Saturday, 9 October 2010

Epic FALE!

So I got back from Security Bsides Atlanta last night. There were some interesting talks out there, especially the one on Google and Bing hacking. Some really neat stuff there. Right now, though, I want to talk about the guys from FALE. I heard these guys were going to be at Bsides from Schuyler Towne's Kickstarter update. Here's what Schuyler had to say, for all of you non-backers:
I'm sorry you can't be there. However - you can and should go to B-Sides, Atlanta! My friends at FALE: http://lockfale.com/, will be there running workshops, giving talks, and bringing tons of goodies. It's their first time running a Lockpicking Village, but I think they've got an honest shot to make it one of the best in the country. I just shipped them 1.5 gigs of material I've produced too, so hopefully that will add to their already considerable stores.
So go to Bsides I did. Hang out at the Lockpicking Village I did. I walked in the door and John immediately said "Hey man, come on in and pick a lock". All the FALE guys introduced themselves, and I told them I was there because of Schuyler's post. That really got things going. Then I told them about the Charlotte Hackerspace and things really took off. I spent a lot of time in the Lockpicking Village, picking locks and hanging out with these guys. They had three challenges running, each one resulting in your name being entered into a drawing. The first challenge was to simply pick a lock. The second challenge, "The MacGuyver Challenge", was to make your own tool out of scraps and open a lock with it. I went what I thought would be the easiest route, and made a padlock shim. It took me six or so tries to get one the right size that wouldn't break in the lock. In the process I cut my thumbs up pretty good. In the end I did open a Brinks padlock with my shim, though. The final challenge was "The Pro Challenge". This involved opening one of their higher-difficulty locks with security drivers. It took me almost an hour and a half, but I finally got that sucker open, and I was super happy!

In the drawings, I actually got drawn twice in the giveaway: once for my MacGuyver win, which got me a nice starter set of the Sparrows Wizwazzles. I also got drawn for my Pro Challenge win and would have taken the largest Southern Specialties basket, but they had a strict one-win policy. They wouldn't let me upgrade either =/ . It was okay though, because the guy who did win was pretty excited about it, and I was really happy for him. Besides, I will have a big set of Schuyler's picks coming anyway.

The day wrapped up and I braved the god-forsaken Atlanta beltway to start home. Once I was clear of the heaviest traffic I decided to pull off at a Wendy's for dinner. Imagine my surprise when I am up at the counter and hear someone shout my name. I turn around, and there are the FALE guys. So we sat down, had dinner and hung out for a little bit. I have gotten past the straight boring facts now, so let me just say this: these guys are so awesome. I had so much fun hanging out with these guys it was nuts. They are smart guys, no doubt, but they are also super friendly, and just plain cool. One of the greatest things about them is their passion. These guys know a lot about lock picking, and over that dinner they shared a lot of tips and secrets with me. What was great, though, was not the knowledge itself, but the atmosphere around that table. These guys loved not only doing locksport and knowing locksport, but sharing locksport. These were not like some of your typical hackers, who like to hoard knowledge and dole it out in small bits to make themselves pseudo-important. These guys couldn't stop spilling knowledge all over the place. It's like they couldn't help themselves!

They asked me what I thought they could do better next time. I had really very little to offer from this standpoint, except that it would have been cool to talk more about wafer, disc, and tubular locks, and that competitions would also have been cool. They also asked me about the HackerSpace, and have expressed a lot of strong interest in coming to visit, and maybe doing a talk for us. Whether they come up here, or I go down there next, I don't know. What I do know is that FALE and I have not seen the last of each other. Thanks John, Evan, Matt, Scott, and Adam! Oh, and thank you Schuyler for inspiring me to go in the first place!

Wednesday, 29 September 2010

Google and Safe(r) Browsing

So Google has announced a new tool. This tool, Safe Browsing Alerts, seeks to notify ISPs of malicious web content hosted on their AS. I love to see things like this, and it gives me a little hope for the future. It is the proverbial step in the right direction to my line of thinking. The fight against malware needs to become more proactive. However, I don't know how effective letting AS owners know will be. The information really needs to go to hosting companies and the like: people with the ability to pull content.

Here is my brief, idealized dream. We take the StopBadware model and expand it. A strong coalition is created to proactively identify malicious content on the Internet and stamp it out where possible. This coalition would include the major AV vendors (Kaspersky, F-Secure, Trend Micro, Symantec, McAfee, Sophos, etc.) and the major search engines: Google, Microsoft, and Yahoo (does anyone really use Yahoo anymore?). A crawler is designed to go out across the web and look for malicious content. I am envisioning two main branches of this:

  1. As new exploits/payloads are discovered, the crawler searches for specific files or content that indicate the presence of the exploit or payload: a very Google-hacking approach. This would be like looking for the Windows RDP web connection by searching for intitle:"Remote Desktop Web Connection" inurl:tsweb . This detection can be avoided fairly easily, but it will still quickly catch some of the low-hanging fruit.
  2. The actual crawler. This crawler goes out and actually analyses the content on the pages it crawls and looks for malicious content. This would be hard to do efficiently, I suspect, but could be done with proper resources.
So, assuming this dream comes true, what happens next? Well, a couple of things would happen at this point. The discovered malicious content would be catalogued. This would then be fed back to the participating companies. It would go to the AV vendors to examine and create new definitions if needed. It would go to the search providers to reflect in their own search engine results. Suddenly, alongside your Google or Bing results, you see a warning: "Potentially Dangerous Content Detected". This serves as a warning to the public, sort of a "caveat lector". Then, the coalition should attempt to notify appropriate parties. This could include AS owners, hosting companies, and/or whois contact persons.

None of this, of course, 'solves' the problem. It is still up to individuals to do the right things. It is up to the user not to go to a site flagged as dangerous, and to have appropriate protection on their machine. It is up to the webmaster to make sure that their sites are not compromised, or hosting malicious content. What this could do, however, is raise visibility and awareness. It would give malware fewer places to lurk. Of course the bad guys will just move faster, finding new ways of hiding their stuff. It would be a start, though. Anyway, that's just my silly little dream. Who knows, maybe it will one day become a reality.

Friday, 24 September 2010

The Invisible War: March of the /b/tards

Here goes an attempt at starting a 'series'. The name 'Invisible War' may be reaching a bit, but sometimes it feels like it is appropriate. There are things developing on the internet that have very interesting ramifications. Perhaps I should say growing, instead of developing, as it seems a rather organic process. Today I would like to talk about the Internet Hate Machine that is 4chan.

For a very long time, the Internet has been growing these places. Usenet and IRC have always been bastions of trolls, flamers, and people you just don't want to get into it with. Offensive tactics often included various attack tools to carry out wars of annoyance against targets. I can very clearly remember the good ol' days of IRC, full of skiddies with ICMP "nukers" and takeover scripts, etc. As with everything else on the Internet, the Hate Machine grew and changed.

4chan has become the ultimate embodiment of this writhing entity, thanks to /b/. The denizens of 4chan's /b/, known as /b/tards, are an interesting and complicated 'group'. I use the term 'group' very loosely. /b/ is almost anarchy incarnate, and to assign any real structure to it would be disingenuous. The /b/tards gave rise to Anonymous and all of the Internet grief that particular group has caused. If you don't know, Anonymous is the group that carried out the campaign against the Church of Scientology. They launched site defacements, distributed videos that the church tried to suppress, and even organised real-life protests outside of Church of Scientology facilities. Anonymous began to demonstrate the true power of Internet crowdsourcing.

Recently, the /b/tards have been on the move again. The news is abuzz with their attacks against the MPAA, RIAA, Aiplex Software, and BPI. This is allegedly in direct response to actions taken against the torrent hosting site thepiratebay.org. While not all of the attacks were successful, they have attracted a lot of notice. One has to wonder if that isn't the true aim. What would they accomplish, long term, by bringing down these servers? Even if they brought them down for more than a few hours, they would be brought back up, and actions would be taken to mitigate the attacks. They are not silencing their opposition, so maybe the goal is the opposite: to create a lot of noise. How many people knew about what Aiplex Software was getting up to before, and how many know now? The same with ACS:Law. How much longer will the whole piracy issue stay in people's attention now because of these antics?

I do not know if this result was intended, or if the /b/tards are acting out of a much more visceral drive. Given that the average /b/tard is not amongst the highest forms of life on this planet, I would not ascribe much forethought to most of their actions. /b/ is rather like a horde of rampaging orcs, but like orcs, once they get started they can be surprisingly effective. I find myself pondering the possibility of a few dark sorcerers pulling the strings of this unruly horde. I look at the 'call to arms' for some of these attacks, and a lot of the time people start using crappy pre-built skiddie tools that probably have no chance of being truly effective against a serious target. However, if there were a few well-hidden masterminds behind the scenes, we would see a different picture.

Suppose you are a bot herder or malicious hacker with a sinister agenda. You have decided that you can no longer stand Foo Corp's policies, and want to take them down. You read the reports, though; you know even botnets get tracked back to their owners a lot of the time. You need some way to keep the focus off of you. So you go crowdsourcing in /b/. You whip the /b/tards into a frenzy and they pull out their toys and get ready. Some of them undoubtedly know what they are actually doing, and that is even better. Now, you give them all a time and date, and everyone launches their attack. The IR team at Foo Corp all of a sudden sees the deluge hitting their perimeter. While the firewalls and IPS are deflecting most of the useless crap that is being flung at them, you and a few of the more clever blokes slip right past their perimeter. Their IPS systems are already screaming at the top of their lungs, so who's to notice? You get in, do your damage, and get out. Meanwhile, the deluge continues. By the time it is all done, the folks at Foo Corp are going to have their hands full tracking back through the logs for quite a while. This means that the chances of anything being tracked back to you are greatly diminished.

So are the denizens of /b/ the new secret cyber warriors? Is there a core cadre within Anonymous that is using the rest of the /b/ crew as little more than pawns? Are they guided by a belief that they are in the right? There seems to be evidence that at least some of them are waging an information war. They strike at powerful targets who manipulate the system to their advantage. Groups like the Church of Scientology, the MPAA, BPI, etc. get away with an awful lot by turning the system to their advantage, and they use considerable monetary resources and influence to ensure that they always have the advantage. So are groups like Anonymous just turning the tables a bit? Is this the beginning of a digital revolution? Or is it all just a bunch of angry adolescents with nothing better to do?

I don't have the answers to those questions. What I do know, is that this is a sign of things to come. The Internet is becoming more and more concrete. Impact on the net is having more and more tangible impact in the real world. As this trend increases, what is that going to do to the balance of power in our society, with groups like anonymous running around?

For more information on the recent attacks please read:
http://www.theregister.co.uk/2010/09/24/piracy_threat_lawyers_withstand_ddos/
http://www.theregister.co.uk/2010/09/20/4chan_ddos_mpaa_riaa/
http://www.sophos.com/blogs/chetw/g/2010/09/19/4chan-takes-mpaa-riaa-aiplex-wins/
http://torrentfreak.com/4chan-ddos-takes-down-mpaa-and-anti-piracy-websites-100918/

Wednesday, 22 September 2010

The CEPT Exam Practical

I finally received word that I have passed my Certified Expert Penetration Tester (CEPT) certification exam. This was the best, and most enjoyable, certification exam I have ever taken. There is a brief, and rather easy, multiple-choice written exam. Then the real work begins. You are given 60 days to complete and submit a practical. This practical has three sections:
  1. Write a working Windows stack overflow exploit for a piece of software they provide
  2. Write a working remote stack overflow or a format string exploit for a piece of code they provide
  3. Reverse engineer a Win32 binary to bypass its registration mechanism.
The first portion of this was surprisingly easy. The software they provide you is an actual piece of Windows software. It is old, though, so it needs to be run in an appropriate environment. I don't recall if it was WinXP-compatible, but I did all mine in a Win2k VM, which provided some interesting challenges in terms of having to go searching through libraries for some calls. Also, you have to get a little tricky, because the initial space you have to work with is not large enough for any meaningful shellcode in and of itself. However, this really presents little trouble if you know what you're doing. My time to completion: 8 hours

I am going to come back to #2 in a minute; instead, let's talk about #3. This was by far the most exciting prospect. This is the kind of stuff that just makes you love your work. Alas, the IACRB does not put up any real challenge with their supplied target binary. Some well-placed breakpoints in SoftICE and the whole thing reads like a book. Chances are that when you make your first alteration to the binary and test it, you are going to feel really unsatisfied when you realize it's done and you've already won. They throw no tricks or protection schemes in to really trip you up. My time to completion: 2 hours

So that brings us back to the Linux exploit. I don't know who wrote the C code that they provide you, but I can tell you this: he is a bastard. They tell you that you can do either the remote buffer overflow or the format string. So, not wanting all the various headaches that format string attacks can bring, I tried the stack overflow first. The vulnerable function in this case is not your standard, simple buffer-overflowable function. The buffers are both declared at the beginning of int main, and are then passed to the vulnerable function as pointers. This means that you can't overwrite the return pointer of the 'vulnerable function'. Instead you are overflowing towards int main's return pointer. In and of itself, this is not a problem. The problem comes in the stack layout for int main. Between the vulnerable buffer and the saved return pointer is the declaration of a socket file descriptor. This file descriptor has a value of 7, or 0x00000007. Do you see the problem here? The socket itself is essentially acting as a stack canary. Because what happens is the control loop won't exit until it has read specific input off the socket. So if we overflow the socket fd, it goes to perform a recv() call on a file descriptor that does not exist, returning an error (-1 with errno set to EBADF), which does NOT break the control loop. The result: we never get our terminator input read from the socket, but it will keep going back and trying to read from a socket that it doesn't know where it is anymore. We end up in an endless loop. There is surely some way to beat this scenario. I don't think the IACRB would make that a 'trick question', but I'll be damned if I could figure out how to bypass that bit of nastiness.
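The "socket descriptor as stack canary" effect described above, as an added example that is not part of the original post and not the IACRB's target code. The frame struct, the 64-byte buffer, the 'A' fill, the '\n' terminator and the socketpair used for the normal path are all assumptions made for illustration; a real frame layout is up to the compiler, which is why the clobber is modelled with a struct rather than an actual stack smash. The point it demonstrates is the one the post makes: once the fd is overwritten, recv() fails with EBADF, and a loop that only stops on EOF or a terminator never stops.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for main()'s frame in the target: the overflowable
 * buffer sits directly below the socket descriptor, which in turn sits below
 * the saved return address. A struct makes the overwrite deterministic
 * instead of depending on the compiler's real stack layout. */
struct frame {
    char buf[64];   /* attacker-controlled input lands here */
    int  sockfd;    /* clobbered before the return address is reached */
};

/* Fill the frame with `len` bytes of 'A' (constructed payload) and return the
 * socket descriptor that survives: 64 bytes leave it at 7, 68 bytes turn it
 * into 0x41414141. */
int sockfd_after_overflow(size_t len) {
    struct frame f;
    unsigned char payload[sizeof f];

    memset(&f, 0, sizeof f);
    f.sockfd = 7;                         /* the value the post reports */
    memset(payload, 'A', sizeof payload);
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, payload, len);             /* runs past buf into sockfd */
    return f.sockfd;
}

/* errno left behind by a single recv() on the given descriptor (0 on success). */
int recv_errno(int fd) {
    char chunk[32];
    errno = 0;
    if (recv(fd, chunk, sizeof chunk, 0) < 0)
        return errno;
    return 0;
}

/* The control loop as the post describes it: keep calling recv() until a
 * terminator line arrives ('\n' assumed). With stop_on_error == 0 a negative
 * return, which is what a clobbered descriptor produces (EBADF), just goes
 * round again, so the loop never ends; max_iters caps it for demonstration,
 * and hitting the cap means the real program would spin forever. With
 * stop_on_error == 1 the missing check is present and an error ends the loop. */
int recv_until_newline(int fd, int max_iters, int stop_on_error) {
    char chunk[32];
    int iters = 0;

    while (iters < max_iters) {
        ssize_t n = recv(fd, chunk, sizeof chunk, 0);
        iters++;
        if (n < 0) {
            if (stop_on_error)
                break;                    /* the fix: an error ends the loop */
            continue;                     /* the bug: error treated as "try again" */
        }
        if (n == 0 || memchr(chunk, '\n', (size_t)n))
            break;                        /* peer closed, or terminator seen */
    }
    return iters;
}

/* Normal path for comparison: send a terminator over a real socketpair and
 * count how many recv() calls the buggy loop needs (one). */
int iters_on_live_socket(void) {
    int sv[2];
    static const char msg[] = "QUIT\n";   /* constructed terminator input */
    int iters;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (write(sv[0], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    iters = recv_until_newline(sv[1], 100, 0);
    close(sv[0]);
    close(sv[1]);
    return iters;
}

int main(void) {
    int fd = sockfd_after_overflow(68);
    printf("sockfd after 68-byte overflow: 0x%08x\n", (unsigned)fd);
    printf("recv() on it fails with EBADF: %s\n",
           recv_errno(fd) == EBADF ? "yes" : "no");
    printf("buggy loop iterations (capped at 1000): %d\n",
           recv_until_newline(fd, 1000, 0));
    printf("loop with error check: %d\n", recv_until_newline(fd, 1000, 1));
    printf("buggy loop on a live socket: %d\n", iters_on_live_socket());
    return 0;
}
```

Build with `cc -Wall demo.c -o demo` on Linux and run it. The capped count coming back as exactly the cap is the endless loop the post ran into; the one-iteration result on the live socketpair is what the same loop does when the descriptor is intact. Note that nothing here gets past the problem: a write that reaches the return address must pass through sockfd first, so any payload that controls EIP also breaks the read loop that would have to return for the overwritten address to be used.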

So, after lots and lots of wasted time looking at the stack, I moved on to trying the format string. I had some trouble here that was due to my own lack of familiarity with a certain mechanism they use. It is a common C mechanism, so I have little excuse; I just didn't know much about how it operated on the stack. Once I figured that out, there were a few tricks I had to use because of the nature of the program itself. There is a lot of backwards-forwards flip-flop thinking involved here, but if you can keep your data flow straight in your head you'll do fine. If not, do what I did: use a lot of sheets of scrap paper. At one point during this, I wrote down every variable and its offset just so I could visually see where everything was on the stack at a glance. This is very important. You are going to want to become intimately aware of where everything is on the stack and how it got there; it will make your life easier. The final challenge was then taking the exploit and pulling it together into a single cohesive exploit with no manual processes. This was of course a job for Perl, and my favourite language performed admirably with just a tiny bit of help from C (I decided to quickly write a statically compiled binary to do one little piece for me. I didn't know how to do that part in Perl, and so I just fudged it a little bit with C, sue me.) My time to completion: ~3 weeks!

All things considered, I found the CEPT Practical Exam to be one of the most worthwhile things I've done. It is by far the best, most relevant, and most rewarding certification I've ever gone after.

Finally, I have to thank Infosec Institute. I had some not-so-great things to say about the first half of their 2-week course. However, the second half of the course was very good. The instructor in the online videos seemed very competent, and was good at getting ideas across. The labs were, for the most part, well done. It did a fairly good job of preparing me for the CEPT cert, but certainly didn't give you all the answers in advance. Also, the staff at Infosec Institute are great people and very helpful. There were a few complications that arose during the course of ordering, receiving and doing the training. Minh Nguyen and Steve Drabik over there could not have been more helpful in getting these issues sorted out. They were also very patient with the man who kept annoying them every other week ;) . I am already looking at their Expert Penetration Testing: Writing Windows Exploits and Reverse Engineering classes for the future, although I am worried about repeating material, especially since Infosec Institute does come with a rather high price tag.

My advice to anyone in the industry who is interested in developing these skills more would be to take the "Advanced Ethical Hacking" course and the CEPT cert. If nothing else, it will be fun.

Tuesday, 21 September 2010

Projects Worthy of Praise: Hackers Unite

It has been a while since I last posted. I come to bring you news of two different projects. I am very excited about both of these. The first one is one I am actually involved in directly: a Hackerspace in Charlotte, North Carolina. This idea sort of got kicked off by one of my coworkers, who started investigating it after visiting Nullspace Labs in LA. He asked if I was interested, and soon after we began investigating potential spaces.

We had our first meetup last week, and to our surprise 25 people showed up to it. The reaction was astoundingly positive. We have a good assortment of software and hardware hackers. We have developers, pentesters, robotics people etc. Everyone there seemed genuinely committed to the idea. Our next meeting is tonight, although I am going to have to miss this one. So if you live in the greater Charlotte area and are interested in participating, please come check us out.

The other project I wanted to mention is being done by Schuyler Towne. He is attempting to start his own lockpick business, and has used Kickstarter to try and raise initial funds. He had a goal of about $6,000, and has so far raised over $68,000. Depending on your donation level you will receive some absolutely fabulous prizes, including custom lockpicks, practice locks, templates, and more. If you are at all interested in the sport or science of picking locks, do yourself a favour and get on board with this. It is an amazing deal, and people like this deserve community support anyway. There are only 71 hours left to get on board as a backer!

Monday, 26 July 2010

Infosec Institute Advanced Ethical Hacking

A while ago I made a post about Infosec Institute's 10 Day Penetration Testing Course . I had some not so great things to say about the first half of the course. I think, in retrospect, the first week would be good for someone just starting out in the field to get their feet wet. There are some things I definitely think I would change, to bring it more in line with that concept, but it's hard for me to judge since I was already outside of that target audience. I have finally had the time to delve into the second week of the training course. This portion of the course focuses on the real meat and potatoes of penetration testing and exploiting. There is still some tool-centric material at the beginning, but the course jumps pretty quickly into the good stuff. It starts covering program memory structure, and how buffer overflows really work. Pretty soon you find yourself writing basic shellcode, and doing memory analysis to perform true exploits.

There are ties back to tools, but mostly in how they can make your life easier. Everything this part of the course covers is done manually before they show you how to use a tool. In my opinion, this is exactly what they should be doing. I do not have an assembly background, so some of this is valuable information I have been missing so far. From buffer overflows it moves on to format strings and heap overflows. There are sections on fuzzing, fault injection and more that I have not gotten to yet. I hope to be finishing up the course in the next few days.

There are some benefits to the online version of this course, such as being able to set your own pace. That being said, I think this particular course would be worth paying the extra money for the classroom experience. These are much more complicated topics than the first week, and if you don't already have experience in assembly and memory structure you may find yourself wanting to ask questions that you will have to answer all on your own. There is nothing wrong with this, of course, but I personally prefer active discussion to simply reading things online.

All in all, my impression of the second half of this training is very different from the first. Anyone who has experience with penetration testing, but wants to delve into the real heart of the subject should take a course like this.

Sunday, 25 July 2010

Moving on and Moving Up

The inevitable has happened. I am leaving my current job, and moving on to a new company. I am very excited about this new opportunity. The company I am going to work for seems like a great place to work. However, this will be the first time my family has moved to a location where we don't know anybody. We will have no friends and no family there. This is the part of this field that isn't so great. Jobs tend to crop up in very specific places, and you have to be ready to pick up and move in order not to lose a great opportunity. It was a hard decision to sacrifice all the personal reasons to stay in favour of all the professional reasons to move. We have family and friends here that we love very much. We like this area after being here only two years. My children will no longer be able to see their grandparents so often. However, I will be moving to a larger, more mature company, in a great area. The team I will be working with is full of very bright people who take this work very seriously. Even more importantly, the members of my new team know lots of things I don't. I will be working to learn a lot from them, and that is something I am eager to start doing.

Robert Khoo over at Penny Arcade said something in one of their TV episodes that has stuck with me since. He told a potential employee "To be successful at something, to be like the best of breed at something, means you make sacrifices. I would say nine times out of ten, that means your social life, and that is how you get amazing at something." I think that this is extremely true. Nobody ever got to be the best at something by putting in the same amount of effort as everyone else. You get to be the best by putting in more effort than everyone else, and working as hard as you possibly can. I don't know if I can ever be the best at what I do, but I won't stop trying until I am. I have a long way to go before I can be the next RSnake, lcamtuf, or Tavis Ormandy. The best part of being in this field is that those very people I wish to be better than will help me along the way. It may not be in a big way, but each of those three people has helped me grow already. Each of them has even taken the time to reply to emails and blog posts. These are people who will honestly share ideas and knowledge. That, more than anything else, is what makes this field great. So look out guys, one day soon you may be reading a white paper with my name on it. In the meantime I just want to say thank you to all of you, as well as Mark Russinovich over at Microsoft, for taking time out of busy lives to answer a few stupid questions from somebody you've never heard of...yet.