Thursday 27 May 2010

Training courses - Nerd steroids

A few years ago when I was trying to break free of the more mundane trappings of IT, I decided to take some certifications. I began with compTIA and took my Network+ and Security+ exams. Imagine my surprise when these certification exams took me no more than 15 minutes apiece to ACE. They were so easy it became embarrassing to tell people that i had bothered to take them. I have considered many times going for my CCNA and CCSP but never gotten around to it. I am now in the process of taking a 10day course from infosecinstitute. This course is actually comprised of two courses jammed together into a single bootcamp. I am doing the online version of the course, unable to get my company to buy in for the additional costs of actually attending a physical class. these courses are centered around the CEH, CPT, and CEPT certifications. I am not very far into the first week of material and I am starting to get that sinking feeling again.

I don't want to bad mouth infosecinstitute and it's training...at least not yet. However, the entire first day was essential an introduction into using vmware and linux. They do this because they want to be able to cater to people who might not have experience in those areas. My question is, what are such people doing taking courses on pentesting? If you don't know how to set up a VM, or how to kill a process in linux, you've got a long way to before you can be a pentester, and it is going to take a lot longer than two weeks. This is where the steroid analogy comes in. People seem to approach these classes as a quick fix, rather like steroids. "If I take this class, i will learn to be a 1337 h4x0r".

DarkNet has a post about training courses right now too. In it he talks about how the CEH is pathetic(I am inclined to agree so far) and then talks about a few other courses/certs. Frankly speaking, these look much the same as every other one I've looked at. They seem tantalizing at first, then you realize it's the same recap bullshit and you learn nothing new.

 Let's give up on steroids guys, and start thinking about some workout regimens. I want to see training courses out there that say outright "If you don't know what the different kinds of vulnerabilities are, or if you don't know how to find SQL injection, xss etc...don't take this class" Let's have some classes that start with "So you know how to find some vulnerabilities, let's talk about advanced techniques, and things you never thought to try before". Let's talk about how you maximize your extraction from a SQL injection, or what things work in Oracle or in MSSQL, or U2, or Sybase etc. Let's talk about some advanced encoding tricks, and how to pack javascript to get around filters. Let's talk about writing shellcode to try and exploit in a buffer overflow.

I am tired of having to rehash the same crap over and over again. Then I read what things RSnake or someone else is up to. I stop and think "hrm, what are they doing differently than me. What do they do better than me. Why?" I want to see training courses that answer those questions. I want something that says "okay, you're a pentester. now let me show you how the big boys do it"

Anyways, that is my rant for the day. Stay tuned as I am going to be working on putting together a bit of a SQL Injection cheat sheet in the coming weeks. I hope to have something comparable to RSnake's XSS cheat sheet and a lot better than the other ones I've seen.

Monday 24 May 2010

Pakistan and the cyber-jihad?

Wow, I have been out of touch with current events and have been playing catch up a little. I just read about Pakistan's own ISP PieNet taking down youtube. Apparently there has been a big battle of wills between the Pakistani government and sites like youtube, facebook, and our own beloved blogger.com. Well the Pakistani government mandated that these sites be blocked. So PieNet decided to send out BGP announcements for youtube, redirecting traffic to themselves....brilliant. aside from the stupidity of this approach( as they slammed themselves with all of the youtube traffic and then got cutoff by their upstream provider) this is pretty amazing. I am not aware of anything quite like this incident happening before.

An actual legitimate ISP has blatantly and purposefully launched a denial of service attack on one of the biggest sites on the Internet, over their views on censorship. They are basically committing an act of cyberwarefare in the closest sense that the term can be applied. Cyberwarfare, in my opinion, can't really be a part of true physical conflict. It is exactly this kind of scenario, a war of ideas. Pakistan's policy has become one of attacking the largest and easiest providers of free expression to the masses. A lot of these countries have always censored heavily, and done horrible things to keep the truth hidden. This is the first time i can think of where they do it on a global scale though. What happens if we see this behaviour continue? What are the large scale implications for the internet as a whole? There's some heavy stuff going on here. I will need more time to digest it all. In the meantime, what does everybody else think?

Stored Procedures do not necessarily prevent SQL Injection

It seems that a lot of people think that just because an application uses stored procedures, it's queries must be safe. This absolutely false. Stored Procedures do not inherently add security, as they can be put together as poorly as any dynamically built query. I saw a perfect example of this the other day. An application took inputs, passed them to a stored procedures which then built a sql query by concatenating the inputs with predefined query strings. It then called sp_executesql to execute the dynamic query. The developer obviously had heard that stored procedures were safer than dynamic queries, so they went and made an SP, but they had their SP build a dynamic query. So all they succeeded in doing was pushing the problem back into the database layer instead of the app itself.

