that the detection rate of Netsky as an embedded object in an Office 2003 Word XML document is still at the same level as 3 months ago. I fear that the AV industry is not quite ready yet to protect its customers against XML-delivered attacks.</p>
]]></content:encoded>
			<wfw:commentRSS>http://www.iplosion.com/archives/48/feed/</wfw:commentRSS>
		</item>
	</channel>
</rss>
