

Security Thread

Started by Triple Zero, August 02, 2009, 01:13:29 PM


Triple Zero

Because Rat, Cain, me and some others post security/hacking/social engineering/etc. related articles up for discussion every now and then, I thought maybe I'd create a special thread for them.
Anyone who wants to share a security-related article/topic, feel free to post at least title, link and a short summary/blurb/first paragraph. Also feel free to jack the thread as far as you like; it'll get back on topic when a new article gets posted.
Remember, security is not just about technology or hacking or encryption, but also physical security such as lockpicking or social engineering.

Quote from: Cain on August 02, 2009, 02:08:08 PM
What are some good sites for security news?

Some Top (IMO) security blogs

http://www.schneier.com/blog/
http://www.wired.com/threatlevel/
http://www.lightbluetouchpaper.org/ (Security Research, Computer Laboratory, University of Cambridge--interesting projects)
http://asert.arbornetworks.com/


Tangentially security related (privacy, electronic freedom, etc)
http://www.freedom-to-tinker.com/
http://www.eff.org/deeplinks/archive
https://www.bof.nl/ (the Dutch EFF. If you can read Dutch, a must-read, even if you don't live there. Also a damn slick custom WordPress skin)

Misc
http://neworder.box.sk/
http://ha.ckers.org/ (used to be one of cutting edge in webappsec, but is rarely updated these days)
http://sla.ckers.org/forum/list.php?13 (the "News and Links" subforum of ha.ckers.org, dunno how good it is, but the community is reasonably active)

(original first post)

I'll start with

Stoned Bootkit pwns TrueCrypt Full-Volume
http://www.stoned-vienna.com/

Stoned Bootkit is a new Windows bootkit which attacks all Windows versions from XP up to 7. It is loaded before Windows starts and is memory resident up to the Windows kernel. Thus Stoned gains access to the entire system. It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. The project is partly published as open source under the European Union Public License. Like in 1987, "Your PC is now Stoned! ..again".

TrueCrypt Attack

Stoned is able to bypass the full volume encryption of TrueCrypt. It allows installing a trojan on a computer whose hard disk is fully encrypted. Let's take a look at the technical part. For TrueCrypt encryption there are two scenarios:
Only the system partition is encrypted; the master boot record, unpartitioned space and the host protected area stay unencrypted
Full volume encryption, only the master boot record stays unencrypted

The trick is that the master boot record is never encrypted - and thus can be safely overwritten and used for our own boot 'software'. For the first case additional data such as plugins, the original master boot record backup or further code can be stored in unpartitioned space. For the second case the whole Windows attacking code must fit into the master boot record, into the 63 sectors minus the decryption software. TrueCrypt leaves 7 sectors free, where Stoned Bootkit still fits, so even full volume encryption is no problem.

My personal notebook has the system partition encrypted with TrueCrypt. I showed at Black Hat USA 2009 live that Stoned Bootkit was able to bypass that and could pwn my own system.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.
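The point the Stoned write-up turns on is that the MBR and the gap before the first partition are never encrypted, so that is the region to watch for tampering. As an added example (not code from the Stoned project, from TrueCrypt, or from anyone in this thread), here is a Python check that parses the partition table, hashes the cleartext region sector by sector, and reports which sectors changed against a recorded baseline. The disk image is constructed in memory; the partition type, CHS values and boot-code bytes are placeholder assumptions, and the 63-sector gap follows the numbers in the post.

```python
"""Integrity check for the region that full-volume encryption leaves in the clear:
the MBR (sector 0) and the unpartitioned gap before the first partition.  Added
example, not code from the Stoned project or from TrueCrypt.  The image below is
constructed; partition type, CHS bytes and boot code are placeholders."""
from __future__ import annotations

import hashlib
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_test_image(gap_sectors: int = 63, part_sectors: int = 16) -> bytearray:
    """Construct a minimal image: MBR with one partition starting at LBA gap_sectors,
    followed by a partition body that stands in for ciphertext.  Test data only."""
    img = bytearray(SECTOR * (gap_sectors + part_sectors))
    img[0:4] = b"\x33\xc0\x8e\xd0"                  # placeholder boot code
    img[446:462] = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                               b"\xfe\xff\xff", gap_sectors, part_sectors)
    img[510:512] = b"\x55\xaa"                      # MBR boot signature
    for i in range(gap_sectors * SECTOR, len(img)):
        img[i] = (i * 73 + 11) & 0xFF               # deterministic 'ciphertext' filler
    return img


def parse_mbr(img: bytes) -> dict:
    """Return the non-empty partition entries of a classic MBR; reject a missing 0x55AA."""
    if len(img) < SECTOR or bytes(img[510:512]) != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for n in range(4):
        off = 446 + 16 * n
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, bytes(img[off:off + 16]))
        if ptype != 0 and count != 0:
            parts.append({"index": n, "bootable": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return {"partitions": parts}


def cleartext_region(img: bytes) -> bytes:
    """Everything before the first partition: the MBR plus the unpartitioned gap.
    Encryption never covers this, which is exactly why a bootkit can live here."""
    parts = parse_mbr(img)["partitions"]
    if not parts:
        raise ValueError("no partitions; cannot locate the pre-partition gap")
    first_lba = min(p["lba"] for p in parts)
    return bytes(img[:first_lba * SECTOR])


def baseline(img: bytes) -> list[str]:
    """Per-sector SHA-256 of the cleartext region.  Record this on a known-clean
    system and keep it somewhere the disk itself cannot modify."""
    region = cleartext_region(img)
    return [hashlib.sha256(region[i:i + SECTOR]).hexdigest()
            for i in range(0, len(region), SECTOR)]


def diff_against_baseline(img: bytes, expected: list[str]) -> list[int]:
    """Sector numbers whose hash no longer matches the baseline, or [-1] if the
    region size itself changed (e.g. the partition table was rewritten)."""
    current = baseline(img)
    if len(current) != len(expected):
        return [-1]
    return [n for n, (a, b) in enumerate(zip(current, expected)) if a != b]


if __name__ == "__main__":
    clean = build_test_image()
    known_good = baseline(clean)
    tampered = bytearray(clean)
    tampered[0:2] = b"\xeb\xfe"                         # patched boot code (jmp $)
    tampered[7 * SECTOR:7 * SECTOR + 8] = b"STONED!!"   # payload dropped into the gap
    print("changed sectors:", diff_against_baseline(tampered, known_good))
```

Record the baseline from a known-clean install and keep it off the disk, since anything stored in that region can be rewritten by the same code you are trying to detect. A single hash of the whole region would also catch the change; per-sector hashes additionally tell you whether it was the boot code in sector 0 or one of the free sectors mentioned in the post that moved, which is the first question in an incident.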

Cain

What are some good sites for security news?  I only ever read Schneier, Wired's Threat Level and ha.ckers.org/

Cain

And on that note....THIS is why I've had to ban so many goddamn spambots of late:

McAfee warns Spam, Trojans and Spybots are rocketing

http://www.wired.com/threatlevel/2009/07/mcafee-spam-trojans-and-botnets-skyrocketing/

Zombie penetration set a record for the second straight quarter this year. Spam jumped 80 percent from the previous period, which made it a record 92 percent of all e-mail, according to the McAfee Threats Report released Wednesday.

"If the economy could rebound as spam has done in (the) second quarter, we would all be much happier with our retirement accounts. Spam has surged since the prior quarter, increasing nearly 80 percent. Last year's spam fell drastically from previous quarters, in large part due to the shutdown of the McColo ISP," the report said.

The report also warned of emerging threats of auto-run malware to increased botnets. Password-pilfering trojans are proliferating and expected to double this year from the prior year.

Researchers also warned of increasing malicious attacks on social-networking sites like Twitter, where URLs often are condensed. "The caution that users usually apply when they view search results and news links disappears behind the obfuscating address," the report notes.

------------------------

The article itself has some nice graphs and a link to the full report

Triple Zero

But I think the spam that is on the rise due to botnets and such is email spam, not forum spambots.

You really need botnets for mass spam emailing, because no proper email server relays that shit anymore.

But for forum spamming you just need fresh proxies. These fresh proxies probably also come from botnets, but they are not the limiting factor. I'd guess in this case it is the amount of CAPTCHAs you can crack, or admins you can fool into letting spambots in.

This is a bit of speculation on my side, so anyone correct me if they think I'm wrong. But the technology behind email spam is quite different from forum spam, even though the shit that is advertised is largely the same.

As for security sites/news, Schneier and ha.ckers would be the first ones I'd recommend as well. I don't happen to read Wired's Threat Level, unless I come across a link to it somewhere.
I get interesting security-related links via Twitter from various sources. One new thing I found through there, when looking up some stuff about the Iran DPI stuff, is the Arbor security blog: http://asert.arbornetworks.com/ It had some good info not found elsewhere on traffic analysis before and during the Iran elections. It might be of particular interest to you, Cain, since the topics are less about the latest exploit in browser plugin X and a bit more about the IR side of things. If you like podcasts, also check that section; there are some interesting titles there (but I haven't listened myself).

Cain

OK then.  I'll take your speculation as likely, for now, since I know even less.  However, my general thinking is that if email spam is on the rise, then it suggests the people behind it are able to do more, and so may also have more resources to also devote to forum spam.

Anyway, thanks for the link.

Requia ☣

Stoned isn't a terribly interesting attack.  It's just a logger on the system.  You still have to enter your password at least once after it's installed for it to be useful.

Truecrypt still works perfectly for its purpose, which is keeping your data inaccessible without your password.  And a hardware keylogger was always able to do this if you gave someone physical access to your machine and then got it back.  (actually the keylogger is the bigger risk, since if you send a notebook in for hardware repairs its normal to keep the hard drive to avoid damage in shipping/idiots at the repair sweatshop wiping your data).
Inflatable dolls are not recognized flotation devices.

Triple Zero

Agreed with all that, except for "Stoned isn't a terribly interesting attack", because the way it does it is interesting IMO.

Triple Zero

this is what the Deep Packet Inspection threat can do

http://asert.arbornetworks.com/2009/08/return-to-the-iranian-firewall/

Return to the Iranian Firewall
by Craig Labovitz

It has been 40 days since the start of protests in Iran.

And a lot has changed since my last blog post on the Iranian national firewall. Hundreds of Iranians are imprisoned or dead. And where the Iranian government firewall may have failed, oppression and fear have succeeded (at least for now). The infectious global anticipation of an Iranian velvet revolution is gone. Mass trials of reformists begin this week.

And the great Iranian firewall? Still in place and perhaps now operating with renewed efficiency.

http://asert.arbornetworks.com/2009/08/return-to-the-iranian-firewall/

Triple Zero

maybe this should be in aneristic delusions ...

http://www.nytimes.com/2009/08/02/us/politics/02cyber.html?pagewanted=print

Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk
By JOHN MARKOFF and THOM SHANKER

It would have been the most far-reaching case of computer sabotage in history. In 2003, the Pentagon and American intelligence agencies made plans for a cyberattack to freeze billions of dollars in the bank accounts of Saddam Hussein and cripple his government’s financial system before the United States invaded Iraq. He would have no money for war supplies. No money to pay troops.

“We knew we could pull it off — we had the tools,” said one senior official who worked at the Pentagon when the highly classified plan was developed.

But the attack never got the green light. Bush administration officials worried that the effects would not be limited to Iraq but would instead create worldwide financial havoc, spreading across the Middle East to Europe and perhaps to the United States.

http://www.nytimes.com/2009/08/02/us/politics/02cyber.html?pagewanted=print

Requia ☣

Quote from: Triple Zero on August 04, 2009, 11:10:54 PM
this is what the Deep Packet Inspection threat can do

http://asert.arbornetworks.com/2009/08/return-to-the-iranian-firewall/


Iran doesn't have DPI capability from what I've seen, which is why they blocked all access to text messaging and sites instead of just targeting dissident messages.

Triple Zero

Great Firewall, DPI, the distinction is not really important for the point of this article.

Triple Zero

Some Researchers Lack Basic Ethics
By Roel Schouwenberg

Some students at a Michigan university set up a server where people can upload (detected) viruses, and then the server would try many different "packers" on the code of these viruses.
A "packer" is a tool that modifies the code of a program, making it smaller using a ZIP-like algorithm and an integrated unpacker.
Packers are mainly used to reduce executable-size, as employed by mainstream software such as Opera and uTorrent, among others.
Apart from being useful to make executables smaller, it also changes the code, hiding the "signature" that an anti-virus program looks for in order to detect the virus.

What this service did was apply different packers in different combinations (since the input and the output of such a packer are both executables, you can "chain" them and feed one to the other), and check how many virus scanners were still able to detect the virus.

It turns out that in most cases, a single pass by an open-source packer called UPX was enough to foil antivirus software. UPX is a packer we used to use back in my demoscene days, before 2000, in order to fit more cool shit into the "see how much cool graphics and sound you can fit into 64 kilobytes" competitions. That's 10 years ago.

Mr Roel Schouwenberg, an employee of Kaspersky, a signature-based antivirus software company, thinks that the research done by these students was highly unethical.

Personally, I think antivirus software companies are a bunch of snake-oil salesmen, that sell false security which can be foiled by 10 year old software tools. And no I don't know what the safe answer is here, except that I'll be switching back to Linux soon :-P

http://threatpost.com/blogs/some-researchers-lack-basic-ethics#comment-14427588

Requia ☣

Kaspersky is hardly just signature based.  In fact I don't know any major vendor without at least some level of heuristic detection.  Even AVG finally got it.

Triple Zero

Requia, I notice that every time I post a security-related article, you feel you need to downplay it in some way, usually missing the point entirely. Why is this?

Also in this case, again, missing the point. The fact remains that a single pass with publicly available packers can and does foil most antivirus software (including Kaspersky, who are now screaming about ethics).

Adding to that, what are "heuristics" by the way? I know a lot of antivirus software claims "heuristics", but what does it do exactly? And does using "heuristics" mean they do not use signature-based detection?

Some antivirus software claim they use "heuristics" so they can detect unknown viruses before their signatures are downloaded from the signature database update. If that's what heuristics means, it's completely unrelated to this research, since the research is about hiding known viruses. In which it seems to succeed, heuristics or no.

In my mind, I always thought of heuristics as the antivirus software scanning in some sense the "intention" of the code, that a heuristic virus scanner would somehow look for "code that exploits the host and copies and/or infects other computers or files and/or listens to a C&C server for botnet commands" (or something like that), regardless of the exact code instructions used to implement this behaviour. The problem however, is that this is, like the Halting Problem, an undecidable problem, which in practice means that it is computationally intractable to make even a reasonable attempt, and conversely, given a reasonable attempt, it is trivial to foil it (as the research shows).

...

Okay right, I just looked up heuristic-based virus scanning on Wikipedia:

http://en.wikipedia.org/wiki/Antivirus_software#Heuristics

Read it. The paragraphs are about what I described above; as you can see it is riddled with [citation needed] tags, which I can only assume is because these techniques are only theoretical and not implemented, what anti-virus programs would *like* to be able to do, except none of them actually do it (because it is pretty fucking hard to do and trivially easy to foil).

After that comes a bit about generic signatures, which is about detecting slight variants of known viruses (calling this "mutation" is going a little bit too far with the biological analogy IMO).

so, finally we read that what anti virus software calls "heuristics" is nothing more than signatures with wildcards.

Sorry, but WTF. I always assumed the signatures already contained wildcards and that the detection they call "heuristics" would at least be slightly smarter than that (even if I don't know how).

but yeah, no wonder that a simple packer foils even heuristic-based anti virus software, it completely changes all the bytes of the code, so no wildcard is going to catch that.

also, UPX (or perhaps it was another widely used packer) allows you to set a special "key" with the packing algorithm, since it's shuffling bits around during the unpacking stage anyway, it's easy to XOR the stream with a key as well, thereby obfuscating the bytes of the code in an arbitrary fashion.
unless the antivirus software specifically detects UPX packed code, and then unpacks it (it cannot just block UPX packed code, because lots of legit software uses it), and then checks for the signature, this is impossible to catch. of course, the antivirus software needs to do this for every code packer that is publically available.

it's pretty much a losing battle if you fight it that way.

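The packer post and the follow-up about "signatures with wildcards" and XOR keys describe one mechanism from two sides, so here is a single added Python example covering both (it is not code from the Threatpost article, from Kaspersky, from UPX, or from anyone in this thread). It has a byte-signature scanner with an exact rule and a wildcard "generic" rule, two constructed toy packers that chain (compress-only, and compress-then-XOR with a one-byte key), and a second scanner that recognises the packers' stubs and unpacks before matching. The sample file, the stub markers, the signatures and the key are all made up here.

```python
"""Why a packer defeats byte-signature scanning, and why a scanner has to unpack
before it matches.  Added example, not code from the forum thread, from any
antivirus vendor or from any real packer; the sample, stubs, signatures and XOR
key below are all constructed stand-ins."""
from __future__ import annotations

import re
import zlib

# Constructed sample standing in for a detected file.  Harmless text plus a
# short byte pattern that the signatures below key on.  Padded so it compresses.
SAMPLE = (b"CONSTRUCTED-SAMPLE\x00" + b"\x90" * 32
          + b"\xe8\x12\x34\x56\x78\xc3 payload body" + b"\x00" * 64)

# Constructed signature database: hex byte patterns, "??" = one-byte wildcard.
# The wildcard form is what a 'generic' signature adds over an exact one.
SIGNATURES = {
    "Sample.Exact":   "e8 12 34 56 78 c3",
    "Sample.Generic": "e8 ?? ?? ?? ?? c3 20 70 61 79",   # any call target, ret, " pay"
}


def sig_to_regex(pattern: str) -> re.Pattern:
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: sig_to_regex(p) for name, p in SIGNATURES.items()}


def scan(data: bytes) -> list[str]:
    """Signature-only scan: names of every signature found in the raw bytes."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


# Toy packers.  Each prepends a recognisable stub marker, standing in for the
# decompression stub a real packer prepends.  Output is bytes, so they chain.
STUB_ZIP = b"TOYPK0\x00"
STUB_XOR = b"TOYPK1\x00"


def pack_zip(data: bytes) -> bytes:
    return STUB_ZIP + zlib.compress(data, 9)


def pack_xor(data: bytes, key: int) -> bytes:
    """Compress, then XOR the stream with a one-byte key stored after the stub
    (assumed toy analogue of a keyed packer; a real one would hide the key)."""
    body = zlib.compress(data, 9)
    return STUB_XOR + bytes([key]) + bytes(b ^ key for b in body)


def unpack_once(data: bytes) -> bytes | None:
    """Undo one known packer layer, or None if no known stub is present."""
    if data.startswith(STUB_ZIP):
        return zlib.decompress(data[len(STUB_ZIP):])
    if data.startswith(STUB_XOR):
        key = data[len(STUB_XOR)]
        body = bytes(b ^ key for b in data[len(STUB_XOR) + 1:])
        return zlib.decompress(body)
    return None


def scan_unpacking(data: bytes, max_layers: int = 8) -> tuple[list[str], int]:
    """Scan; if nothing matches, peel one known packer layer and rescan.
    Returns (matches, layers_removed).  Stops at an unknown stub or max_layers."""
    layers = 0
    while True:
        hits = scan(data)
        if hits or layers >= max_layers:
            return hits, layers
        inner = unpack_once(data)
        if inner is None:
            return [], layers
        data, layers = inner, layers + 1


if __name__ == "__main__":
    chained = pack_xor(pack_zip(SAMPLE), 0x5A)
    print("raw scan of packed file:", scan(chained))
    print("scan after unpacking:  ", scan_unpacking(chained))
```

The raw scan finds nothing in either packed form, the generic rule only helps against byte-level variants of the same code (change the call target and the exact rule misses while the generic one still fires), and detection returns only once the scanner knows the stub, which is the per-packer work the post describes. Hand it a prefix it has never seen and `scan_unpacking` has nothing to peel and reports no layers removed.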

Faust

Um, if I'm not mistaken the heuristic approach is statistical accumulation of computer processes to watch for abnormal behavior (not just copying itself or hiding itself but also making connections to remote machines at set intervals of time).
Some of it is pretty impressive: the college statistical analysis showed how one lecturer's computer was being logged into every day despite the college being closed on Sundays, and from that they found that it had been compromised.
Sleepless nights at the chateau
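Faust's description is behavioural rather than signature-based, so here is an added Python example (not from any product, and not code from anyone in this thread) that runs two such checks over constructed log lines: logins on a day the site is closed, and connections to a destination recurring at a fixed interval. It generalises slightly beyond the post by scoring every destination in the log rather than one known host. The log format, the host name and the "closed on Sunday" rule are assumptions, and the addresses are documentation ranges.

```python
"""Two behavioural checks run over constructed log lines: logins on days the
site is closed, and outbound connections recurring at a near-constant interval
(beaconing).  Added example, not from any monitoring product; the log format,
host name and closed-day rule are assumptions."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log, "<ISO timestamp> <host> <event> key=value ...".  2009-08-09 and
# 2009-08-16 are Sundays; the 198.51.100.7 connections are exactly 5 minutes apart.
LOG = """\
2009-08-03T09:02:11 lecturer-pc login user=jsmith src=10.1.4.20
2009-08-04T08:58:40 lecturer-pc login user=jsmith src=10.1.4.20
2009-08-09T03:14:07 lecturer-pc login user=jsmith src=192.0.2.13
2009-08-16T03:14:09 lecturer-pc login user=jsmith src=192.0.2.13
2009-08-03T10:00:00 lecturer-pc connect dst=198.51.100.7:443
2009-08-03T10:05:00 lecturer-pc connect dst=198.51.100.7:443
2009-08-03T10:10:00 lecturer-pc connect dst=198.51.100.7:443
2009-08-03T10:15:00 lecturer-pc connect dst=198.51.100.7:443
2009-08-03T10:20:00 lecturer-pc connect dst=198.51.100.7:443
2009-08-03T10:01:13 lecturer-pc connect dst=203.0.113.9:80
2009-08-03T10:07:41 lecturer-pc connect dst=203.0.113.9:80
2009-08-03T10:31:05 lecturer-pc connect dst=203.0.113.9:80
2009-08-03T10:33:55 lecturer-pc connect dst=203.0.113.9:80
2009-08-03T10:52:00 lecturer-pc connect dst=203.0.113.9:80
"""


def parse_log(text: str) -> list[dict]:
    """Split each line into timestamp, host, event and key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, rest = line.split(" ", 3)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, **fields})
    return events


def closed_day_logins(events: list[dict], closed_weekdays=frozenset({6})) -> list[dict]:
    """Logins on weekdays the site is closed (Monday=0 ... Sunday=6)."""
    return [e for e in events
            if e["event"] == "login" and e["ts"].weekday() in closed_weekdays]


def beacon_candidates(events: list[dict], min_events: int = 5,
                      max_cv: float = 0.1) -> dict[str, float]:
    """Destinations contacted at a near-constant interval: the coefficient of
    variation of the gaps between connections is at most max_cv.
    Returns dst -> mean gap in seconds.  Irregular browsing has a high CV."""
    by_dst: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] == "connect":
            by_dst[e["dst"]].append(e["ts"])
    out = {}
    for dst, stamps in by_dst.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            out[dst] = m
    return out


if __name__ == "__main__":
    ev = parse_log(LOG)
    for e in closed_day_logins(ev):
        print("login on a closed day:", e["ts"], e["user"], "from", e["src"])
    for dst, gap in beacon_candidates(ev).items():
        print("beacon candidate:", dst, "every", gap, "s")
```

Both checks are deliberately simple thresholds; in practice the closed-day rule needs the site calendar rather than a fixed weekday, and a jittered beacon will push the CV above 0.1, so the threshold is something to tune against your own traffic rather than a constant to trust.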