So testers and developers, please do not assume that an sp means safe. you still have to properly parameterize your queries and validate input and output. Security and shortcuts do not go together. If you think you may have vulnerable SPs like this, try running a query such as SELECT object_Name(id) FROM syscomments WHERE UPPER(text) LIKE  '%SP_EXECUTESQL%' OR UPPER(text) LIKE  '%EXECUTE%' OR UPPER(text) LIKE  '%EXEC%'
 to try and see where these venerabilities are.

Wednesday 19 May 2010

Return postage for Mr Zalewski

All due respect to Michal Zalewski. He is, after all, a very smart man. Much smarter than me, I'd wager. That being said, I disagree with some of his recent Zero Day Threat Post blog, Postcards from the anti-virus world . go ahead and read it, if you haven't already. Go ahead, I'll wait for you.....okay done?  The most glaring problem is in the logic fail around the first bullet points. Hey says that most users are not keeping their anti-virus up to date. He then claims this is to the average AV user's advantage because malware writers don't bother to write AV evasion. First of all, this seems a bit specious to me, but let's continue on to the real problem here. In the first sub-point of the second item, he says that malware authours punt their malware so fast and so widespread there will be signature updates for it quickly, and this is good.

So excuse me, Mr Zalewski, but people don't update their AV with the latest signatures, but it's okay because they push out new signatures really fast? These two points of logic can in fact work together, as strange as it seems. The problem is that, in this scenario, the user base that is all good, has been marginalized to a fraction of the total user base. So what is really being said here is not that AV blacklisting methodology works really well, but rather that the fundamental failure of this approach for the majority constitutes a success for a minority of the users. So if you are a home user, who keeps his antivirus up to date you are better off than a home user who doesn't, or a corporation that does or does not.

Now let's talk about the second failure of this thinking. Mr Zalewski is thinking in the immediate. Even if the current trend continues on for N iterative cycles, the AV users do not win. The reason for this is simple: Blacklist methodology is not sustainable where N has grown to a large enough number in relation to the resource capacity of the machine running it. Antivirus has always been a resource hog, and has only gotten worse with time. the reason for this is the escalation factor. The 'bad guys' keep coming up with new malware, new techniques, new exploits etc. So the AV firms come out with new signatures, new heuristics, and new scan engines. With every cycle, the product becomes less manageable from a resource perspective. I have had consultants tell me that 'most major companies' do not run AV products on production servers, because it is too resource intensive.

There is also the manageability of the program itself. Remember that AV is code just like any other program, and not some magical box. It's prone to bugs big and small, like any other code. The more you mess with the code, the more the chance of introducing NEW bugs into it. As the complexity increases so do the odds of deviation from expected behaviour. i'm sure that smarter people than me have expressed this mathematically, but I don't know where such a formula resides. So as the N described above continues to increase so do the odds that we will see something like the Mcafee DAT 5958 bug. This factor alone takes a bite out of the security of an AV solution, because security will constantly be fighting operational needs for resources, and every time we have a bug like DAT 5958 or the Symantec Y2k10 bug, the rest of IT hates AV more.

Now let's get back to the bit about most malware authours not using AV evasion. now, I am not Dancho Danchev  or any other malware researcher. Remember i'm just some schmuck penetration tester. That being said, I find it hard to believe this statement is entirely true. What I would be more inclined to believe is that there are now an abundance of skiddies out there using malware 'kits' to assemble tons of variant malware and distributing it. These people, of course, have no idea how to create evasion techniques and so they don't bother. They just cherry-pick. I would hazard a guess that a lot of the people really spending time on writing their malicious code, spend the time on at least some basic AV evasion.

Whether that's true or not, evasion is somewhat unnecessary. Mr. Zalewski hints at this as well in his article.  He says that they don't bother because people don't update their anti-virus, so they don't worry about signature updates. This is just a demonstration of the utter failing of blacklist methodology. The malware authours don't need to write evasion techniques, because if a signature doesn't exist, and the heuristics won't catch it, what's the point? They can release their code into the wild now, then create a new variant when the AV companies get a sig out. They can play this game for quite a while. Tools like virustotal even give them a running scorecard of how they are doing against all the major players.  Relying on signatures leaves holes you could drive trucks through. Those trucks, by the way, happen to be hauling your private data away to China and Russia.

Now please don't get me wrong here. I am not trying to call foul on the AV companies. At least not in any particular fashion. The thing of it is, if you are an MNC that got hit by a worm that exfiltrated trade secrets, and then F-Secure releases a signature a little later, that doesn't help much. It's rather like someone breaking into your house and stealing all of your stuff. the cops catch the crook, but may not get your stuff back. you don't blame the cop, but you do wish they had caught the guy while he was trying to break in, not after the fact.

As always, discussion and opinions are always welcome here.