The NSA needs your updates

(Please note that this is a translation of the Spanish post, and that 28th December is in Spain the equivalent of April Fools' Day, so this news was just a joke.)

Although this finding is little more than 12 hours old (it appeared yesterday in some Chinese media), it has not taken long to spread through the specialized US media. Among others, Ars Technica, Bruce Schneier, Wired and Dan Kaminsky have published brief reviews commenting on the recent findings made by Lian Li and Huan Chen, Chinese researchers from Peking University.

Apparently, it all began at the end of 2013, while Li and Chen were performing forensic analysis on three compromised computers. Analyzing the different Adobe update packages stored on the computers (suspected to be the infection vector), they noticed that all of them had a similar structure: the update package itself plus an encrypted data block C1 that ranged from 65536 bytes to several MB.

[Read more…]

Solving ‘heap’ from defcon 2014 qualifier with r2

This article introduces r2 by solving a simple CTF challenge from the Defcon '14 qualifier on Linux. For those who do not know it, radare2 is a unix-like reverse engineering framework and set of command-line tools; the most important thing about it is that it is open source, so we can play with it.

Radare2 lets us do reverse engineering and more for free, as we will see in this post, although we are not going to go too deeply into the commands. I leave that as an exercise for the reader.

Most people complain about the lack of documentation for r2, but that is far from the truth. Radare has:

  • An open-source book to which anyone can contribute.
  • Talks.
  • Asciinema recordings showing usage examples.
  • Built-in help: append ? to any command in r2's console and you get a short description.
  • A blog.
  • An IRC channel on freenode.net, #radare.
  • Last but not least, the source code.

[Read more…]

Unveiling Nuclear EK (IV)

(See parts I, II and III of this series)

In the previous post we managed to obtain the original SWF, but discovered that the exploit is embedded in a ByteArray. Will we be able to obtain it?

First of all, we must extract the contents stored in the ByteArray. To do this we need a desktop Flash decompiler: Adobe SWF Investigator (it's free!). Once installed, we open the last file obtained, uncompressed_exploit.swf, go to "Tag Viewer" and select "DefineBinaryData" among all the tags. Then we save it by clicking "Dump to file" and naming it, for example, "dump_exploit.bin".
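What SWF Investigator's "Dump to file" does can also be scripted. The following is an added example, not code from the original post or from Adobe's tool: it walks the tag list of an uncompressed (FWS) SWF following the RECORDHEADER layout of the SWF specification and returns the payload of every DefineBinaryData tag (code 87), which is the blob that ends up as dump_exploit.bin. The sample SWF, the nested SWF inside it and the function names are constructed here for illustration.

```python
import struct

# SWF tag codes used below (from the SWF file format specification)
TAG_END, TAG_SHOW_FRAME, TAG_FILE_ATTRIBUTES, TAG_DEFINE_BINARY_DATA = 0, 1, 69, 87


def iter_tags(swf: bytes):
    """Yield (code, payload) for each tag of an uncompressed (FWS) SWF.

    Header: "FWS", version (1), file length (UI32 LE), RECT (bit-packed, the
    first 5 bits give the width of its four fields), frame rate (UI16) and
    frame count (UI16).  Each tag starts with a UI16 RECORDHEADER: tag code in
    the top 10 bits, length in the low 6 bits; 0x3F means a UI32 length follows.
    """
    if swf[:3] != b"FWS":
        raise ValueError("expected an uncompressed (FWS) SWF; decompress CWS/ZWS first")
    nbits = swf[8] >> 3                       # RECT field width
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4    # skip RECT, FrameRate, FrameCount
    while pos + 2 <= len(swf):
        hdr = struct.unpack_from("<H", swf, pos)[0]
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:                    # long form
            length = struct.unpack_from("<I", swf, pos)[0]
            pos += 4
        if pos + length > len(swf):
            raise ValueError("tag %d (%d bytes) runs past end of file" % (code, length))
        yield code, swf[pos:pos + length]
        pos += length
        if code == TAG_END:
            return


def extract_binary_data(swf: bytes) -> dict:
    """Return {character_id: data} for every DefineBinaryData tag.

    Payload layout: Tag (UI16 character ID), Reserved (UI32, zero), Data.
    """
    blobs = {}
    for code, payload in iter_tags(swf):
        if code == TAG_DEFINE_BINARY_DATA and len(payload) >= 6:
            char_id = struct.unpack_from("<H", payload, 0)[0]
            blobs[char_id] = payload[6:]
    return blobs


def _tag(code: int, payload: bytes) -> bytes:
    """Constructed helper: encode one tag with the long RECORDHEADER form."""
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_sample_swf(embedded: bytes, version: int = 10) -> bytes:
    """Constructed sample (no exploit inside): an FWS whose single
    DefineBinaryData tag (character ID 1) carries `embedded`."""
    rect = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"        # 550x400 twips, Nbits=15
    body = (rect + b"\x00\x18" + b"\x01\x00"                # 24 fps, 1 frame
            + _tag(TAG_FILE_ATTRIBUTES, b"\x08\x00\x00\x00")
            + _tag(TAG_DEFINE_BINARY_DATA, struct.pack("<HI", 1, 0) + embedded)
            + _tag(TAG_SHOW_FRAME, b"")
            + _tag(TAG_END, b""))
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


if __name__ == "__main__":
    # Nest a second (constructed) SWF inside the first, as the post's sample did.
    inner = b"FWS\x0a" + struct.pack("<I", 12) + b"\x00\x00\x00\x00"
    for cid, blob in extract_binary_data(build_sample_swf(inner)).items():
        print("DefineBinaryData id=%d, %d bytes, magic=%r" % (cid, len(blob), blob[:3]))
```

The parser deliberately refuses CWS/ZWS input: the tag walk only makes sense on the decompressed file obtained in the previous part, and the magic bytes of the extracted blob (here "FWS") are the first thing to look at, because a ByteArray that starts with a SWF signature is itself a Flash file to be analyzed in turn.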

[Read more…]

Unveiling Nuclear EK (III)

(See parts I and II of this series)

In the previous post we were about to find out why the proxy does not identify the Flash object as application/x-shockwave-flash. Let’s see.

(4) Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs

We extract the object Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs from Wireshark and check what type of file it is:

$ file Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs 
Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs: data

$ file --mime Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs 
Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs: application/octet-stream; charset=binary

$ hexdump Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs -n128 -C
00000000  5a 57 53 17 ad 23 00 00  3a 21 00 00 5d 00 00 20  |ZWS..#..:!..].. |
00000010  00 00 3b ff fc 8e 19 fa  df e7 66 08 a0 3d 3e 85  |..;.......f..=>.|
00000020  f5 75 6f d0 7e 61 35 1b  1a 8b 16 4d df 05 32 fe  |.uo.~a5....M..2.|
00000030  a4 4c 46 49 b7 7b 6b 75  f9 2b 5c 37 29 0b 91 37  |.LFI.{ku.+\7)..7|
00000040  01 37 0e e9 f2 e1 fc 9e  64 da 6c 11 21 33 ed a0  |.7......d.l.!3..|
00000050  0e 76 70 a0 cd 98 2e 76  80 f0 e0 59 56 06 08 e9  |.vp....v...YV...|
00000060  ca eb a2 c6 db 5a 86 7b  47 de 99 5d 68 76 38 16  |.....Z.{G..]hv8.|
00000070  bd 93 3c d3 d0 9e d3 55  63 5a da b0 db 27 e6 7c  |..<....UcZ...'.||
00000080
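The first three bytes of the dump, 5a 57 53 ("ZWS"), are the signature of an LZMA-compressed SWF (FWS is uncompressed, CWS is zlib-compressed), and a libmagic database without an entry for that signature reports plain data. As an added example, not code from the original post, the following script decodes the container header (the 17 bytes shown in the hexdump above are embedded as sample input) and rebuilds the uncompressed FWS file for all three variants. The ZWS body is a raw LZMA1 stream, so the properties from the header are handed to a raw decoder; the function names and the constructed round-trip sample are mine.

```python
import lzma
import struct
import zlib

# The first 17 bytes of the object from the hexdump above (header only: the
# compressed body is not on the page), used here to exercise header parsing.
PAGE_HEADER = bytes.fromhex("5a575317" "ad230000" "3a210000" "5d00002000")

COMPRESSION = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(buf: bytes) -> dict:
    """Decode the SWF container header.

    Common part: signature (3), version (1), uncompressed file length (UI32 LE,
    counting these 8 bytes).  ZWS adds the compressed length (UI32) and the
    5-byte LZMA properties: lc/lp/pb packed as (pb*5+lp)*9+lc, then the
    dictionary size (UI32 LE).
    """
    if len(buf) < 8 or buf[:3] not in COMPRESSION:
        raise ValueError("not a SWF (signature %r)" % buf[:3])
    info = {"signature": buf[:3].decode(), "version": buf[3],
            "uncompressed_len": struct.unpack_from("<I", buf, 4)[0],
            "compression": COMPRESSION[buf[:3]]}
    if buf[:3] == b"ZWS":
        if len(buf) < 17:
            raise ValueError("truncated ZWS header")
        props = buf[12]
        if props >= 9 * 5 * 5:
            raise ValueError("invalid LZMA properties byte 0x%02x" % props)
        info["compressed_len"] = struct.unpack_from("<I", buf, 8)[0]
        info["lzma"] = {"lc": props % 9, "lp": (props // 9) % 5, "pb": props // 45,
                        "dict_size": struct.unpack_from("<I", buf, 13)[0]}
    return info


def decompress_swf(buf: bytes) -> bytes:
    """Rebuild the plain FWS file (8-byte header + decompressed body)."""
    hdr = parse_swf_header(buf)
    body_len = hdr["uncompressed_len"] - 8
    if hdr["compression"] == "none":
        body = buf[8:]
    elif hdr["compression"] == "zlib":
        body = zlib.decompress(buf[8:])
    else:
        # ZWS carries a raw LZMA1 stream (no .lzma/.xz framing), so the
        # properties parsed from the header drive a raw decoder.
        comp = buf[17:17 + hdr["compressed_len"]]
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW,
                                    filters=[{"id": lzma.FILTER_LZMA1, **hdr["lzma"]}])
        body = dec.decompress(comp)
    if len(body) < body_len:
        raise ValueError("body is %d bytes, header promised %d" % (len(body), body_len))
    return b"FWS" + bytes([hdr["version"]]) + struct.pack("<I", hdr["uncompressed_len"]) + body[:body_len]


def build_swf(body: bytes, version: int = 23, compression: str = "lzma") -> bytes:
    """Constructed helper: wrap a SWF body in an FWS, CWS or ZWS container."""
    total = struct.pack("<I", 8 + len(body))
    if compression == "none":
        return b"FWS" + bytes([version]) + total + body
    if compression == "zlib":
        return b"CWS" + bytes([version]) + total + zlib.compress(body)
    lc, lp, pb, dict_size = 3, 0, 2, 1 << 20
    comp = lzma.compress(body, format=lzma.FORMAT_RAW, filters=[{
        "id": lzma.FILTER_LZMA1, "lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size}])
    props = bytes([(pb * 5 + lp) * 9 + lc]) + struct.pack("<I", dict_size)
    return b"ZWS" + bytes([version]) + total + struct.pack("<I", len(comp)) + props + comp


# Constructed stand-in for a SWF body (a real one starts with a RECT and tags).
SAMPLE_BODY = bytes(range(256)) * 4 + b"DefineBinaryData placeholder" * 8

if __name__ == "__main__":
    print(parse_swf_header(PAGE_HEADER))
    for kind in ("none", "zlib", "lzma"):
        assert decompress_swf(build_swf(SAMPLE_BODY, compression=kind))[8:] == SAMPLE_BODY
        print(kind, "round trip ok")
```

Running parse_swf_header on the bytes from the hexdump gives version 23, an uncompressed length of 9133 bytes, a compressed length of 8506 bytes and LZMA parameters lc=3, lp=0, pb=2 with a 2 MiB dictionary, which is exactly the information needed to turn the object into the uncompressed_exploit.swf analysed in the next part.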

[Read more…]

Unveiling Nuclear EK (II)

In the first part we obtained an example of the case we want to analyze. Having extracted the HTML files with Wireshark, we can start the analysis.

(1) index.php

[image 1]

Simple: it redirects to (2) http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/watch.php?kcppp=MTE3NzU5ODg2Nzk3NjRlY2M0MmJiNDk3M2NmZGVkM2Fl.

[Read more…]

Unveiling Nuclear EK (I)

When analyzing network traffic we often find patterns belonging to the already well-known Angler EK, Nuclear EK and Magnitude EK.

Normally sold on the black market, an Exploit Kit (EK) is a toolset that automates the exploitation of client-side vulnerabilities, targeting browsers and the plugins a website can invoke (Adobe Flash Player, Microsoft Silverlight, Adobe Reader, Java, etc.) to infect computers while their users browse the Internet, in what are called drive-by download attacks.

These patterns can be detected with Snort rules such as:

ET CURRENT_EVENTS Cushion Redirection
ET CURRENT_EVENTS Possible Nuclear EK Landing URI Struct T1
ET CURRENT_EVENTS Malvertising Redirection to Exploit Kit Aug 07 2014
ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014

[Read more…]

Yara for Incident Handling: a practical case

Yara is a project that has become more and more popular for incident handling, especially over the last year. It has been widely discussed on this and other blogs.

Here I am going to show a practical example of its use in incident handling triggered by ransomware. Over the last months there has been an increase in this type of malware which, in spite of the many warnings from those of us working in security and incident handling, is still having quite a big impact. Fortunately, in the most recent ransomware incidents I have been involved in, the compromise has only affected one user each time, which allowed us to focus more on the scope of the encrypted files than on identifying the machines that may have been compromised.

Extension identification

One of the first cases we were involved in was an incident with CTB-Locker. On this occasion a user reported a message appearing on his desktop informing him that his files had been encrypted and asking for a ransom to recover them. Once part of the incident had been contained by disconnecting the machine from the network and identifying it as the only one affected (let's not go into that here), we went on to determine which files had been encrypted and which ones could be recovered (we would never recommend paying the ransom).
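The step of deciding which files are encrypted can be partly automated. As an added example, not from the original post, here is a small triage script: it sniffs well-known file headers, computes the Shannon entropy of each file's head and flags headerless, high-entropy content, then counts the extensions of the flagged files so that the one the ransomware appended stands out as the scope list. The magic check runs first on purpose, because zip-based Office documents and JPEGs are compressed and look as random as ciphertext. The sample file set is constructed (".encrypted" is a placeholder, not CTB-Locker's real extension) and all function names are mine.

```python
import hashlib
import math
import os
from collections import Counter

# Magic bytes of formats ransomware commonly encrypts.  A file that still
# starts with its magic is intact; ciphertext has no recognizable header.
MAGIC = {
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc/xls/ppt)",
    b"PK\x03\x04": "zip (docx/xlsx/pptx/odt)",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and random data sit near 8.0
MIN_SIZE = 512            # entropy of tiny files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_magic(data: bytes):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def triage(name: str, data: bytes) -> dict:
    """Classify one file from its name and the head of its content.

    Magic first: compressed formats (zip-based documents, JPEG) have entropy
    as high as ciphertext but still carry their header.  Only headerless,
    high-entropy content is flagged as likely encrypted.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = sniff_magic(data)
    ent = shannon_entropy(data[:65536])
    if magic is not None:
        verdict = "intact"
    elif len(data) >= MIN_SIZE and ent >= ENTROPY_THRESHOLD:
        verdict = "likely-encrypted"
    else:
        verdict = "unknown"
    return {"name": name, "ext": ext, "magic": magic, "entropy": round(ent, 2), "verdict": verdict}


def encrypted_extensions(results) -> Counter:
    """Count the extensions of flagged files: the one the ransomware appended
    shows up as the outlier and becomes the scope list (and an indicator)."""
    return Counter(r["ext"] for r in results if r["verdict"] == "likely-encrypted")


def scan_tree(root: str):
    """Walk a share or home directory and triage each file (64 KiB read each)."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    yield triage(path, fh.read(65536))
            except OSError:
                continue


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


# Constructed samples: two intact documents, a text file, two encrypted files.
SAMPLES = {
    "report.docx": b"PK\x03\x04" + _pseudo_random(4092),
    "scan.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40,
    "notes.txt": b"meeting notes: review the backup schedule\n" * 60,
    "budget.xlsx.encrypted": _pseudo_random(4096),
    "photo.jpg.encrypted": _pseudo_random(2048),
}


def triage_samples() -> list:
    return [triage(name, data) for name, data in SAMPLES.items()]


if __name__ == "__main__":
    results = triage_samples()
    for r in results:
        print("%-24s %-26s %5.2f  %s" % (r["name"], r["magic"], r["entropy"], r["verdict"]))
    print("suspicious extensions:", dict(encrypted_extensions(results)))
```

On a real share, feed scan_tree() into encrypted_extensions(); the resulting extension and the list of flagged paths are what go into the recovery plan (restore from backup versus accept loss), and the extension is a natural candidate for a Yara or file-system watch rule on the rest of the estate.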

[Read more…]

Two-step authentication, or how to make it tough for a hacker

Two-step authentication is a protection mechanism well known among cyber security people, but not so well known among regular users. This article aims to explain it to everybody, as home users' accounts are more and more often targeted by attackers.

To access any service on a domain we need a unique user ID on it; this could be a nickname, an email address, an identity card number or an NI number, for example. This information identifies the user, but since it is not secret and anyone could know it, it does not confirm that the user is who they claim to be.

So the user needs to provide something else along with the user ID for the system to trust him or her and grant access. There are three kinds of authentication factors:

  • Something the user knows: a password, a PIN, a passphrase, etc.
  • Something the user has: a USB token, a security key, a smartcard, a code generator, etc.
  • Something the user is: a fingerprint, a retinal pattern, a DNA sequence, a signature, a face, a voice or another biometric identifier.

Traditional authentication methods, well known by everybody, combine a unique user ID with a password that only the user knows. But what happens if the password is intercepted or stolen by someone else? You will not find out on your own.

Two-step authentication is also known as two-factor authentication (2FA or TFA) and combines two of the factors listed above. The most typical scenario uses time-based one-time passwords (TOTP): the user must provide his or her password together with a one-time code that is only valid for a short window (usually 30 seconds) and is normally generated on a mobile phone. The phone must first be configured with a secret seed from which the codes are derived; the service keeps a copy of the same seed. An attacker who sniffs the password and the code gets little out of it, since the code expires almost immediately and a well-implemented server refuses to accept the same code twice. What the attacker would really need is the seed, but it never leaves the phone and the server, so passively intercepting the traffic does not reveal it. (An attacker who relays the stolen code to the real service within its window, as real-time phishing proxies do, can still get in once; the security keys described below are designed to close that gap.)

There are also scenarios where the temporary code is generated on the server side and sent to the user by text message or email.

You might think temporary codes are not convenient enough; if so, you can buy one of the security keys available on the Internet. They are small USB devices that hold a private key and prove possession of it by signing a challenge from the service, and they must be plugged into a USB port whenever you authenticate with your username and password. With FIDO U2F keys the signature is bound to the site's origin, so a phishing page cannot reuse it.

This is a very good technique to harden security and make things tough for attackers, but it is not 100% secure, as security usually breaks at the weakest link: the user. Kevin Mitnick tells in his biography, "Ghost in the Wires", that he managed to convince a network operator of a very important company to skip this protection by telling him he was an employee who had forgotten his smartcard.

You are probably eager to use Two-step authentication at this point, and you are wondering: Where can I use it?

It is available in more and more services, though unfortunately not yet in all of them. Some of the services offering it are Google, Dropbox, Facebook, PayPal, eBay and Twitter. You can find a table of services that offer this kind of authentication, and how they implement it, at https://twofactorauth.org/.

Summarizing, two-step authentication:

  • Reduces account theft by phishing (a code captured by a real-time phishing page can still be used once within its validity window; origin-bound security keys close that gap).
  • Defeats account theft by passive interception of the password, since the captured code expires and is not accepted twice.
  • Makes impersonation tougher.
  • Gives you something to talk about when your friends ask: what is that weird, geeky pendrive on your keyring? Then you can entertain them with what you have just read, or, even better, write your own article!

You can find some valuable information on MFA in this external resource: https://pixelprivacy.com/resources/two-factor-authentication/.

Taking apart office automation documents with OfficeMalScanner

One of the main routes of malware infection is through office documents. They are a very potent infection vector, especially in targeted attacks and phishing campaigns.

These documents are crafted to carry hidden macros, OLE objects, executables, etc., which, once the user opens the document, carry out a series of malicious actions to obtain information and profit from it, or simply to damage the system. Generally this kind of generic malware downloads other malware from the Internet (droppers), exploits system vulnerabilities, copies itself to persist on the system, exfiltrates user information, etc.

A very useful tool for analyzing and detecting anomalous patterns in office documents is the "OfficeMalScanner" suite, which you can download from the author's site, http://www.reconstructer.org/.
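The kind of check a scanner of this sort performs can be sketched in Python. The following is an added example, not OfficeMalScanner's code: it looks for an OLE2 or OOXML container, a vbaProject.bin stream name, two classic position-independent shellcode idioms (a PEB lookup through fs:[30h] and the call/pop trick to obtain EIP) and embedded PE images, validated through e_lfanew rather than by the "MZ" bytes alone, since "MZ" occurs by chance in many binaries. The sample document is constructed inline and the indicator names are mine.

```python
import re
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Byte patterns worth flagging inside a document blob.  The shellcode ones are
# classic x86 idioms:
#   64 A1 30 00 00 00 / 64 8B xx 30 00 00 00   mov r32, fs:[30h]   (PEB lookup)
#   E8 00 00 00 00 5x                         call $+5; pop r32   (get EIP)
PATTERNS = {
    "ole2_header": re.compile(re.escape(OLE_MAGIC)),
    "ooxml_zip": re.compile(rb"PK\x03\x04"),
    "vba_project": re.compile(rb"vbaProject\.bin"),
    "fs30_peb_access": re.compile(
        rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x35\x3d\x2d])\x30\x00\x00\x00"),
    "geteip_call_pop": re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),
}


def find_embedded_pe(data: bytes) -> list:
    """Offsets of plausible PE images: 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    hits = []
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def scan(data: bytes) -> list:
    """Return sorted (offset, indicator) pairs for everything found in `data`."""
    found = [(m.start(), name) for name, rx in PATTERNS.items() for m in rx.finditer(data)]
    found += [(off, "pe_image") for off in find_embedded_pe(data)]
    return sorted(found)


def _fake_pe() -> bytes:
    """Constructed stub: a DOS header whose e_lfanew (0x40) points at 'PE\\0\\0'."""
    return b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(60)


# Constructed sample: an OLE2 header, filler, then shellcode idioms and an
# embedded executable, the layout described above for malicious documents.
SAMPLE_DOC = (OLE_MAGIC + bytes(504)
              + b"\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c"   # mov eax,fs:[30h]; mov eax,[eax+0Ch]
              + bytes(16)
              + b"\xe8\x00\x00\x00\x00\x5b"               # call $+5; pop ebx
              + bytes(16)
              + _fake_pe())

CLEAN_DOC = OLE_MAGIC + bytes(1024)


if __name__ == "__main__":
    for off, what in scan(SAMPLE_DOC):
        print("0x%06x  %s" % (off, what))
```

Any hit beyond the container header is a reason to carve the region (the offset is the starting point for a disassembler or for extracting the PE) rather than a verdict on its own: a legitimate document can embed an executable, and packed or encoded shellcode will not show these idioms until it is unpacked.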

[Read more…]

Clearing up the complexity: Security for non-technicians

IT security is almost always complex, covering many different areas and creating the sensation of a technical equivalent of "doctors' handwriting".

Who hasn’t had a moment where two security technicians start talking about the “APT exploiting a XP kernel CVE and exfiltered by HTTP using 404 modifieds, and thank God the IDS caught it and we put up a deny in the firewall before it dropped a new version of the malware C2”.

If you’re a security technician you’re probably smiling at these lines, but if not, you probably haven’t understood a word of it. The problem is obvious: IT security is complicated, and communicating in IT security is even more complicated.

In my opinion, all of us IT security experts should work on our communication skills. We need to convince management to invest more time and resources in improving security, and convince users that security is necessary (for their own good, in many cases).

For that reason, I'd like to propose a list of books written by technicians in which several of the main IT security concepts are explained in a clear, simple and even enjoyable way.

“Secrets and Lies: Digital Security in a Networked World”, Bruce Schneier – Ed. Wiley

Schneier is one of the best popularizers of IT security around at the moment. As well as his IT security blog, he has published several books that treat in a simple way subjects such as risk, system protection, cryptography and even the trust on which society itself rests. All his books are interesting, but "Secrets and Lies" is the best. If your boss only has time to read one security book, let it be this one.

“The Code Book”, Simon Singh – Ed. Anchor

If there’s one field of IT security that’s particularly complicated that’s cryptography (I have the theory that “public key cryptography can only be understood the third time it’s explained”). However, Singh does a great job of perfectly explaining the most complex concepts of cryptography, all based on historic moments and full of anecdotes. A wondrous book.

“Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon”, Kim Zetter – Ed. Crown

Stuxnet is considered by many to be the first act of cyberwarfare in every sense: intention, sophistication and complexity are words that spring to mind when we think about a piece of malware that has possibly opened Pandora's box and will without doubt be studied in times to come. Zetter tells how it was detected, analyzed and eradicated in such a pleasant, almost addictive way that her account becomes a kind of techno-thriller.

“Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door”, Brian Krebs – Ed. Sourcebooks

Krebs is possibly the most famous journalist specializing in IT security in the world. On his blog he analyzes the most important IT security news critically but clearly. His book is a complete guide to cybercrime, telling us, with all the inside details, about the underworld of IT crime, from the spammers to how they launder the money they make.

“The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers”, Kevin Mitnick & William Simon – Ed. Wiley

Kevin Mitnick (aka "The Condor") is one of the best-known hackers in history, especially famous for his mastery of social engineering (or, as he calls it, "hacking people"). In this book, based on his own stories and those of other hackers of the time, he tells how several different security systems were overcome with few or no technicalities. The lateral thinking is very interesting: they attack certain problems by jumping over security in ways that are sometimes dumb but very effective.

“Inside Cyber Warfare”, Jeffrey Carr – Ed. O'Reilly

Cyberwarfare, cyberespionage, cybercrime… However tightly we close our eyes, they are still going to be there. Carr makes a very complete list of the problems we can find on the Internet, concentrating on how far different countries are capable of cyberwarfare, as well as the different scenarios and technologies in use. Although Carr is analytical and clear, far from trying to panic people, the fear the book puts into you as you read it is… unsettling.

There are plenty more "simple" books about IT security, but these are the ones I think are most representative. What about you? Do you have a bedside book for teaching non-technicians about IT security? Share it!