White Hat Hacker

"There is no security in this life, only opportunity" -- Gen Douglas MacArthur 

EPIC Audits First Public Election to use Scantegrity Voting System

The following is from the EPIC News Alert 16.21

Secure voting systems should be simple by now, but it seems commercial
motivations and competition keep getting in the way. I'm hopeful
something better will be available soon. The Scantegrity voting system
looks promising.

-----

Takoma Park, Maryland's Clerk of Elections sought EPIC's assistance in
conducting a manual audit of the city's November 3, 2009 election. The
city chose the Scantegrity voting system for its biannual election for
mayor and city council. Scantegrity is an original concept developed by
David Chaum and has been refined for use in elections through the
collaboration of Ron Rivest (MIT) and Poorvi Vora (Computing Science
Department, George Washington University).

Scantegrity's implementation for the Takoma Park election allowed
voters the option of performing a post-voting verification that their
ballots were captured for the tabulation phase of the election. Takoma
Park voters also had the option of second chance voting, which allowed
the selection of primary and secondary choices for the public offices
on Tuesday's ballot.

This marked the first time in the U.S. that voters had the option to
check that their private votes are correctly recorded and included in
the election results. Selections on each ballot used unique codes for
each possible selection on the ballot. The codes correspond to the
ballot number. It is important to note, however, that ballots are not
associated with a specific voter. Poll book registration logging of
voters participating in the election was separate from the issuance of
ballots to voters.

Voters were given ballots in a privacy sleeve. They then voted using
optical scan ballots behind privacy screens, which allowed voters the
option of noting the codes and ballot numbers on a form they could take
with them. Voters then deposited completed ballots into one of two
scanners. Later, voters could verify that their ballot was included in
the final results by going to the City Election Office's web site and
entering the ballot number. The process was not as accessible for
unassisted voting by persons with vision-related disabilities, when
compared with touch screen voting systems. However, voters with a wide
range of disability challenges were able to vote independently, or with
little assistance, by inserting their privacy-sleeve-enclosed ballot
into the scanner.

EPIC was asked to randomly select ballots from the choice of ballots
provided to voters from each of the 6 wards. Over 1600 Takoma Park
voters participated in the election. The audit ballots were selected
at varying times throughout Election Day, under the supervision of
election officials. Takoma Park elections officials voided each audit
ballot and marked the ballot stubs to indicate that they were part of
the manual audit. EPIC then processed each manual audit ballot by
revealing all possible selections for the ballot, after which a copy
of the original manual audit ballot was made. The original ballots were
placed in a spoiled manual audit ballot envelope held by another
election official stationed in the polling location. Each ballot copy
was then endorsed by the Chief Election Judge, which will aid in
authentication of the copies when they are submitted to the City
Clerk's office. The manual audit ballots and their selections will be
verified and the results reported to the Takoma Park Clerk's office.
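The ballot-number and confirmation-code mechanism described above, as an added simplified model that is not Scantegrity's own code or protocol (the real system uses more machinery to keep published codes unlinkable to candidates). It assumes a constructed three-candidate race and covers both the voter's check on the verification page and the audit of a spoiled ballot whose codes are all revealed.

```python
import hashlib
import hmac
import random

CANDIDATES = ("Alice", "Bob", "Carol")    # constructed sample race, not a real ballot


def commit(ballot_no, candidate, code, salt):
    """Hash commitment to one confirmation code, published before the election.
    The salt stops anyone from brute-forcing the short code from the hash."""
    msg = f"{ballot_no}|{candidate}|{code}|{salt}".encode()
    return hashlib.sha256(msg).hexdigest()


def print_ballots(count, seed):
    """Create `count` ballots, each with a distinct 3-digit code per candidate.
    Returns the secret ballot data and the public commitment board."""
    rng = random.Random(seed)             # seeded only so the demo is repeatable
    ballots, board = {}, {}
    for no in range(1, count + 1):
        nums = rng.sample(range(1000), len(CANDIDATES))   # distinct within a ballot
        codes = {c: f"{n:03d}" for c, n in zip(CANDIDATES, nums)}
        salts = {c: f"{rng.getrandbits(64):016x}" for c in CANDIDATES}
        ballots[no] = {"codes": codes, "salts": salts}
        board[no] = {c: commit(no, c, codes[c], salts[c]) for c in CANDIDATES}
    return ballots, board


def publish_results(ballots, marks):
    """The election office publishes, per cast ballot number, only the code of
    the marked position (no candidate name). `marks` maps ballot number to the
    chosen candidate. Returns the public code list and the tally."""
    published, tally = {}, {c: 0 for c in CANDIDATES}
    for no, choice in marks.items():
        published[no] = [ballots[no]["codes"][choice]]
        tally[choice] += 1
    return published, tally


def voter_check(published, ballot_no, noted_code):
    """What a voter does on the verification web page: is the code I wrote down
    listed under my ballot number? False means the ballot is missing or altered."""
    return noted_code in published.get(ballot_no, [])


def audit_check(board, ballots, ballot_no):
    """An audit ballot is spoiled, so every code on it is revealed. The auditor
    recomputes each commitment and compares it with the board published before
    the election; any mismatch means the printed codes were changed."""
    b = ballots[ballot_no]
    return all(
        hmac.compare_digest(board[ballot_no][c],
                            commit(ballot_no, c, b["codes"][c], b["salts"][c]))
        for c in CANDIDATES
    )


if __name__ == "__main__":
    ballots, board = print_ballots(5, seed=7)
    published, tally = publish_results(ballots, {1: "Bob", 2: "Alice", 4: "Bob"})
    print("tally:", tally)
    print("voter 1 sees own code:", voter_check(published, 1, ballots[1]["codes"]["Bob"]))
    print("audit ballot 5 matches board:", audit_check(board, ballots, 5))
```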

Scantegrity:
http://www.scantegrity.org/

Links: Takoma Park Election's Office:
http://www.takomaparkmd.gov/clerk/election/2009/index.html

Takoma ballot verification web page:
http://scantegrity.org/takoma/checkcodes

EPIC's Voting Privacy Page:
http://epic.org/privacy/voting/


Microsoft Security Tools

In the past year (or so) Microsoft has released four free security tools to improve application security.

The following clips are from the announcements on www.theregister.co.uk and links from searching MSDN.

2008-09-16 The first initiative is the release of the Microsoft SDL Threat Modeling Tool. The software is designed to streamline the development of secure applications by helping teams track and mitigate security and privacy flaws that are likely to affect specific types of applications. The idea is to streamline secure coding by giving guidance in drawing threat diagrams, analysis of threats and mitigations and integrating with an organization's bug tracking systems.

SDL Threat Modeling Tool 3.1
http://www.microsoft.com/downloads/details.aspx?familyid=A48CCCB1-814B-47B6-9D17-1E273F65AE19&displaylang=en

2009-03-20 The release of !exploitable, which was announced at the CanSecWest security conference in Vancouver, British Columbia, is a continuation of that effort. It's a Windows debugger extension that's used during fuzz testing, when testers test the stability and security of an application by throwing unexpected data at it. It's expected to be available soon at this link as an open-source program on CodePlex.

!exploitable Crash Analyzer - MSEC Debugger Extensions
http://msecdbg.codeplex.com/

2009-09-16 Microsoft Minifuzz is a lightweight file fuzzer, a type of tool that detects software bugs by throwing random data at an application. Under Redmond's Secure Development Lifecycle (SDL), all code under development must be extensively fuzzed so buffer overflows and other common flaws can be identified before it goes into production.

MiniFuzz File Fuzzer
http://www.microsoft.com/downloads/details.aspx?FamilyID=b2307ca4-638f-4641-9946-dc0a5abe8513&displayLang=en

2009-10-27 EMET, short for Enhanced Mitigation Evaluation Toolkit, allows developers and administrators to add specific security protections to applications. Unlike mitigations released in the past, EMET doesn't require programs to be recompiled, so it can be used to fortify applications even when the source code isn't available.

Enhanced Mitigation Evaluation Toolkit (EMET)
http://go.microsoft.com/fwlink/?LinkID=162309


Windows XP and Vista Testing Images

We all test stuff. Sometimes we'd like to share the test environment, but that becomes complicated because of software license issues. For example, you might want to post some general instructions on setting up a simple fault testing framework that anyone inside the company can use as a starting point for their project. You can't post your own XP image, and you can't expect everyone to have their own MSDN subscription.

The solution is the FDCC images from http://nvd.nist.gov/fdcc/download_fdcc.cfm. As part of the Federal Desktop Core Configuration, Microsoft provides periodic updates to images and posts them on the FDCC site. The most recent set is from Q1 of 2009, but they work.

First download the multi-part zip file of XP or Vista. These must be opened in WinZip; pkzip, gzip, and everything else I tried on Mac OS X failed.

Next, download the free Microsoft Virtual PC 2004 SP1 or 2007 SP1. You'll need this because the zip archive contains a single VHD file that will only work with Virtual PC. I don't have a link for the download, but start at http://msdn.microsoft.com and search for Virtual PC.

NOTE: Yes, I did try using vmware-vdiskmanager to convert the VHD image to a vmdk image. But I could not create an IDE disk, and with a SCSI disk image XP will blue screen before getting to the logon screen. Trying to fake the import utility didn't work either. So I fell back on creating a VPC image, then running the converter.

Install and run Virtual PC. Create a new image accepting all the defaults, but using the VHD file for the hard disk. You should be able to start this and log onto the FDCC image. The username and password are provided in the FAQs on the FDCC site, but for the impatient use Renamed_Admin and P@ssw0rd123456.

Now download and install the free VMware Converter. Again, no link. Go to http://www.vmware.com and search. You'll need to register, get the email, follow the link. Using this utility convert your Virtual PC image to a VMware image suitable for your next free download, the VMware Player.

Finally, install and run VMware Player. Open the .vmx file of your converted image. All should be well.

For extra credit, manually edit the VMware image to add a serial port by following the instructions on the VMware community help pages at (http://communities.vmware.com/message/1380528#1380528) or reading through (http://sanbarrow.com/vmx.html). Now you can run Windows Debugger (WinDbg) in one virtual machine or on the host, while attaching to a target virtual machine for kernel debugging.

After all this effort you'll have a Windows XP or Vista virtual machine which you can pass along to your team, your colleagues, your friends without breaking the rules or risking the loss of your MSDN license.

I've just gone through this exercise and can attest that it works. Or at least it did today.


Dragon Bytes

"Dragon Bytes - Chinese Information-War Theory and Practice" by Timothy L. Thomas.

The hardest part of this book is finding a copy. It was published by the Government Printing Office for the Foreign Military Studies Office (FMSO) at Ft Leavenworth in 2004. Fortunately two people in my business network came up with personal copies to lend. Not sure what that says about my circle of associates.

I'm drawn to the main theme of this work: that a far different culture (such as the Chinese) would not only develop a far different perspective on IW (we expected that), but that this will require us to change our perspective as a countermeasure. The book doesn't make suggestions on what changes the West should make.

The perspective of Chinese IW reflects their 36 Stratagems, Mao's thoughts on war, a focus on control, and "People's War". The emphasis is on protecting their own network while controlling the adversary. They don't focus as much on destruction or direct action, recognizing that influence by any means may be more effective.

It's not clear how to measure effectiveness at the tactical level. At the strategic level it would be the achievement of their goals. But to gauge the effect of a single operation or campaign by this perspective must be hard.


Rating the World's Most Dangerous Exploits

An interesting article (http://www.theregister.co.uk/2009/04/24/most_dangerous_exploits/) by Dan Goodin, who attended a standing-room-only panel by Ed Skoudis (InGuardians) and Johannes Ullrich (SANS Institute) at the RSA Conference (https://365.rsaconference.com).
 
While Dan did not post a full list, he mentions the following:
 
Super-flexible Pivoting: Compromising a DMZ system, then launching attacks into the corporate network.
 
Pass the Hash: Stealing a user's cryptographic hash, then penetrating Windows servers. This is aided by examples of this attack from Core Security (http://oss.coresecurity.com/projects/pshtoolkit.htm), JoMo-kun (http://www.foofus.net/jmk/passhash.html) or modules in Nessus and Metasploit.
 
Wireless attacks: Such as compromising a client machine, then launching attacks into the corporate network.
 
Problems with SSL: They mention use of non-SSL login pages, methods of spoofing SSL sessions, but also "SSL's focus on failed connections rather than those that are successful". Not sure what to make of that - the lack of robust audit features?
 
VoIP systems: Ullrich stated scans of port 5060 are up significantly compared to last year, some 5,000 scans per day.
 
And the quote to take away, by Ed Skoudis: "I believe that a determined but not necessarily well-funded attacker can pretty much break into any organization. If you think it's less than 50 percent, I think you need to look a little more carefully."
 
The focus was on corporate networks, so it would be interesting to hear a similar panel on client systems.
 
The panel appears to have been session HT1-303, titled "The Seven Most Dangerous New Attack Techniques, and What's Coming Next", which was held Thursday, April 23rd 2009. Dan's article does not mention Rohit Dhamankar (TippingPoint), who was also on the panel, or Alan Paller (SANS Institute), who moderated.


Dave Jewell - Reverse Engineering Apple's OS X

Summary: "With all these tools in your arsenal, reverse engineering Cocoa executables is actually very simple. In fact, it's a good deal more straightforward than most Windows executables."
 
The tools are IDA Pro, class-dump, class-dump-x, otx, and his own utility, which he does not appear to have released. I guess you need to keep a discriminator proprietary.
 
IDA Pro: http://www.hex-rays.com
 
Class-Dump: http://homepage.mac.com/nygard/Projects/index.html
class-dump-x: Just search online, and you'll find it.
Read more about class-dump at http://www.cocoadev.com/index.pl?ClassDump
 
otx: http://otx.osxninja.com/
 
Bundled with OS X: lipo, ditto, otool
 
This article is at http://www.theregister.co.uk/2009/03/17/mac_secrets_reverse_engineering/print.html
 
He's written several other articles about reverse engineering or undocumented components at the same site.


Dan Geer -- Keynote

Today I heard Dan Geer (http://en.wikipedia.org/wiki/Dan_Geer) speak at a conference.
 
I won't restate his talk as it should be released soon, but I found several of his comments interesting.
 
He observed that computer security is a renaissance field that draws on a great diversity of skills and backgrounds. He also observed it has a high rate of change, also like the Renaissance.
 
The first challenge of any research is to get the problem statement right. If you don't, you'll only develop a solution in search of a problem, and there are already too many security products like that. The other challenge is that the problem statement needs to remain stable.
 
The purpose of risk management is to improve our odds of future success, not explain the past.
 
Our adversaries are not random accidents and alpha particles, they are sentient.
 
In security, cost-benefit analysis must fail because you can't price security. But cost-effectiveness is relevant.
 
And the comment that caught me off guard, especially given my embedded software experience (which I'll be the first to caution is both limited and dated) was that embedded systems should either have no remote management interface or should be able to refuse a command. And they should come with a termination date (not his term but mine) so they stop working at a pre-determined point in the future rather than keep on working until they fail.
 
He led up to his conclusion with other arguments, and I'm inclined to say he got this one right. Think of all the embedded systems that are designed around programmable logic. If they connect to the internet, or come with a port, they should be capable of an update because there will be faults or new features. But they should also be able to refuse these updates so any attack against them is harder. Of course the implementation of something like this is hard. And hard means both more expensive and longer development cycles -- so it's not likely to be done right. Better to just make them single use or time-limited. Then any attack will have limited cost effectiveness because the device will brick itself soon.


Surveillance Self-Defense

The Electronic Freedom Foundation (EFF) created a site (https://ssd.eff.org/) discussing the various ways the US government can obtain information about you and how to limit this. They state their objective is to "educate the American public about the law and technology of government surveillance" and to provide "the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it."
 
The information will also help readers understand the general risks of using the internet and measures to reduce them. So it really does apply to everyone, not just those who consider themselves at risk of government surveillance.
 
The quick highlights:
 
1. "If you don't have it, they can't get it." Limit the information you keep in any form. Shred or use secure file delete practices. Make a habit of cleaning out so that if a device is seized or searched there won't be as much for them to find.
 
2. "If someone else has stored it, they can get it." Consider anything on a mail server or any other site easily obtainable. This includes search history, browsing history, and anything else.
 
3. "Think before you communicate." This was interesting. They ask "Do you really want there to be a record of this?". So don't just pick how to communicate (you have more protection and less of a trail using a land-line phone than anything else), but also consider when and to whom. With encryption they may not be able to read the email or IM but they'll still know when you sent it and who you sent it to.
 
4. "Use encryption." An obvious one. But just because you encrypt it doesn't mean they can't get it. You may be forced to provide the key or to decrypt and provide access to some or all of the content.
 
Realizing just how little privacy and protection we have is the first step. And if it's this easy for the government to obtain through legal means, it's even easier for others to obtain through illegal means. Protecting yourself from the government is a good first step to protecting yourself from criminals.


Saar Drimer, Steven Murdoch & Ross Anderson - Optimised to Fail: Card Readers for Online Banking

From the 13th International Conference on Financial Cryptography and Data Security, Barbados, 2009
 
Conference website is http://fc09.ifca.ai
 
Copy of Paper:
http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
 
Copy of Slides:
http://www.cl.cam.ac.uk/~sjm217/talks/fc09optimised.pdf
 
Abstract. The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer’s debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm.
 
Authors' blog at http://www.lightbluetouchpaper.org/2009/02/26/optimised-to-fail-card-readers-for-online-banking/
 
Comments from the paper on their approach:
 
We used three different techniques to reverse engineer the protocol. First, we monitored communications between legitimate cards and readers (Figure 2 left), using an FPGA based protocol analyser we designed. Second, we emulated a reader and challenged the card (Figure 2 centre). Finally, we constructed an FPGA based card emulator in order to interrogate the reader (Figure 2 right). In all three cases we fully controlled the input, at either the electrical interface or keypad, so our approach was in effect an adaptive chosen text attack. We did not attempt to extract or study the code running on either the smart card or CAP reader.
 
Regrettably, these are the only comments. There is no diagram of their FPGA circuits, only two small pictures. One shows a possible custom board, the other what could be an eval or prototype board.


Tyler Moore & Richard Clayton - Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing

From the 13th International Conference on Financial Cryptography and Data Security, Barbados, 2009
 
Conference website is http://fc09.ifca.ai/
 
http://www.cl.cam.ac.uk/~rnc1/fc09evil.pdf
 
Abstract. Attackers compromise web servers in order to host fraudulent content, such as malware and phishing websites. While the techniques used to compromise websites are widely discussed and categorized, analysis of the methods used by attackers to identify targets has remained anecdotal. In this paper, we study the use of search engines to locate potentially vulnerable hosts. We present empirical evidence from the logs of websites used for phishing to demonstrate attackers’ widespread use of search terms which seek out susceptible web servers. We establish that at least 18% of website compromises are triggered by these searches. Many websites are repeatedly compromised whenever the root cause of the vulnerability is not addressed. We find that 19% of phishing websites are recompromised within six months, and the rate of recompromise is much higher if they have been identified through web search. By contrast, other public sources of information about phishing websites are not currently raising recompromise rates; we find that phishing websites placed onto a public blacklist are recompromised no more frequently than websites only known within closed communities.
 
Highlights from the authors' blog at http://www.lightbluetouchpaper.org/2009/02/25/evil-searching/
 
We found that some of these searches were "evil" in that they were looking for specific versions of software that contained security vulnerabilities ("If you're running version 1.024 then I can break in"); or they were looking for existing phishing websites ("if you can break in, then so can I"); or they were seeking the PHP "shells" that phishing attackers often install to help them upload files onto the website ("if you haven't password protected your shell, then I can upload files as well").
 
We have firmly established that “evil searching” is an important way of locating machines to compromise.
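A defender-side version of the log analysis the paper describes, as an added example that is not the authors' code: it scans constructed access-log lines for search-engine referrals whose query named the site's own software version or looked for a PHP shell, so a site operator can spot that they were found by "evil searching" rather than by chance. The search-engine parameter table and the OWN_SOFTWARE string are hypothetical values the operator fills in.

```python
import re
from urllib.parse import parse_qs, urlparse

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')

# Query-string parameter carrying the search terms (hypothetical subset of engines)
QUERY_PARAM = {"www.google.com": "q", "www.bing.com": "q", "search.yahoo.com": "p"}

# Name and version of this site's own software (hypothetical, filled in by the operator);
# a search containing it is looking for exactly this software, as the paper describes
OWN_SOFTWARE = ("examplecms 1.024",)


def search_terms(referer):
    """Return the search query from a search-engine referer URL, else None."""
    url = urlparse(referer)
    param = QUERY_PARAM.get(url.netloc.lower())
    if param is None:
        return None
    return parse_qs(url.query).get(param, [None])[0]


def classify(query):
    """'version-probe' if the search named our software version, 'shell-probe'
    if it looked for an uploaded PHP shell, None for ordinary traffic."""
    q = query.lower()
    if any(s in q for s in OWN_SOFTWARE):
        return "version-probe"
    if "shell" in q and ".php" in q:
        return "shell-probe"
    return None


def scan(lines):
    """Return one record per request that arrived via a suspicious search."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not Combined Log Format; skip
        ip, when, request, status, referer, _agent = m.groups()
        query = search_terms(referer)
        kind = classify(query) if query is not None else None
        if kind is not None:
            path = request.split(" ")[1] if " " in request else request
            hits.append({"ip": ip, "time": when, "path": path,
                         "status": int(status), "query": query, "kind": kind})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, made-up queries)
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Feb/2009:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=examplecms+1.024+powered+by" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Feb/2009:10:15:44 +0000] "GET /uploads/ HTTP/1.1" 403 210 '
    '"http://search.yahoo.com/search?p=shell.php+upload+form" "Mozilla/5.0"',
    '192.0.2.4 - - [25/Feb/2009:10:20:00 +0000] "GET /about.html HTTP/1.1" 200 800 '
    '"http://www.google.com/search?q=takoma+park+bakery" "Mozilla/5.0"',
    '192.0.2.5 - - [25/Feb/2009:10:21:00 +0000] "GET /blog/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]
```

`scan(SAMPLE_LOG)` flags the first two lines; a real deployment would set OWN_SOFTWARE from the site's version banner and treat a version-probe hit as a prompt to patch, since the paper's data shows such sites are recompromised until the root cause is fixed.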
