Friday, June 22, 2012

Computer Security: Training and Education

Today I want to spend a little time on an important concept in computer security: education. I will literally cite the Security and Privacy guest editors' introduction on what education is, what the difference is between training and education, and why it is so important in computer security.

As technology creators, providers, and users, we must answer significant questions to address these problems, for example:

How can we help individuals be good cybercitizens? In particular, how can we give them a clear understanding of both cybersecurity issues and how their personal choices affect cybersecurity?

Can building an effective cyberworkforce help users understand their responsibilities online and with computer-based technologies?

[...]

Some people are still wondering why computer security is such an important topic, or why there is a need for security online, or, even worse, say they "don't believe in computer security" (whatever that means)... Well, I believe this guest editors' introduction should be mandatory reading for every student and even for every "security skeptic" around the globe. It explains, using simple concepts and practical examples, why computer security is such an important topic in the current world and why security education is even more important, since it can affect citizens' behavior.


Another great lesson comes from the distinction between education and training. Training refers to learning concrete skills for meeting specific, real-life goals in a clearly understood situation. By contrast, education focuses on understanding and knowledge: learners can associate principles and concepts, apply them to solve a variety of new problems, and evaluate those solutions' effectiveness.

This is another huge and quite delicate topic: training, often represented by private companies and the private sector, versus education, often represented by universities and the whole academic world. These two entities, often in total disagreement with each other, share one of the most important topics related to computer security.


I do finally suggest this reading; even if it is not a technical one, it offers great cornerstones for fully understanding security education and security training: when each should occur, when and where one is most useful, and when and where the other is needed.


Saturday, June 2, 2012

A great analysis post on Flame string encryption

Hi folks,

It has been quite a long time since my last post, and I am sorry about that. I am in the middle of a rather long traveling period, so forgive me for slowing down my security posts a little. Today I'd like to share an interesting post written by SpiderLabs Anterior regarding a string deobfuscator using IDAPython.

Yes, it is about Flame too. I wasn't going to write about Flame, since everybody out here is talking about it, plus I had no time to analyze it personally, so unfortunately I have nothing to add to the enormous flock of posts on it :) (BTW, this paper is highly recommended).

The author, Josh Grunzweig, shows his path to finding out the obfuscation technique used in Flame. I think it is worth keeping in mind because it is perfect for didactic purposes. From the IDA graph he reproduced the following code. Every analyst should do this step!! I often skip it and try to solve it by patching the code or with pencil and paper, but doing it this way will save a lot of time in long-term analysis. I collect his main analysis below.

The function above is taking the obfuscated String as a parameter, and checking the sixteenth byte to determine if it is null. This byte is acting as a Boolean value to tell the function if the String has already been decoded. In the event that this byte is not set to null, or 0x00, another function is called, and the sixteenth byte is set to 0x00. Finally, the result of the String that was initially supplied as a variable, with an offset of +20, is returned. If I were a betting man, I'd suspect that the second function (named 'deobfuscate()' in the above Ruby code) is manipulating the data somehow. In order to find out, let's investigate what is going on.

If we look above, we can see that this new function is supplied two arguments: the 'obfuscated_string' variable with an offset of +20, as well as the eighteenth byte in 'obfuscated_string'. So this function appears to call a third function (last one, I promise), and proceeds to subtract the resulting number from the specific character in the string before replacing it. So if we were looking at the first byte (0xA7), and the third function returned 0x82, we would get the following:

0xA7 - 0x82 = 0x25 ("%")

Great job Josh, and thank you for sharing it!
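To make the three-function structure described above concrete, here is an added Python model of the decoding routine; it is not Josh's IDAPython/Ruby code and not Flame's real key derivation. The offsets (flag at +16, length at +18, payload at +20) and the per-byte key function are assumptions, chosen only so that the first byte reproduces the worked value 0xA7 - 0x82 = 0x25.

```python
# Constructed model of the Flame-style string decoder (added example, not the
# original post's code). Layout assumptions taken from the write-up's "+16/+18/+20":
#   byte 16   : "already decoded" flag, non-zero until decoding has run
#   byte 18   : length of the encoded payload (assumed meaning of the 18th byte)
#   byte 20.. : the encoded payload itself
FLAG_OFF, LEN_OFF, DATA_OFF = 16, 18, 20


def key_for_index(i: int) -> int:
    """Stand-in for the third (key) function. The real derivation is not given
    in the write-up; this constructed one only yields 0x82 for the first byte."""
    return (0x82 + 0x0B * i) & 0xFF


def deobfuscate(payload: bytes, key_func=key_for_index) -> bytes:
    """Second function: subtract the per-byte key from each byte, modulo 256."""
    return bytes((b - key_func(i)) & 0xFF for i, b in enumerate(payload))


def decode_string(obj: bytearray, key_func=key_for_index) -> bytes:
    """First function: decode in place once, clear the flag, return payload at +20.

    A second call finds the flag cleared and returns the already decoded bytes
    instead of subtracting the key again."""
    length = obj[LEN_OFF]
    if obj[FLAG_OFF] != 0x00:
        decoded = deobfuscate(bytes(obj[DATA_OFF:DATA_OFF + length]), key_func)
        obj[DATA_OFF:DATA_OFF + length] = decoded
        obj[FLAG_OFF] = 0x00
    return bytes(obj[DATA_OFF:DATA_OFF + length])


def obfuscate(plain: bytes, key_func=key_for_index) -> bytearray:
    """Inverse transform, used here only to build a constructed sample object."""
    obj = bytearray(DATA_OFF + len(plain))
    obj[FLAG_OFF] = 0x01
    obj[LEN_OFF] = len(plain)
    obj[DATA_OFF:] = bytes((b + key_func(i)) & 0xFF for i, b in enumerate(plain))
    return obj


if __name__ == "__main__":
    sample = obfuscate(b"%s.tmp")        # constructed plaintext, not a Flame string
    assert sample[DATA_OFF] == 0xA7      # '%' (0x25) + 0x82 == 0xA7, the worked example
    print(decode_string(sample))         # b'%s.tmp'
    print(decode_string(sample))         # same bytes: the flag prevents a double decode
```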