SecuraBit Episode 80: Our 8080 Episode

SecuraBit Episode 80:  Our 8080 Episode
April 20, 2011

Hosts:
Anthony Gartner – @anthonygartner http://anthonygartner.com
Christopher Mills – @thechrisam
Andrew Borel –  @andrew_secbit
Tony Huffman – @myne_us
Dan Mitchell – @danmitchell

Guests:
int80 – @dualcoremusic
DualcoreMusic

General topics:
http://dualcoremusic.com/nerdcore/
http://www.youtube.com/watch?v=CMNry4PE93Y

NEWS:

Patch Tuesday April 2011 64 patched:
http://www.microsoft.com/technet/security/current.aspx
http://isc.sans.edu/diary.html?date=2011-04-11

Oracle Critical Patch Update Advisory – April 2011
http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

Verizon 2011 Data Breach Report
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

Barracuda
http://www.thetechherald.com/article.php/201115/7044/Malaysian-group-hits-Barracuda-Networks-Update?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+SecurityBloggersNetwork+%28Security+Bloggers+Network%29
http://blog.barracuda.com/pmblog/index.php/2011/04/12/waf-importance/
http://www.securecomputing.net.au/News/254601,barracuda-hack-shows-importance-of-defenceindepth.aspx?utm_source=twitterfeed&utm_medium=twitter
http://www.flyingpenguin.com/?p=11513
“Starting Saturday night at approximately 5pm Pacific time, an automated script began crawling our Web site in search of unvalidated parameters.  After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market.  As with many ancillary scripts common to Web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees.  The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later.  We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.”

Texas
http://www.txsafeguard.org/
http://blogs.chron.com/texaspolitics/archives/2011/04/personal_inform.html
“Personal information of about 3.5 million Texans — including names, mailing addresses and Social Security numbers — was posted on a publicly accessible server at the state comptroller’s office, much of it for more than a year, Comptroller Susan Combs said.”

Michigan Police taking your phones
http://www.thenewspaper.com/news/34/3458.asp
http://www.geekosystem.com/cellebrite-cellphone-hacker/
“The American Civil Liberties Union (ACLU) is currently engaged in a war of words and requests for information on a device used by the Michigan state police that can extract information from cellphones. The device, which has reportedly been in use since at least 2008, is apparently being used by the police during minor traffic violations.”

WordPress
http://en.blog.wordpress.com/2011/04/13/security/
http://newenterprise.allthingsd.com/20110413/wordpress-com-suffers-security-breach/?mod=ATD_rss&utm_source=twitterfeed&utm_medium=twitter
http://threatpost.com/en_us/blogs/wordpress-hacked-source-code-stolen-041311

Georgian woman cuts off web access to whole of Armenia
http://www.guardian.co.uk/world/2011/apr/06/georgian-woman-cuts-web-access

Hacker Group Changes Millions of Passwords to “password”; Only 38% of Users Notice
http://www.f-secure.com/weblog/archives/00002134.html
“Passwords from over 3,000,000 user accounts were apparently set to “password” late last night in a wide-spread hack that affected hundreds of news, retail and Web 2.0 sites. Most affected users are completely unaware of the attack.”

Quick Mentions:
FBI take down botnet
http://threatpost.com/en_us/blogs/doj-shuts-down-botnet-disables-infected-systems-041411
Facebook adds 2 factor
http://threatpost.com/en_us/blogs/facebook-adds-two-factor-authentication-041911
Flash 0 day:
http://www.adobe.com/software/flash/about/
Anything below version 10.2.153.1 is vulnerable

Upcoming events
CEIC Orlando (15 – 18 May 2011)
#BSidesROC Rochester, NY (21 May 2011)
#BSidesDetroit (3 – 4 Jun 2011)
#BSidesStJohns St. John’s, NL (10 Jun 2011)
#BSidesCT Meriden, CT (11 Jun 2011)
FIRST Austria (12 – 17 June 2011)
#BSidesVienna(18 June 2011)
Toorcon (18 – 19 June 2011)
#BSidesLasVegas (3-4 August 2011)
BlackHat Vegas (3 – 4 August 2011)
DEFCON 19 (4 – 7 August 2011)
#BSidesLA Los Angeles, CA (18 – 19 August 2011)
#BSidesMO(21 Oct 2011)
#BSidesNewDelhi (22 – 23 October 2011)
VB Barcelona October 2011

Links:
http://www.securabit.com
http://dualcoremusic.com/nerdcore/

Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast – http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available – http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8

What features do you want added to our website?

