Wednesday, 29 September 2010

Google and Safe(r) Browsing

So Google has announced a new tool. This tool, Safe Browsing Alerts seeks to notify ISPs of malicious web content hosted on their AS. I love to see things like this, and it gives me a little hope for the future. It is the proverbial step in the right direction to my line of thinking. The fight against malware needs to become more proactive.  However, I don't know how effective letting AS owners know will be.  The information really needs to go more towards hosting companies and the like. people with the ability to pull content.

Here is my brief, idealized, dream. We take the stop badware model and expand it. A strong coalition is created to proactively identify malicious content on the internet and stamp it out where possible. This coalition would include the major AV vendors (Kaspersky, F-Secure, TrendMicro,Symantec,Mcafee, Sophos, etc) and the major search engines Google, Microsoft, and Yahoo(does anyone really use yahoo anymore?). A crawler is designed to go out across the web and look for malicious content. I am envisioning two main branches of this:


  1. As new exploits/payloads are discovered, the crawler searches for specific files or content that indicate the presence of the exploit or payload. Very google-hacking approach. This would be like looking for the windows RDP web connection by doing intitle:"Remote Desktop Web Connection" inurl:tsweb . This detection can be avoided fairly easily, but it will still quickly catch some of the low hanging fruit.
  2. The actual crawler. This crawler goes out and actually analyses the content on the pages it crawls and looks for malicious content. This would be hard to do efficiently, I suspect, but could be done with proper resources.
So, assuming this dream comes true, what happens next? Well, a couple of things would happen at this point. The discovered malicious content would be cataloged. This would then be fed back to the participant  companies. It would go to the AV vendors to examine and create new definitions if needed. It would go to the search Providers to reflect in their own search engine results. Suddenly alongside your Google or Bing results, you see a warning "Potentially Dangerous Content Detected". This serves as a warning to the public, sort of a "caveat lector". Then, the coalition should attempt to notify appropriate parties. This could include AS owners,  hosting companies, and/or whois contact persons.

None of this of course 'solves' the problem. It is still up to individuals to do the right things. It is up to the user to not go to a site flagged as dangerous, and to have appropriate protection on their machine. It is up to the webmaster to make sure that their sites are not compromised, or hosting malicious content. What this could do, however, is raise visibility and awareness. It would give malware less places to lurk. Of course the bad guys will just move faster, finding new ways of hiding their stuff. It would be a start though. anyways, that's jsut my silly little dream. Who knows, maybe it will one day become a reality.

Friday, 24 September 2010

The Invisible War: March of the /b/tards

Here goes an attempt at starting a 'series'. The name 'Invisible War' may be reaching a bit, but sometimes it feels like it is appropriate. There are things developing on the internet that have very interesting ramifications. Perhaps I should say growing, instead of developing, as it seems a rather organic process. Today I would like to talk about the Internet Hate Machine that is 4chan.

For a very long time, the Internet has been growing these places. Usenet and IRC have always been bastions of trolls, flamers, and people you just don't want to get into it with. Offensive tactics often included various attack tools to carry out wars of annoyance against targets. I can very clearly remember the good ol days of IRC, full of skiddies with ICMP "nukers" and takeover scripts etc. As with everything else on the Internet, the Hate Machine grew and changed

4chan has become the penultimate embodiment of this writhing entity., thanks to /b/ . The denizens of 4chan /b/, known as /b/tards are an interesting and complicated 'group'. I user the term 'group' very loosely. /b/ is almost anarchy incarnate, and to assign any real structure to it, would be disingenuous. The /b/tards gave rise to Anonymous and all of the internet grief that particular group has caused. If you don't know, Anonymous is the group that carried out the campaign against the Church of Scientology. They launched site defacements, distributed videos that the church tried to suppress, and even organised real life protests outside of Church of Scientology facilities.  Anonymous began to demonstrate the true power of Internet Crowd sourcing.

Recently, the /b/tards have been on the move again. The news is abuzz with their attacks againsts the MPAA,RIAA, Aiplex Software, and BPI. This is allegedly in direct response to actions taken against the torrent hosting site thepiratebay.org. While not all of the attacks were successful, they have attracted a lot of notice. One has to wonder if that isn't the true aim. What would they accomplish, long term, by bringing down these servers. Even if they brought them down for more than a few hours, they would be brought back up, and actions would be taken to mitigate the attacks. They are not silencing their opposition, so maybe the goal is the opposite. To create a lot of noise. How many people knew about what Aiplex software was getting up to before, and how many know now? The same with ACS:Law? How much longer will the whole piracy issue stay in people's attention now because of these antics?

