Thursday, April 3, 2014

Malware Writers.

I am not used to reporting malware analyses made by "big security companies", since they are easy to find in plenty of media. Linking such reports on my blog is useless because many of my readers would probably read those feeds before my blog. However, today I'd like to share a pretty nice article written by Symantec titled: Simple njRAT Fuels Nascent Middle East Cybercrime Scene. The described malware ("njRAT") is an old and simple malware already well described in reports 1009 and 1010 by General Dynamics. The malware can be traced back to a hacking team called "STTEAM" (2013), one of the latest-born Middle East hacking teams. For the time being, the latest malware build and its own C&C can be found on the "official" njRAT website (high risk of infection on that site). Underground sources assert that one of the main .NET developers behind njRAT is called "Zehir" (already known for a revisited version of the ancient "asp shell").

Image taken from here.

Beside the technical notes (if you are interested in the "bits and bytes" regarding this specific topic, please refer to reports 1009 and 1010 by General Dynamics), what is interesting about this malware is its geolocation. It has been developed in the Middle East and it is spreading across most of the Middle East and North Africa regions, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya, as the image shows.
Quoting the Symantec report:
"The main reason for njRAT’s popularity in the Middle East and North Africa is a large online community providing support in the form of instructions and tutorials for the malware’s development. The malware’s author also appears to hail from the region. njRAT appears to have been written by a Kuwait-based individual who uses the Twitter handle @njq8. The account has been used to provide updates on when new versions of the malware are available to download."
I am deeply fascinated by the fast paradigm change in malware distribution. A few years ago malware writers would never make their email address and/or Twitter account public, even fake ones; nowadays malware writers leave their signature on what they deliver without caring too much about identity protection. Thanks to their uncovered traces it is possible to profile them: where they are from, which programming language they prefer, what malware they have already written, what their favorite targets are, what websites they read, and so forth. From my personal point of view this behavior is due to the latest hiring fashion (namely: hire a hacker!), which makes hackers heroes. Let's think about it and about how fast the malware world is growing up.

Tuesday, April 1, 2014

Cloud Security: Infographics

In the last 2 years I've been working mostly with private companies. Since "computer security" is often not the company's main business (in fact, for many companies computer security is just a kind of "utility"), because it belongs to a different, often not even digitalized, world, having a survey of what they think about "security" is always a welcome help. The following infographic, made by PerspecSys, is a nice, concise and good-looking survey of what 130 security professionals from the RSA conference think about cloud security in the companies they serve.

Cloud Security Opinion

Cloud Security graphic by PerspecSys

Saturday, March 8, 2014

Managing and Writing

Today I simply want to share on my diary a great picture of my working day (this picture is a screen capture of a double monitor running a project in Node.js). This picture represents an amazing security project finally ready for its first public release and... the desire of writing "amazing code".

You will never have enough time to write the "perfect code" (whatever definition you give to "perfect code"). It doesn't matter whether you are working with Agile programming, Extreme Programming, RAD (Rapid Application Development), waterfall, prototype development or spiral development: the time you have to build your amazing applications will be money driven and so, quite often, you will need to deal with timing issues.
But the great news is that nobody wants you to write the perfect code. What you have to do is improve your code step by step and write the best code for the time being.

Wednesday, February 12, 2014

When Fun Comes to Crypto

Today I found some notes on my desk about the last Chaos Computer Club Congress (CCC) in 2013. Since they are pretty funny to me, I decided to share them with you.
Researchers, as reported at 29C3, were able to collect over 3 million certificates with their public keys. So far nothing interesting at all... They were able to factorize 103 keys out of the 3 million collected by using the famous GCD integer factorization algorithm (computing the GCD between moduli so that a prime shared by two keys pops out):

Ok, again a pretty standard process so far, right? Now comes the funny part of this story. Researchers found out that a number of prime numbers were repeatedly reused as shared factors to build different keys over time!!! The following images represent the most commonly shared factors:

OMG. Of course they are prime... and... of course they are random... but come on! Seriously?!
Another clear example of how reality does not fit the theory. Thanks to such a gap (reality vs. theory) security researchers will always have work to do to keep a safe "cyber reality".
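To make the GCD trick above concrete, here is an added example of my own (not code from the talk or from the researchers). It builds a handful of toy RSA moduli from constructed 5-digit primes, two of which are deliberately reused across keys, and recovers the factors of every key that shares a prime with another one. The batch step computes gcd(N, (P / N) mod N) against the product P of all moduli, a simplified form of the batch-GCD idea (the real run over millions of keys uses product and remainder trees); when a modulus shares both of its primes with other keys that gcd degenerates to N itself, so the code falls back to pairwise gcds for that case.

```python
import math

# Constructed toy primes (5 digits, NOT real key material) used to build sample moduli.
# P1, P2 and P4 are deliberately reused across moduli, mimicking the shared-factor flaw.
P1, P2, P3, P4, P5, P6, P7 = 10007, 10009, 10037, 10039, 10061, 10067, 10069

SAMPLE_MODULI = [
    P1 * P2,   # shares P1 with the second modulus and P2 with the fourth
    P1 * P3,   # shares P1
    P4 * P5,   # shares P4 with the fourth modulus
    P2 * P4,   # shares BOTH of its primes with other keys
    P6 * P7,   # unique primes: must NOT be factored
]


def batch_gcd(moduli):
    """Return gcd(N, product of all other moduli) for every N, in list order.

    A prime shared by two keys survives in the product of the other moduli, so the
    gcd reveals it. Reducing (P // N) modulo N keeps the operand small; the real
    batch-GCD tool uses product/remainder trees to do this for millions of keys.
    """
    total = math.prod(moduli)
    return [math.gcd(n, (total // n) % n) for n in moduli]


def find_shared_factors(moduli):
    """Map each modulus that shares a prime with another key to its recovered factors.

    For a two-prime modulus N = p*q the batch gcd is 1 (nothing shared), p or q (one
    prime shared) or N itself (both primes shared). The last case carries no
    information by itself, so it falls back to pairwise gcds against the other keys.
    """
    recovered = {}
    for n, g in zip(moduli, batch_gcd(moduli)):
        factors = set()
        if 1 < g < n:
            factors.update((g, n // g))
        elif g == n:
            for m in moduli:
                # an identical modulus is a duplicated key, not a shared factor: skip it
                d = math.gcd(n, m) if m != n else 1
                if 1 < d < n:
                    factors.update((d, n // d))
        if factors:
            recovered[n] = sorted(factors)
    return recovered


if __name__ == "__main__":
    for n, factors in find_shared_factors(SAMPLE_MODULI).items():
        print(f"N={n} is broken: factors {factors}")
```

Run against your own certificate inventory this is a cheap audit: any modulus that ends up in the result shares a prime with another key and its private key is recoverable by anybody holding the same set of public keys, so it needs to be rotated and the entropy source of the generating device investigated.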

Here is the video of the talk: (link to direct file)

Monday, January 6, 2014

Hacking through image: GIF turn

In one of my previous posts I described a way to hack through images. That time I showed how a valid BMP file could be a valid JS file as well, hiding JavaScript operations. Today it's time to describe how this attack works with a more common web file format: .GIF. Ange commented on my previous post, pointing me to his great work on the topic. I recommend having a look at his study (here). Following is my quick 'n dirty Python implementation of the technique.

The following HTML page wants to parse a GIF file and a JavaScript file which happen to be the same file: 1.gif_malw.gif. Theoretically the file should be either a valid GIF file or a valid JavaScript file. Could it be a valid JavaScript file and a valid image file at the same time? The answer should be NO. But by properly forging the file the answer is YES, it is. Let's assume we have the following HTML page.

Browsing this file you'll find out this result:

As you can see, both tags (img and script) are successfully executed. The img tag is showing the black GIF file and the script tag is doing its great job by executing JavaScript (alert('test')). How is it possible? The following image shows one detail of the dirty code that generates the beautiful GIF file.

This is not magic at all. This is just my implementation of the GIF parsing bug many libraries have. The idea behind this Python code is to build a valid GIF header containing \x2F\x2A (aka /*) and then close the end of the image with \x2A\x2F (aka */). Before injecting the payload you might inject a simple expression like "=1;" or the most commonly used "=a;" in order to turn the whole GIF block into a variable assignment. The following image shows the first part of a forged GIF header that exploits this weakness.

After having injected the "padding" chars (in this case I call padding the '=a;' characters, which are useful to the JS interpreter) it's time to inject the real payload. The small script I've written automates this process and you can run it in a really easy way:
Run it as: -i image.gif "alert(\"test\");"

Don't forget, you might want to use obfuscators to better hide your JavaScript, like the following example:

python -i 2.gif "var _0x9c4c=[\"\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\",\"\x0A\",\"\x4F\x4B\"];var a=_0x9c4c[0];function MsgBox(_0xccb4x3){alert(_0xccb4x3+_0x9c4c[1]+a);} ;MsgBox(_0x9c4c[2]);"

If you want to check and/or download the code click here.
Enjoy your new hackish tool!
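From the defender's side, the layout described in this post is easy to spot: the two width bytes of the logical screen descriptor right after the "GIF89a" signature spell "/*", a "*/" closes the comment further on, and the bytes after it start with the "=a;" / "=1;" padding. The following scanner is an added example of mine, not the script from this post; the GIF parsing follows the public GIF89a layout (6-byte signature, then little-endian 16-bit width and height), and the two byte strings it is run against are constructed fixtures, not the files shown above.

```python
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
JS_COMMENT_OPEN = b"\x2F\x2A"   # "/*"
JS_COMMENT_CLOSE = b"\x2A\x2F"  # "*/"
HEADER_LEN = 13                  # signature (6) + logical screen descriptor (7)


def parse_gif_header(data):
    """Return (signature, width, height) from the GIF header, or None if not a GIF."""
    if len(data) < HEADER_LEN or data[:6] not in GIF_SIGNATURES:
        return None
    # Logical screen descriptor: width and height are little-endian 16-bit values.
    width, height = struct.unpack_from("<HH", data, 6)
    return data[:6], width, height


def scan_gif_for_js_polyglot(data):
    """Heuristic check for the GIF/JavaScript polyglot shape described in the post.

    Signals, weakest to strongest:
      * the width bytes right after the signature spell "/*" (width == 0x2A2F == 10799);
      * a closing "*/" appears somewhere after the header;
      * the bytes following "*/" start with "=", i.e. the padding that turns
        'GIF89a/* ... */' into an assignment a JS engine will evaluate.
    """
    header = parse_gif_header(data)
    if header is None:
        return {"is_gif": False, "suspicious": False}
    signature, width, height = header
    opens_comment = data[6:8] == JS_COMMENT_OPEN
    close_at = data.find(JS_COMMENT_CLOSE, HEADER_LEN)
    tail = data[close_at + 2:close_at + 40] if close_at != -1 else b""
    has_assignment = tail.lstrip().startswith(b"=")
    return {
        "is_gif": True,
        "signature": signature.decode("ascii"),
        "width": width,
        "height": height,
        "comment_opener_in_width": opens_comment,
        "comment_close_offset": close_at,
        "tail_after_close": tail.decode("latin-1"),
        "suspicious": opens_comment and close_at != -1,
        "high_confidence": opens_comment and close_at != -1 and has_assignment,
    }


# --- constructed test fixtures (not the files from the post) --------------------
# A minimal benign 1x1 GIF: header, 2-entry global colour table, one image block, trailer.
BENIGN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00"
    + b"\x00\x00\x00\xFF\xFF\xFF"
    + b"\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    + b"\x02\x02\x44\x01\x00" + b"\x3B"
)

# The polyglot layout: width bytes are "/*", some image data, then "*/=a;" and a script.
# Only the byte layout matters to the detector; this is not a rendered image.
POLYGLOT_SHAPED_GIF = (
    b"GIF89a" + JS_COMMENT_OPEN + b"\x01\x00" + b"\x80\x00\x00"
    + b"\x00\x00\x00\xFF\xFF\xFF"
    + b"\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00"
    + JS_COMMENT_CLOSE + b"=a;alert(\"test\");" + b"\x3B"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_GIF), ("polyglot-shaped", POLYGLOT_SHAPED_GIF)):
        print(name, scan_gif_for_js_polyglot(blob))
```

A width of 10799 pixels is legal, so the first signal alone is not proof; the closing sequence plus the "=" tail is what raises confidence, and a hit is worth a look at whether the same URL is also referenced from a script tag. The structural fix on the serving side is to deliver uploaded images with their real Content-Type and the X-Content-Type-Options: nosniff header, which makes browsers refuse to execute a non-JavaScript MIME type as a script, and never to let a user-controlled file URL end up in a script src.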

Saturday, January 4, 2014

NSA Technology

In 4 weeks I received from five to seven emails (I don't remember the exact number) asking my opinion about the NSA leaks. It's "hard" to talk about the spying situation happening around us, so I won't express my personal opinion on it, but I am going to share some simple questions that come to my mind while thinking about it.

According to many sources (just a couple of them, here and here) the NSA developed an arsenal of super secret electronic weapons able to spy on computers, networks, routers, firewalls and so on. But if you are an avid reader you'll probably notice that all those weapons are almost 10 years old. Let's, for instance, focus on the PICASSO GSM HANDSET. The following image is taken directly from the leaked PICASSO GSM HANDSET documents.
The mobile phones used to describe the project are 2 generations old. They were made at the beginning of the 2000s. Why would the NSA use old mobile phones to describe a super advanced technology? Maybe because the described technology was developed almost 10 years ago..?

Again, let's focus on the NIGHTSTAND Wireless Exploitation project. The following image is taken directly from the leaked NIGHTSTAND Wireless Exploitation document. The PC you see in the black box belongs to a "previous netbook PC era". The monitor size recalls pretty old technology (modern PCs no longer have square 1:1 monitors). Nowadays they would probably use a tablet or, even better, a smartphone.

Again, let's focus on what is written in the following leaked document:
VALIDATOR is a small Trojan implant used as a back door against a variety of targeted Windows box from Windows 98 through Windows Server 2003.
The following image shows the leaked VALIDATOR description:
The question rising in my mind is pretty straightforward:

"If 10 years ago NSA owned such a technology, what could own right now ?"

Now, let's assume the NSA is one of the most powerful organizations in SIGINT and/or one of the biggest organizations in the world owning advanced technology. The NSA is a secret agency. A secret agency is great at its job if it "remains secret". We know that almost every nation/state on earth owns a secret agency. We also know that such a kind of technology is a reality (we do have proof, right?).

"How can we assert that the NSA is the best security agency in the world?"
"Do those leaks come from the NSA because it is not the best secret agency in the world?"
If so, are there any other big secret agencies in the world even more powerful than the NSA? If so, what about the technology owned by the biggest and best secret agency in the world?

Those questions do not express any personal opinion; they are just doubts and questions still open in my mind. If any of you has some kind of answer and/or wants to share your own thoughts, you are very welcome (please add comments, not emails).

Sunday, December 29, 2013

Good Readings

During the past months I received, through my blog, requests on what to read during the winter holidays. I decided to publish a little list of some of the books (yes, I wrote "some" and not "all") that have been really useful for my career and which I would totally suggest to everybody interested in this field.

The following list is: incomplete (meaning I had to choose some of my favorite books due to the time limit in post writing), "time dependent" (meaning that in a few years from now the current titles could change due to new editions and/or the books might be outdated), and totally subjective (meaning that I did not read all the "Sec Readings" out there, so there could be amazing books that I am not aware of).

  1. Modern Operating Systems (Andrew S. Tanenbaum). This book will give you an entire vision of the complexity behind operating systems. It will give you practical examples of how to program them and how to build structured systems from "Ring 0 to Ring 3". This is the basic reading for everybody interested in computer security.
  2. Computer Security: Art and Science (Matt Bishop). This book is considered a milestone in computer security. Matt Bishop explains the basic security concepts and approaches of computer security (from definitions to cryptography, walking through security mechanisms). This is the second step for everybody interested in this field.
  3. Principles of Concurrent and Distributed Programming (M. Ben-Ari). Understanding concurrent and distributed programming can be quite hard, but M. Ben-Ari, in my opinion, makes it easy and very accessible. Nowadays many vulnerabilities are caused by poor implementation of concurrency principles. Understanding them would make you a better "security man".
  4. Penetration Testing and Network Defense (Whitaker and Newman). It might sound a little outdated (2005). But it really is not. Well, actually it is, if you consider the penetration testing "technicalities" they suggest, but from this book you won't take the "technicalities" (technical details), you want to take the "method" they use. The approach they introduce in this book is still very current.
  5. OSSTMM by ISECOM. This is one of the most famous methodologies used to perform security testing (no, I have not written penetration testing). If you feel the need to learn more about methodologies (why will you need methodologies? You will need them once you are eventually called to manage a "Security/Hacking Team"), you might find in my book ("A design methodology for computer security testing") a good guide.
  1. The Web Application Hacker's Handbook (Stuttard, Pinto). This book covers a vast area of web application pen-testing. It provides a "bite" of almost everything you might find on the web. It's a great starting point, giving you all the weapons you need to get out firing. You will need further studies to become a real web tester pro.
  2. The Tangled Web (Zalewski). This book is mostly focused on web programmers; it covers many good practices and explains lots of basic concepts behind the web. If you need to write a web app you probably want to have a quick look at it. If interested, have a look at my full review.
  3. Programming From the Ground Up (J. Bartlett). Super boring, but really important. I personally have tried to read it as a book, but I failed. Instead I used it as a manual from time to time.
  4. IDA PRO (Chris Eagle). From 0 to whatever you need to know about reverse engineering. This would be a "cutting edge" book if you already have the fundamentals on your "shoulders".
  5. The Shellcoder's Handbook: Discovering and Exploiting Security Holes (C. Anley). Almost everything you need to know about modern exploitation techniques. This book will give you all the sugar you need to be effective in the art of exploitation.
  6. A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security (T. Klein). A really good read. It provides a lot of real examples of how Tobias discovered some pretty nasty vulnerabilities. If interested, have a look at my full review.
  7. Metasploit: The Penetration Tester's Guide (D. Kennedy). When you need automation and you cannot afford manual and specific testing, this book provides a great detailed view of how to use one of the "de facto standard" penetration testing tools.
  8. Practical Cryptography (Niels Ferguson and Bruce Schneier). I added only one book on cryptography to my list. I chose that one because it explains cryptography as an engineering discipline and not as a mathematical science. This is fundamental for us who need to work in the hard real world rather than in mathematical abstractions.
Managing a Security/Hacking group:
  1. The Mythical Man-Month: Essays on Software Engineering, Anniversary Edition (Frederick P. Brooks Jr). When you need to manage a group of super skilled people (Security Team/Hacking Team), this book will be a great starting point.
  2. The Pragmatic Programmer: From Journeyman to Master (Andrew Hunt, David Thomas). This is the so-called "evergreen" book. Everybody should read it, whether you are a manager or not.
  3. Agile Software Development, Principles, Patterns, and Practices (Robert C. Martin). Even if in your practical life you will be using Extreme Programming as your main "testing" and/or "development" methodology, you should know how to guide a group of people into the Agile Software Development methodology; this book shows you well how to follow this way.
  4. Getting Things Done: The Art of Stress-Free Productivity (David Allen). Another best seller. No description needed for the great book by David Allen.
  5. Impro: Improvisation and the Theatre (Keith Johnstone). When you start to focus on managing people rather than machines you will learn that humans are way more complex than "stack pointers" or "spray the heap"; you will need to do one thing you won't do as a "pragmatic programmer": you will need to improvise!
Do those books describe everything you need to know in order to be a great hacker/Security Engineer? Unfortunately no, not at all. Those books are only a small part of what you will need to learn. But don't worry, you do not need to read more books... what makes the difference is the experience. So get out there and start to get practice.