10:15 – 11:15 Pompeian Advanced Chrome Extension Exploitation: Leveraging API Powers for the Better Evil Kyle Osborn + Krzysztof Kotowicz
11:45 – 12:45 Augustus V + VI How the Analysis of Electrical Current Consumption of Embedded Systems Could Lead to Code Reversing Yann Allain + Julien Moinard
*Dan Kaminsky is also doing a talk at this time, but I think this one will be solid.
2:15 – 3:15 Palace I Don’t Stand So Close To Me: An Analysis of the NFC Attack Surface Charlie Miller
3:30 – 4:30 Palace II Intrusion Detection Along the Kill Chain: Why your Detection System Sucks and What to Do About it John Flynn
5:00 – 6:00 Palace I Adventures in Bouncer Land Nicholas Percoco + Sean Schulte
- ISE VIP Reception at Black Hat
- Accuvant LABS, WhiteHat and Palo Alto Party at Pure
- Fishnet Security at Revolution Lounge
- Qualys Party at HYDE Bellagio
- RSA Party at Rhumbar
I arrived in Las Vegas late yesterday, oddly from Atlanta, Georgia and not Denver, Colorado, where I currently reside. I have to admit, I am way more excited this year than I have been since my first time at Black Hat back in 2007. So much so that I found myself watching the minutes tick off the roughly four hours it took me to fly here. When the plane landed I was practically ready to spring out of my seat and sprint the rest of the way to the gate!
As I sat in the cab eagerly encouraging the driver to get to the hotel as quickly as possible, I began to assess why I am particularly excited. Is it the talks? No. Though the lineup this year is better than any other year since 2007, I did not believe it was the talks. Is it the reunion aspect of Black Hat? Well, I’m certainly excited to see everyone, but I see people pretty regularly in my travels and my excitement level was well above typical levels for reunions. At this point, I began to think about my girlfriend (Janita) and how I was going to miss her and I wasn’t excited about that (*blush). It was on this last recognition that I realized why going to Black Hat tasted just a little bit sweeter this year.
To explain what I realized, I have to take everyone back to something she and I did together last week. For Janita and me, seeing midnight shows is, if anything, our “thing.” Multiple Harry Potters, Act of Valor, the Avengers, both Iron Mans, The Amazing Spider-man, Thor, are just a few of the midnight shows we’ve caught together. We enjoy the cosplay (people dressing in costume) and the energy of the crowd. So posting on Facebook the day that Janita, one of my closest friends Ryan and I were going to see the midnight showing of Batman: The Dark Knight Rises didn’t seem like that big of a deal at the time.
To skip the suspense, I will plainly state Janita, Ryan and I watched the whole movie and all slept peaceably in our beds that Thursday evening, totally unaware of the carnage that occurred just a few miles away. We were at a different theater.
I awoke the next morning to the soft, but somewhat panicked words, “Mike, something happened…”
Once my girlfriend explained there had been a major shooting at another theater several miles away, my immediate thought shot to how worried my mother must be. I immediately grabbed my phone, hoping that I would have no missed calls and no messages. Maybe the news had not made it out east yet. Unfortunately, this wasn’t the case. I grabbed my phone and immediately remembered it was still on vibrate from the movie. I then recognized I wouldn’t have heard it ringing over the fan… people had been calling me for hours.
I honestly cannot recall the actual number of calls/messages I missed, but I can comfortably state it was more than 30, and that they were from multiple people including some who I had not spoken to in a long while. Upon reading a brief summary of a few of the text messages that I received, I froze. It was not the concerned tone of the text messages that shocked me; I had anticipated concern. What shocked me was the desperation.
Janita, Ryan, and I did not know anyone who was injured or killed in the attack (thank G-d). Frankly, despite the relatively close proximity, we have very few friends in that area and we knew they wouldn’t have gone to see the movie. And yet, while I’d love to end the story on that note, we unfortunately did not get off so easily. Instead, Janita’s close friend lost his high school best friend…
This is a relationship that she is far enough removed from that it does not impact our daily life, but close enough for us to stop and seriously consider the mere fact that what separated us from a life and death struggle is simply that “we were at a different theater.”
I’ll spare you the cocktail of emotions that a realization like this one has put me through, and I’ll also spare you the “what-if” scenarios that have been running through my mind for several days now. Just know that it hurts to know things can be so random, life can be so frail and the “what-ifs” are terrifying. More than anything I fear the idea of failing to protect Ryan and Janita, and at the same time, I think about how upset my people were not knowing if I was ok, and how devastated they would have been had I not been alright. This made me realize that I am happier to be here at the world’s largest hacking spectacle than normal. It is a present that I have taken for granted in recent years.
Life tastes a little bit sweeter to anyone who recognizes its frailty.
Drink It In
Looking around the Black Hat venue, Caesars Palace, last night, I hoped to G-d and prayed that no one here, especially the 303 folks (whom I mostly do not know but who are, I believe, almost all also Colorado residents), was directly affected by the horrific incident in Colorado. To which I should tell everyone that I am deeply religious but believe religion to be a very personal experience, and you’ll virtually never catch me bringing my beliefs into a conversation. So when I openly admit to praying, it means something big.
Beyond that though, I am just SO happy to be here. I think it is worthwhile for all of us in attendance at Black Hat this year to recognize that our attendance is a luxury; seeing our friends and being intellectually enlightened by the community is a gift. Drink it in folks, enjoy it, life is short, it is frail, and you only have one shot at it. This week, follow the blog, we’ll keep you posted on all the events and inform you of what talks we think will be interesting. And forgive me if any of my writings seem overly excited. Welcome to Black Hat!
Check out the Black Hat Day One Guide
In virtually useless news, Shodan now has a mobile app. Shodan, one may recall, is an incredibly useful semi-public database of information on Internet-connected computers. A few years ago, the existence of Shodan struck fear into security professionals everywhere. Today, its nefarious use is certainly recognized, but it is far less feared. All that aside, the introduction of Shodan onto mobile platforms is nifty and fun to play with, but at the end of the day it is more a toy than it is a useful utility for security professionals. Granted, the use cases are plentiful: who hasn’t needed to find a server running Apache 1.3.3 while reading the news on their iPad in a hotel without an Internet connection? (Hopefully the sarcasm comes across clearly in writing.) The real story is how the persistence of Erran Carey (of Rapid7) got the app through Apple’s review process.
Hopefully that persistence, and the existence of a security tool that is not a mobile management platform or a glorified RSS reader, will be the first step towards a plethora of mobile security tools on the iOS platform. For now, we’ll just have to stick with the good old-fashioned PWN Phone from Pwnie Express. The Nokia N900 is a lot less sexy, but with some Pwnie Express software it’s a lot more useful. At any rate, congratulations to Erran, and have some fun with the Shodan application, available now in the Apple App Store.
In working with clients, I regularly receive the question, “Where are we versus (insert noun here) like us?” As a result, I have come to label this the “Grizzly Bear Paradigm.” I modeled this paradigm on the well-known mantra that one does not have to be the fastest camper to outrun a grizzly bear; they just have to be faster than the slowest camper. I use this paradigm because when I am asked this question, I am not being asked, “How can we become the most secure company?” I am being asked, “How can we reach the middle of the pack?”
CISOs often aim to be middle of the pack in terms of security because it says, on the one hand, that they are not incompetent versus the rest of the field and, on the other, that they have not reached a level of overkill. In a lot of ways this methodology makes sense, as the middle of the pack is really the best place to be: there is coverage should something happen, and there is still room to request budget. The problem is that security is only as strong as the weakest link in the chain. Any number of high-security companies proved this point last year. Put simply: 99% secure is 100% ineffective.
As a result, let me once and for all answer all the times I’ve been asked where a company stood versus others in its market, and at the same time put this question to the Grizzly Bear Paradigm: “Shouldn’t we as security professionals aim to serve better than striving for the goal of a position that is merely politically strong?”
This page is dedicated to reporting security statistics as they are reported from the numerous outlets around the market. This page will continue to be updated as new reports arise.
“36% of vulnerabilities went unpatched in 2011.” -X-Force Trend and Risk Report 2011
“India accounted for roughly 14% of all spam registered today.” -X-Force Trend and Risk Report 2011
“41% of vulnerabilities disclosed are web application vulnerabilities.” -X-Force Trend and Risk Report 2011
“11% of vulnerabilities disclosed in 2011 had an associated public exploit released.” -X-Force Trend and Risk Report 2011
“28% of web applications tested had CSRF vulnerabilities.” -X-Force Trend and Risk Report 2011
“40% of web applications tested had XSS vulnerabilities.” -X-Force Trend and Risk Report 2011
“.tk and .com domains represented more than 70 percent of all new anonymous proxies.” -X-Force Trend and Risk Report 2011
“174 million records were compromised across 855 incidents researched” -DBIR
“98% of breaches stemmed from external agents” -DBIR
“58% of all data theft tied to activist group” -DBIR
“81% utilized some form of hacking” -DBIR
“69% of breaches incorporated malware” -DBIR
“79% of victims were targets of opportunities.” -DBIR
“96% of attacks were not highly difficult” -DBIR
“94% of all data compromised involved servers” -DBIR
“85% of breaches took weeks or more to discover” -DBIR
“92% of incidents were discovered by third parties” -DBIR
“97% of breaches were avoidable through simple or intermediate controls” -DBIR
“96% of victims subject to PCI DSS had not achieved compliance” -DBIR
“In 69% of all breaches there was good evidence of the breach in the organization’s log files, but such evidence is rarely found due to data overload.” -DBIR
“Attackers used valid credentials in 100% of cases.” -M-Trends
“77% of Advanced threats investigated used publicly-available malware” -M-Trends
“At median it took 416 days from the time attackers were present on a victim’s network before their presence was detected (in investigated incidents).” -M-Trends
“Searching for malware identifies only 54% of systems compromised in an incident.” -M-Trends
“Attackers are once again using passive backdoors to evade network- and host-based detection methods” -M-Trends
“Customer records remained a valuable target for attackers, making up 89% of breached data investigated.” -Trustwave 2012 Global Security Report
“In 76% of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies.” -Trustwave 2012 Global Security Report
“Law enforcement detected more breaches in 2011 – up from 7% in 2010 to 33% in 2011.” -Trustwave 2012 Global Security Report
“Anti-virus detected less than 12% of the targeted malware samples collected during 2011 investigations.” -Trustwave 2012 Global Security Report
“For Web-based attacks, SQL injection remains the number one attack method for the fourth year in a row.” -Trustwave 2012 Global Security Report
“The most common password used by global businesses is ‘Password1’ because it satisfies the default MS Active Directory complexity setting.” -Trustwave 2012 Global Security Report
“89% of attacks were focused on obtaining PII” -Trustwave 2012 Global Security Report
“80% of breaches propagated via use of weak administrative credentials.” -Trustwave 2012 Global Security Report
“28% of Apache Tomcat installations with an accessible administrative interface have default credentials.” -Trustwave 2012 Global Security Report
“Through 2016, 75% of CISOs who experience publicly disclosed security breaches and lack documented, tested response plans will be fired.” -Strategic Planning Assumption (Gartner, Seven Steps to Creating an Effective Computer Security Incident Response Team)
“Two-thirds of security leaders expect spending on information security to rise over the next two years. Of those, 90% anticipate double-digit growth. One in ten expects increases of 50% or more.” -IBM CISO Study
“Over 6,000 new pieces of malware are released every month.” -Unknown, found on AnsonAlex.com
“Web based attacks increased by 36% with over 4,500 new attacks each day.” -Symantec Internet Security Threat Report, Volume 17
“403 million new variants of malware were created in 2011, a 41% increase over 2010.” -Symantec Internet Security Threat Report, Volume 17
“39% of malware attacks via email used a link to a web page.” -Symantec Internet Security Threat Report, Volume 17
“Mobile vulnerabilities continued to rise, with 315 discovered in 2011.” -Symantec Internet Security Threat Report, Volume 17
“It is estimated that there were 42 billion pieces of spam sent per day in 2011.” -Symantec Internet Security Threat Report, Volume 17
“42% of all mailboxes targeted for attack are high-level executives, senior managers and people in R&D.” -Symantec Internet Security Threat Report, Volume 17
“403 million unique variants of malware in 2011.” -Symantec Internet Security Threat Report, Volume 17
“55,294 unique malicious web domains in 2011.” -Symantec Internet Security Threat Report, Volume 17
“1 in 239 E-mails contains a virus.” -Symantec Internet Security Threat Report, Volume 17
“5% of websites have had at least 1 SQL Injection vulnerability without needing to login.” -WhiteHat Security Statistics Winter 2011
“71% of Education, 58% of Social Networking, and 51% of Retail websites were exposed to a serious* vulnerability every day of 2010.” -WhiteHat Security Statistics Winter 2011
“During 2010, the average website had 230 serious vulnerabilities.” -WhiteHat Security Statistics Winter 2011
“In 2010, 64% of websites had at least one Information Leakage vulnerability, which overtook Cross-Site Scripting as the most prevalent vulnerability by tenths of a percent.” -WhiteHat Security Statistics Winter 2011
“70% of security professionals surveyed do not believe their organizations (allocate) sufficient resources to secure and protect critical Web applications.” -Ponemon Institute State of Web Application Security
“34% of urgent vulnerabilities are not fixed.” -Ponemon Institute State of Web Application Security
“38% believe it would take more than 20 hours of developer time to fix one vulnerability.” -Ponemon Institute State of Web Application Security
“55% of respondents believe developers are too busy to respond to security issues.” -Ponemon Institute State of Web Application Security
“Proactive organizations spend more than twice the amount on application security than non-proactive organizations (25% vs 12% of the total IT security budget)” -Ponemon Institute State of Web Application Security
To be perfectly frank, we haven’t spent much time with exploit kits, since they seem to be the stomping grounds of virtually every security vendor with a research arm these days. That said, we thought it would be fun. Thus, we took a look at one of the up-and-comers in the exploit kit market, the Blackhole Exploit Kit. Currently the Blackhole Exploit Kit accounts for 7.7% of the domains listed in the Malware Domain List housed at the aptly named http://malwaredomainlist.com. Which of course means that the Blackhole Exploit Kit is not on the level of Zeus or SpyEye yet, but it is certainly a player in the game.
In order to take a look at Blackhole, we identified an active site by testing out different blacklists (lots of false positives on those lists) and began to observe. The first thing that we noted was that the site utilized some pretty distinct obfuscation, and that the obfuscation changed roughly every 24 hours. When the code was deobfuscated it was clear that we were dealing with an exploit against a Java vulnerability. Within 24 hours we saw that attack change to target an MDAC vulnerability from 2006, specifically CVE-2006-0003. Moreover, the obfuscation technique was good enough that it bypassed all the AV and IPS engines we tested it against. One of the less sophisticated obfuscation techniques can be seen below, but first let’s take a look at the obfuscated string (which is ugly).
Figure 1: Obfuscated Code
Figure 2: Deobfuscation Script
How This Works
1. The deobfuscation is set up as a function called “g”, which is obvious.
2. The variable md is set to equal “a”.
3. The variable d (which holds the obfuscated code) is split on the letter “v”.
4. The variable “s” is initialized (this will hold the decoded output).
5. Next, a loop to further deobfuscate the chunks contained in “d” is set up.
6. Next, “q” is set to d.length minus the position (i) of the chunk being deobfuscated, minus 1, mod 2, plus 1.
7. The variable c is set to the value of the chunk in d at position i multiplied by q.
8. The variable f is set to the first part of fromCharCode.
9. s is appended with fromCharCode(c).
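The nine steps above, re-implemented as an added analyst-side decoder (this is not the kit’s own script from Figure 2, which is not reproduced on this page). Assumptions: each “v”-separated chunk is a decimal character code, step 6 reads as q = ((d.length - i - 1) % 2) + 1, and the 0c0d NOP sled mentioned in the next paragraph appears in decoded output in the common unescape("%u0c0d…") form; the sample strings are constructed for this example.

```javascript
// Steps 1-9 from the write-up: split the obfuscated string on "v", then for
// each chunk compute q from its distance to the end of the array (alternating
// 2 and 1, with the last chunk getting 1), multiply the chunk's numeric value
// by q, and append the resulting character. Step 2 (md = "a") plays no part
// in the decode itself and is omitted.
function deobfuscate(obfuscated) {
  const d = obfuscated.split("v");                 // step 3
  let s = "";                                      // step 4
  for (let i = 0; i < d.length; i++) {             // step 5
    const q = ((d.length - i - 1) % 2) + 1;        // step 6 (assumed grouping)
    const c = Number(d[i]) * q;                    // step 7
    const f = String.fromCharCode;                 // step 8
    s += f(c);                                     // step 9
  }
  return s;
}

// Triage helper for the decoded output: a heap spray built for this kit's
// MDAC exploit fills memory with the 0x0c0d NOP sled, which shows up in the
// decoded script as repeated "%u0c0d" handed to unescape(). Counting those
// gives a cheap indicator that the decode produced a spray rather than a
// redirect or a benign page.
function heapSprayIndicators(decodedCode) {
  const sledCount = (decodedCode.match(/%u0c0d/gi) || []).length;
  const usesUnescape = /unescape\s*\(/.test(decodedCode);
  return {
    sledCount,
    usesUnescape,
    likelySpray: usesUnescape && sledCount >= 4, // threshold is an assumption
  };
}

// Constructed sample input: encodes the harmless string "var b=2;" with the
// scheme above (chunks at q == 2 positions hold half the character code).
const SAMPLE_OBFUSCATED = "59v97v57v32v49v61v25v59";

// Constructed sample of what a decoded spray fragment looks like (no exploit).
const SAMPLE_DECODED_SPRAY =
  'var nop = unescape("%u0c0d%u0c0d%u0c0d%u0c0d%u0c0d%u0c0d");';

if (typeof require !== "undefined" && require.main === module) {
  console.log(deobfuscate(SAMPLE_OBFUSCATED));              // var b=2;
  console.log(heapSprayIndicators(SAMPLE_DECODED_SPRAY));   // likelySpray: true
}
```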
Regardless, the deobfuscated code looks like the below:
One will note the 0c0d, which is used in the heap spray as a NOP sled for the shellcode that follows it. The shellcode, which can be seen below, is known as
As was mentioned, the exploit on this site changes roughly every 24 hours. At first it was merely the obfuscation technique that changed; however, after further observation, the actual exploit began targeting different vulnerabilities, specifically MDAC via CVE-2006-0003.
Snort Signatures Triggered
This particular piece of code will trigger two Snort signatures, namely:
1. Possible Request for Blackhole Exploit Kit Landing Page – src.php?case=
2. Current_Events Driveby Blackhole – Landing Page Received – Applet and Flowbit