I do not know if this result was intended, or if the /b/tards are acting out of a much more visceral drive. Given that the average /b/tard is not amongst the highest forms of life on this planet, i would not ascribe much forethought to mot of their actions. /b/ is rather like a horde of rampaging orcs, but like orcs, once they get started they can be surprisingly effective. I find myself pondering the possability of a few dark sorcerers pulling the strings of this unruly horde.  I look at the 'call to arms' for some of these attacks and people start using crappy pe-built skiddie tools a lot of times, that probably have no chance of being truly effective against a serious target. However, if there were a few well hidden masterminds behind the scenes, we see a different picture.

Suppose you are a botherder or malicious hacker with a sinister agenda. You have decided that you can no longer stand the Foo Corp's policies, and want to take them down. You read the reports though, you know even botnets get tracked back to their owners a lot of the time. You need some way to keep the focus off of you. So you go crowd sourcing in /b/ . You whip the /b/tards into a frenzy and they pull out their toys and get ready. some of them undoubtedly know what they are actually doing, and that is even for the better. Now, you give them all a time and date, and everyone launches their attack. The IR Team at Foo Corp all of a sudden sees the deluge hitting their perimeter. While the firewalls and IPs are reflecting most of the useless crap that is being flung at them, you and a few of the more clever blokes, slip right past their perimeter.  Their IPS systems are already screaming at the top of their lungs, so who's to notice? You get in, do your damage, and get out. Meanwhile, the deluge continues. By the time it is all done, the folks at Foo Corp are going to have their hands full tracking back through the logs for quite a while. This means that the chances of anything being tracked back to you is greatly diminshed.

So are the denizens of /b/ the new secret cyber warriors? Is there a core cadre within Anonymous that is using the rest of the /b/ crew as little more than pawns? Are they guided by belief that they are in the right?  There seems to be evidence that at least some of them are waging an information war. They strike at powerful targets who manipulate the system to their advantage. Groups like the Church of Scientology, MPAA, BPI etc, get away with an awful lot, by turning the system to their advantage, and they sue considerable monetary resources and influence to ensure that they always have the advantage. So are groups like Anonymous just turning the tables a bit? Is this the beginnings of digital revolution? Or is it all just a bunch of angry adolescents with nothing better to do?

I don't have the answers to those questions. What I do know, is that this is a sign of things to come. The Internet is becoming more and more concrete. Impact on the net is having more and more tangible impact in the real world. As this trend increases, what is that going to do to the balance of power in our society, with groups like anonymous running around?

For more information on the recent attacks please read:
http://www.theregister.co.uk/2010/09/24/piracy_threat_lawyers_withstand_ddos/
http://www.theregister.co.uk/2010/09/20/4chan_ddos_mpaa_riaa/
http://www.sophos.com/blogs/chetw/g/2010/09/19/4chan-takes-mpaa-riaa-aiplex-wins/
http://torrentfreak.com/4chan-ddos-takes-down-mpaa-and-anti-piracy-websites-100918/

Wednesday, 22 September 2010

The CEPT Exam Practical

I finally received the word that I have passed my Certified Expert Penetration Tester(CEPT) certification exam. This was the best, and most enjoyable certification exam I have ever taken. There is a brief, and rather easy multiple-choice written exam. Then the real work begins. You are given 60 days to complete and submit a practical. This practical has three sections:
  1. Write a working Windows stack overflow exploit for a piece of software they provide
  2. Write a working remote stack overflow or a format string exploit for a piece of code they provide
  3. Reverse engineer a win32 binary to bypass it's registration mechanism.
The first portion of this was surprisingly easy. The software they provide you is an actual piece of windows software. It is old though so it needs to be run in an appropriate environment. I don't recall if it was WinXP compat, but I did all mine in a win2k VM, which provided some interesting challenges in terms of having to go searching through libraries for some calls. Also, you have to get a little tricky because the initial space you have to work with is not large enough for any meaningful shellcode in of itself. However, this really presents little trouble if you know what you're doing. My Time to Completion: 8 hours

I am going to come back to #2 in a minute, instead let's talk about #3. This was by far the most exciting prospect. This is the kind of stuff that just makes you love your work. alas, the IACRB does not put up any real challenge with their supplied target binary. Some well placed breakpoints in softICE and the whole thing reads like a book. Chances are that when you make your first alteration to the binary and test it, you are going to feel really unsatisfied when you realize it's done and you've already won. They throw no tricks or protection schemes in to really trip you up. My Time to completion: 2 hours