We already have a blog aggregation that we host at planet.securabit.com and our new exploit developer’s corner. There is also a guest form on our contact page, so if you’re interested in being on the show or doing an interview of any sort, please fill that out!

What else do you want us to have? Perhaps bringing back the forums or introducing a mailing list? Challenges? Pictures of cats with lockpicks?  Please leave comments!

Please note, if you want us to revive our forums, we’re going to conscript you into slave labor to admin them. Thanks 🙂

ThotCon and Hacking Tractors

This past weekend our newest SecuraBit co-host Dan Mitchell got a chance to attend Thotcon, a non-profit, non-commercial hacking conference held in the “Windy City”.  Here is what Dan had to say:

The conference benefits from strong support by a vibrant local hacking community and a nice mix of infosec professionals and underground hackers alike. I was impressed by the quality of the presentations and the amount of knowledge and information I was able to condense into my brain in just 10 short hours. On the topic of “time”, the conference kicked off with a most excellent presentation called “pwning time” by Mark Hardy. Mark, also known for his outstanding DEFCON presentation “A Hacker looks at 50” is a veteran in the industry and somebody who personifies the true “hacking” spirit. Mark’s presentation was ultimately a bevy of wisdom on how we can better manage our time and figure out “what we want to be when we grow up”. I recommend checking out what he has to say, it is truly inspirational. By far my favorite presentation was given by Chris Roberts and Jesse Diekman called “Planes, Trains and Automobiles”. It was during this presentation that I was introduced to “Tractor Jacking” i.e. Chris and Jesses’s successful attempt at remotely hacking into the OS of large industrial tracktors and taking them for a spin.  They also demonstrated how they where able to stand on a bridge and wirelessly hack into the OS (AUTOSAR) of passerby cars and do everything from disabling the ABS to grabbing and reading sensitive configuration files. The presentation was simultaneously frighting and hilarious and served as a reminder that a the vulnerability landscape extends far beyond mobile devices, cloud services, desktops and servers.

Dan had the opportunity to speak personally with Chris after his presentation and we will hopefully be arranging to get him on the show soon. All of the presentations will be available on the ThotCon website in the near future. If you are looking for a unique hacker con, one that is different from the run of mill cons we see every year, ThotCon is definitely worth checking out.

Gigantic Patch Tuesday!

Any of you that have a hand in the patching systems cookie jar are probably reaching for that 4th or 5th cup of coffee by now.  Microsoft put put 17 bulletins covering 64 security fixes today in what is the largest number of patches dropped on a single day.

SANS has excellent coverage as always.

Exploit Developer’s Corner: Mr_me and Aurora DEP bypass

Exploit code: aurora-ie7-dep-bypass (WARNING: AV may report as malware)

Myne-us: Hello, This is the first interview for exploit developers corner on securabit and we are honored to have mr_me from net-ninja.net with us today. Hello mr_me how are you today?

Mr_me: Hello, thank you for the warm welcome I am good thanks and yourself?

Myne-us: doing great 🙂

Myne-us: so how long have you been doing exploit development?

Mr_me: I started exploit development approximately a year and a half ago now

Myne-us: In that time you have provided a large number of proof of concepts for everyone. If you visit Mr_me EDB you will see over last year and a half mr_me has been very busy

Myne-us: what got you started in exploit development?

