White Hat Hacker

"There is no security in this life, only opportunity" -- Gen Douglas MacArthur 

Microsoft Security Tools

In the past year (or so) Microsoft has released four free security tools to improve application security.

The following clips are from the announcements on www.theregister.co.uk and links from searching MSDN.

2008-09-16 The first initiative is the release of the Microsoft SDL Threat Modeling Tool. The software is designed to streamline the development of secure applications by helping teams track and mitigate security and privacy flaws that are likely to affect specific types of applications. The idea is to streamline secure coding by giving guidance in drawing threat diagrams, analysis of threats and mitigations and integrating with an organization's bug tracking systems.

SDL Threat Modeling Tool 3.1
http://www.microsoft.com/downloads/details.aspx?familyid=A48CCCB1-814B-47B6-9D17-1E273F65AE19&displaylang=en

2009-03-20 The release of !exploitable, which was announced at the CanSecWest security conference in Vancouver, British Columbia, is a continuation of that effort. It's a Windows debugger extension that's used during fuzz testing, when testers test the stability and security of an application by throwing unexpected data at it. It's expected to be available soon at this link as an open-source program on CodePlex.

!exploitable Crash Analyzer - MSEC Debugger Extensions
http://msecdbg.codeplex.com/

2009-09-16 Microsoft Minifuzz is a lightweight file fuzzer, a type of tool that detects software bugs by throwing random data at an application. Under Redmond's Secure Development Lifecycle (SDL), all code under development must be extensively fuzzed so buffer overflows and other common flaws can be identified before it goes into production.

MiniFuzz File Fuzzer
http://www.microsoft.com/downloads/details.aspx?FamilyID=b2307ca4-638f-4641-9946-dc0a5abe8513&displayLang=en

2009-10-27 EMET, short for Enhanced Mitigation Evaluation Toolkit, allows developers and administrators to add specific security protections to applications. Unlike mitigations released in the past, EMET doesn't require programs to be recompiled, so it can be used to fortify applications even when the source code isn't available.

Enhanced Mitigation Evaluation Toolkit (EMET)
http://go.microsoft.com/fwlink/?LinkID=162309


Windows XP and Vista Testing Images

We all test stuff. Sometimes we'd like to share the test environment, but that becomes complicated because of software license issues. For example, some general instructions on setting up a simple fault testing framework that anyone inside the company can use as a starting point for their project. You can't post your own XP image and you can't expect everyone to have their own MSDN subscription.

The solution is the FDCC images from http://nvd.nist.gov/fdcc/download_fdcc.cfm. As part of the Federal Desktop Core Configuration, Microsoft provides periodic updates to images and posts them on the FDCC site. The most recent set is from Q1 of 2009, but they work.

First download the multi-part zip file of XP or Vista. These must be opened in WinZip, not pkzip, or gzip, or anything else I tried on Mac OS X.

Next, download the free Microsoft Virtual PC 2004 SP1 or 2007 SP1. You'll need this because the zip archive contains a single VHD file that will only work with Virtual PC. I don't have a link for the download, but start at http://msdn.microsoft.com and search for Virtual PC.

NOTE: Yes, I did try using the vmware-vdiskmanager to convert the VHD image to a vmdk image. But I could not create an IDE disk. And using the SCSI disk image XP will blue screen before getting to the logon screen. Trying to fake the import utility didn't work either. So I fell back on creating a VPC image, then running the converter.

Install and run Virtual PC. Create a new image accepting all the defaults, but using the VHD file for the hard disk. You should be able to start this and log onto the FDCC image. The username and password are provided in the FAQs on the FDCC site, but for the impatient use Renamed_Admin and P@ssw0rd123456.

Now download and install the free VMware Converter. Again, no link. Go to http://www.vmware.com and search. You'll need to register, get the email, follow the link. Using this utility convert your Virtual PC image to a VMware image suitable for your next free download, the VMware Player.

Finally, install and run VMware Player. Open the .vmx file of your converted image. All should be well.

For extra credit, manually edit the VMware image to add a serial port by following the instructions on the VMware community help pages at (http://communities.vmware.com/message/1380528#1380528) or reading through (http://sanbarrow.com/vmx.html). Now you can run Windows Debugger (WinDbg) in one virtual machine or on the host, while attaching to a target virtual machine for kernel debugging.
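As an added illustration of the extra-credit step (constructed for this post, not taken from the VMware community thread or VMware's documentation), these are the .vmx lines that expose the target's COM1 as a named pipe on the host, with the matching target-side boot settings and host-side WinDbg command; the pipe name and the boot.ini disk path are assumptions.

```ini
; Added to the converted target VM's .vmx (constructed example, not from the post or VMware).
; Exposes the guest's COM1 as a named pipe on the host; the pipe name is an assumption.
serial0.present = "TRUE"
serial0.fileType = "pipe"
serial0.fileName = "\\.\pipe\com_1"
serial0.pipe.endPoint = "server"
serial0.tryNoRxLoss = "TRUE"
serial0.yieldOnMsrRead = "TRUE"

; Target side, Windows XP: add a debug entry to C:\boot.ini so the guest kernel talks on COM1.
; (The multi/disk/partition path is an assumption; copy it from the entry already in the file.)
; multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (kernel debug)" /fastdetect /debug /debugport=COM1 /baudrate=115200

; Target side, Windows Vista: the same via bcdedit from an elevated prompt.
; bcdedit /debug on
; bcdedit /dbgsettings serial debugport:1 baudrate:115200

; Host side: start WinDbg on the pipe first, then (re)boot the target into the debug entry.
; windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect
```

If WinDbg runs in a second VM rather than on the host, give that VM the same serial0 lines with serial0.pipe.endPoint = "client" so the two guests share the host pipe.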

After all this effort you'll have a Windows XP or Vista virtual machine which you can pass along to your team, your colleagues, your friends without breaking the rules or risking the loss of your MSDN license.

I've just gone through this exercise and can attest that it works. Or at least it did today.


Dragon Bytes

"Dragon Bytes - Chinese Information-War Theory and Practice" by Timothy L. Thomas.

The hardest part of this book is finding a copy. It was published by the Government Printing Office for the Foreign Military Studies Office (FMSO) at Ft Leavenworth in 2004. Fortunately two people in my business network came up with personal copies to lend. Not sure what that says about my circle of associates.

I'm drawn to the main theme of this work - that a far different culture (such as the Chinese) would not only develop a far different perspective on IW (we expected that), but that this will require us to change our perspective as a countermeasure. The book doesn't make suggestions on what changes the West should make.

The perspective of Chinese IW reflects their 36 Stratagems, Mao's thoughts on war, a focus on control, and "People's War". The emphasis is on protecting their own network while controlling the adversary. They don't focus as much on destruction or direct action, recognizing that influence by any means may be more effective.

It's not clear how to measure effectiveness at the tactical level. At the strategic level it would be the achievement of their goals. But to gauge the effect of a single operation or campaign by this perspective must be hard.


Rating the World's Most Dangerous Exploits

An interesting article (http://www.theregister.co.uk/2009/04/24/most_dangerous_exploits/) by Dan Goodin who attended a standing-room panel by Ed Skoudis (InGuardians) and Johannes Ullrich (SANS Institute) at the RSA Conference (https://365.rsaconference.com).
 
While Dan did not post a full list, he mentions the following:
 
Super-flexible Pivoting: Compromising a DMZ system, then launching attacks into the corporate network.
 
Pass the Hash: Stealing a user's cryptographic hash then penetrating Windows servers. This is aided by examples of this attack from Core Security (http://oss.coresecurity.com/projects/pshtoolkit.htm), JoMo-kun (http://www.foofus.net/jmk/passhash.html) or modules in Nessus and MetaSploit.
 
Wireless attacks: Such as compromising a client machine, then launching attacks into the corporate network.
 
Problems with SSL: They mention use of non-SSL login pages, methods of spoofing SSL sessions, but also "SSL's focus on failed connections rather than those that are successful". Not sure what to make of that - the lack of robust audit features?
 
VoIP systems: Ullrich stated scans of port 5060 are up significantly compared to last year, some 5,000 scans per day.
 
And the quote to take away, by Ed Skoudis: "I believe that a determined but not necessarily well-funded attacker can pretty much break into any organization. If you think it's less than 50 percent, I think you need to look a little more carefully."
 
The focus was on corporate networks, so it would be interesting to hear a similar panel on client systems.
 
The panel appears to have been session HT1-303, titled "The Seven Most Dangerous New Attack Techniques, and What's Coming Next", which was held Thursday, April 23rd 2009. Dan's article does not mention Rohit Dhamankar (TippingPoint), who was also on the panel, or Alan Paller (SANS Institute), who moderated.


Dave Jewell - Reverse Engineering Apple's OS X

Summary: "With all these tools in your arsenal, reverse engineering Cocoa executables is actually very simple. In fact, it's a good deal more straightforward than most Windows executables."
 
The tools are IDA Pro, class-dump, class-dump-x, otx, and a utility of his own that he doesn't appear to have released. I guess you need to keep a discriminator proprietary.
 
IDA Pro: http://www.hex-rays.com
 
Class-Dump: http://homepage.mac.com/nygard/Projects/index.html
class-dump-x: Just search online, and you'll find it.
Read more about class-dump at http://www.cocoadev.com/index.pl?ClassDump
 
otx: http://otx.osxninja.com/
 
Bundled with OS X: lipo, ditto, otool
 
This article is at http://www.theregister.co.uk/2009/03/17/mac_secrets_reverse_engineering/print.html
 
He's written several other articles about reverse engineering or undocumented components at the same site.


Dan Geer -- Keynote

Today I heard Dan Geer (http://en.wikipedia.org/wiki/Dan_Geer) speak at a conference.
 
I won't restate his talk as it should be released soon, but I found several of his comments interesting.
 
He observed that computer security is a renaissance field that draws on a great diversity of skills and backgrounds. He also observed it has a high rate of change, also like the Renaissance.
 
The first challenge of any research is to get the problem statement right. If you don't, you'll only develop a solution in search of a problem, and there are already too many security products like that. The other challenge is that the problem statement needs to remain stable.
 
The purpose of risk management is to improve our odds of future success, not explain the past.
 
Our adversaries are not random accidents and alpha particles; they are sentient.
 
In security, cost-benefit analysis must fail because you can't price security. But cost-effectiveness is relevant.
 
And the comment that caught me off guard, especially given my embedded software experience (which I'll be the first to caution is both limited and dated) was that embedded systems should either have no remote management interface or should be able to refuse a command. And they should come with a termination date (not his term but mine) so they stop working at a pre-determined point in the future rather than keep on working until they fail.
 
He led up to his conclusion with other arguments and I'm inclined to say he got this one right. Think of all the embedded systems that are designed around programmable logic. If they connect to the internet, or come with a port, they should be capable of an update because there will be faults or new features. But they should also be able to refuse these updates so any attack against them is harder. Of course the implementation of something like this is hard. And hard means both more expensive and longer development cycles -- so it's not likely to be done right. Better to just make them single use or time-limited. So any attack will have limited cost effectiveness because the device will brick itself soon.


Surveillance Self-Defense

The Electronic Freedom Foundation (EFF) created a site (https://ssd.eff.org/) discussing the various ways the US government can obtain information about you and how to limit this. They state their objective is to "educate the American public about the law and technology of government surveillance" and to provide "the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it."
 
The information will also help understand general risks of using the internet and measures to reduce these. So it really does apply to everyone, not just those who consider themselves at risk of government surveillance.
 
The quick highlights:
 
1. "If you don't have it, they can't get it." Limit the information you keep in any form. Shred or use secure file delete practices. Make a habit of cleaning out so that if a device is seized or searched there won't be as much for them to find.
 
2. "If someone else has stored it, they can get it." Consider anything on a mail server or any other site easily obtainable. This includes search history, browsing history, and anything else.
 
3. "Think before you communicate." This was interesting. They ask "Do you really want there to be a record of this?". So don't just pick how to communicate (you have more protection and less of a trail using a land-line phone than anything else), but also consider when and to whom. With encryption they may not be able to read the email or IM but they'll still know when you sent it and who you sent it to.
 
4. "Use encryption." An obvious one. But just because you encrypt it doesn't mean they can't get it. You may be forced to provide the key or to decrypt and provide access to some or all of the content.
 
Realizing just how little privacy and protection we have is the first step. And if it's this easy for the government to obtain through legal means, it's even easier for others to obtain through illegal means. Protecting yourself from the government is a good first step to protecting yourself from criminals.


Saar Drimer, Steven Murdoch & Ross Anderson - Optimised to Fail: Card Readers for Online Banking

From the 13th International Conference on Financial Cryptography and Data Security, Barbados, 2009
 
Conference website is http://fc09.ifca.ai
 
Copy of Paper:
http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
 
Copy of Slides:
http://www.cl.cam.ac.uk/~sjm217/talks/fc09optimised.pdf
 
Abstract. The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer’s debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm.
 
Authors' blog at http://www.lightbluetouchpaper.org/2009/02/26/optimised-to-fail-card-readers-for-online-banking/
 
Comments from the paper on their approach:
 
We used three different techniques to reverse engineer the protocol. First, we monitored communications between legitimate cards and readers (Figure 2 left), using an FPGA based protocol analyser we designed. Second, we emulated a reader and challenged the card (Figure 2 centre). Finally, we constructed an FPGA based card emulator in order to interrogate the reader (Figure 2 right). In all three cases we fully controlled the input, at either the electrical interface or keypad, so our approach was in effect an adaptive chosen text attack. We did not attempt to extract or study the code running on either the smart card or CAP reader.
 
Regrettably, these are the only comments. There is no diagram of their FPGA circuits, only two small pictures. One shows a possible custom board, the other what could be an eval or prototype board.


Tyler Moore & Richard Clayton - Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing

From the 13th International Conference on Financial Cryptography and Data Security, Barbados, 2009
 
Conference website is http://fc09.ifca.ai/
 
http://www.cl.cam.ac.uk/~rnc1/fc09evil.pdf
 
Abstract. Attackers compromise web servers in order to host fraudulent content, such as malware and phishing websites. While the techniques used to compromise websites are widely discussed and categorized, analysis of the methods used by attackers to identify targets has remained anecdotal. In this paper, we study the use of search engines to locate potentially vulnerable hosts. We present empirical evidence from the logs of websites used for phishing to demonstrate attackers’ widespread use of search terms which seek out susceptible web servers. We establish that at least 18% of website compromises are triggered by these searches. Many websites are repeatedly compromised whenever the root cause of the vulnerability is not addressed. We find that 19% of phishing websites are recompromised within six months, and the rate of recompromise is much higher if they have been identified through web search. By contrast, other public sources of information about phishing websites are not currently raising recompromise rates; we find that phishing websites placed onto a public blacklist are recompromised no more frequently than websites only known within closed communities.
 
Highlights from the authors' blog at http://www.lightbluetouchpaper.org/2009/02/25/evil-searching/
 
We found that some of these searches were “evil” in that they were looking for specific versions of software that contained security vulnerabilities (“If you’re running version 1.024 then I can break in”); or they were looking for existing phishing websites (“if you can break in, then so can I”); or they were seeking the PHP “shells” that phishing attackers often install to help them upload files onto the website (“if you haven’t password protected your shell, then I can upload files as well”).
 
We have firmly established that “evil searching” is an important way of locating machines to compromise.


Xinwen Fu - One Cell is Enough to Break Tor's Anonymity

It seems every Black Hat there's a talk about Tor. And every talk ends with a Q&A during which various defenders of Tor state this isn't a new problem, it's already been addressed or mitigated or it's just part of the design.
 
He stepped through how a Tor connection is made and torn down, message by message (each message is called a cell in Tor).
 
Then he presented his research showing how easily someone who controls both the entry and exit node can identify the circuit, breaking the anonymity.
 
He also showed that by providing free Tor nodes (it's volunteer driven so they won't turn you away) an attacker can increase the chances of holding both the entry and exit node. His research indicates that control of 9% of the routers will result in tracking 60% of the circuits. Small investment with a big return.