So that brings us back to the Linux exploit. I don't know who wrote the c code that they provide you, but I can tell you this: He is a bastard. They tell you that you can do either the remote buffer overflow or the format string. So, not wanting all the various headaches that format string attacks can bring, I tried the stack overflow first. The vulnerable function in this case is not your standard simple buffer overflowable function. The buffers are both declared at the beginning of int main, and are then passed to the vulnerable function as pointers. This means that you can't overwrite the return pointer of the 'vulnerable function'. Instead you are overflowing towards int main's return pointer. In of itself, this is not a problem. The problem comes in the stack layout for int main. Between the vuln buffer and the saved return pointer is the declaration of a socket file descriptor. This file descriptor has a value of 7, or 0x00000007 . Do you see the problem here? The socket itself is essentially acting as a stack canary. Because what happens is the control loop won't exit until it has read specific input off the socket. so if we overflow the socket fd, it goes to eprform a recv() call on a file descriptor that does not exist, returning an error, which does NOT break the control loop. The result, we never get our terminator input read from the socket, but it will keep going back and trying to read from a socket that it doesn't know where it is anymore. We end up in an endless loop. There is surely someway to beat this scenario. I don't think the IACRB would make that a 'trick question', but I'll be damned if i could figure out how to bypass that bit of nastiness.

So, after lots and lots of wasted time looking at the stack, i moved on to trying the format string. I had some trouble here that was due to my own lack of familiarity with a certain mechanism they use. It is a common c mechanism, so I have little excuse, i just didn't know much about how it operated on the stack. Once I figured that out there were a few tricks I had to use because of the nature of the program itself. There is a lot of backwards-forward flip-flop thinking involved here, but if you can keep your data flow straight in your head you'll do fine. If not, do what i did, use a lot of sheets of scrap paper. At one point during this, i wrote down every variable and it's offset just so I could visually see where everything was on the stack at a glance. This is very important. You are going to want to become intimately aware of where everything is on the stack and how it got there, it will make your life easier. The final challenge was then taking the exploit and pulling it together into a single cohesive exploit with no manual processes. This was of course a job for Perl, and my favourite language performed admirably with just a tiny bit of help from C(I decided to quickly write a statically compiled binary to do one little piece for me. I didn't know how to dot hat part in perl, and so I just fudged it a little bit with C, sue me.) My time to completion: ~ 3 weeks!

All things considered, I found the CEPT Practical Exam to be one of the most worthwhile things I've done. It is by far the best, most relevant, and most rewarding certification I've ever gone after.

Finally, I have to thank Infosec Institute. I had some not so great things to say about the first half of their 2 week course. However, the second half of the course was very good. The instructor in the online videos seemed very competent, and was good at getting ideas across. The labs were, for the most part, well done. It did a fairly good job of preparing me for the CEPT cert, but certainly didn't give you all the answers in advance.  Also, the staff at Infosec Institute are great people and very helpful. There were a few complications that arose during the course of ordering, receiving and doing the training. Minh Nguyen and Steve Drabik over there could not have been more helpful in getting these issues sorted out. They were also very patient with the man who kept annoying them every other week ;) . i am already looking at their Expert Penetration Testing: Writing Windows Exploits and their Reverse Engineering classes for the future.  Although I am worried about repeating material, especially since Infosec Institute does come with a rather high price tag. 

My advice to anyone in the industry who is itnerested in developing these skills more, would be to take the "Advanced Ethical Hacking" course and  the CEPT cert. If nothing else, it will be fun.

Tuesday, 21 September 2010

Projects Worthy of Praise: Hackers Unite

It has been a while since i have last posted. I come to bring you news of two different projects. I am very excited about both of these. The first one is one I am actually involved in directly: A Hackerspace in Charlotte North Carolina. This idea sort of got kicked off by one of my coworkers, who started investigating it  after visiting Nullspace Labs in LA. He asked if I was interested, and soon after we began investigating potential spaces.

We had our first meetup last week, and to our surprise 25 people showed up to it. The reaction was astoundingly positive. We have a good assortment of software and hardware hackers. We have developers, pentesters, robotics people etc. Everyone there seemed genuinely committed to the idea. Our next meeting is tonight, although I am going to have to miss this one. So if you live in the greater Charlotte area and are interested in participating, please come check us out.

The other project I wanted to mention is being done by Schuyler Towne. He is attempting to start his own lockpick business, and has used kickstarter to try and raise initial funds. He had a goal of about $6,000, and has so far raised over $68,000. Depending on your donation level you will receive some absolutely fabulous prizes including custom lockpicks, practice locks, templates, and more. If you are at all interested in the sport or science of picking locks, do yourself a favour and get on board with this. It is an amazing deal, and people like this deserve community support anyways. There are only 71 hours left to get onboard as a backer!