Mr_me: ahh yes, well I got started from taking Offensive Securities backtrack spin class “OSCP”. Once I learn’t the basics of what debugging a stack overflow was I became hooked and it became like an obsession for me.

Mr_me: I generally provide working exploit code or PoC’s so that maybe other researchers can share ideas and thus, we heighten our knowledge of software security.

Myne-us: sounds great, an excellent course. So today we are going to talk about your revision of the aurora exploit that has DEP bypass. This is the famous aurora attack that hit Google in 2010.

Myne-us: So lets start out with how did you discover where the vulnerability is in IE to build this POC (proof of concept).

Mr_me: The vulnerability was discovered in the wild by an unknown person, I began with a blank canvas of a simple crash where the virtual function table is copied over from the ESI register

Myne-us: did you have a POC at the time you wrote this or did you have to dig for it?

Mr_me: There was a public PoC crash and exploit, however I re-engineered it to perform a dep bypass

Myne-us: So the DEP bypass causes this exploit to work in more modern systems where the execution of malicous code is denied, DEP wikipedia. So because you were able to re-engineer this exploit to work in this way, pentesters are now able to use this in a pentest with a reliable protection bypass.

Mr_me: exactly

Myne-us: So can you give us the mile high overview of the exploit then we will dig deeper.

Mr_me: So basically the concept is to inject your shellcode into the heap through a heap spray, load an object with a pointer to the shellcode, delete that object, call the object through a virtual function which directs us to our shellcode.

Mr_me: So during a pentest I had a hardened environment and had to demonstrate that vulnerabilities were still a critical security issue.

Myne-us: Ok so lets break this down into smaller chunks so first heap spray, can you give an explanation of why you used Heap Spray Wikipedia

Mr_me: ok so the reason why the heap spray was used was to spray enough heap blocks to be able to find a reliable location for the call to the shellcode later on.

Mr_me: By doing this, I can force the windows heap manager to allocate multiple chunks of heap data containing our shellcode at a predictable address

Mr_me: With a decent spray and a consistent allocation size, an address that points to our shellcode is going to be highly accurate.

Myne-us: and in exploit world that is very important. Reliability means testers do not crash your systems by accessing incorrect parts of memory.

Mr_me: exactly

Myne-us: What are some of the biggest challenges you came by when writing this ?

Mr_me: well reliability, and hitting the correct location in the heap for my ROP code. Because the DEP bypass relies on pointers in memory, accuracy is a must.

Mr_me: If the return address was one byte off, the exploit will fail (no room for a sled)

Mr_me: Additionally, finding the correct gadgets and ensuring they are reliable is the second biggest hurdle. I had to ensure that the windows library that I choose, was not patched too often by Microsoft

Myne-us: ROP return-oriented programming Zynamics introduction to ROP is a popular technique used to bypass DEP and jump to alternate memory locations by using code that already exists in memory. This basically allows you to use what the developer gave you to build out system calls to bypass DEP. Some challenges in ROP can be finding reliable addresses to use for your ROP gadgets and finding libraries that do not use ASLR ASLR wikipedia.

Myne-us: So how did you get a reliable address loaded to jump to in memory for your shellcode and what ROP techniques did you use?

Mr_me: The technologies are what I call complimentary in operation. ASLR will prevent you from using return oriented techniques which is often needed to bypass DEP.

Mr_me: In my case I was presenting the attack under an environment where ASLR was not a problem, Windows XP SP3 does not have ASLR enable default.

Mr_me: However, if I had the restrictions of ASLR, I would be forced to possibly use a third party DLL or the common mscorie.dll from the .NET Framework version 2 which is installed by default on Windows 7

Mr_me: Then I would have fixed address locations that I could use to develop a ROP payload and bypass ASLR & DEP in a single shot

Myne-us: This is a very nice proof of concept for the aurora attack that shows how using multiple development concepts can make a reliable exploit. This version mr_me wrote is going to be released here on the securabit site for readers to learn from and take notes.

Myne-us: What are your goals in exploit development?

Mr_me: Primarily it is to learn, I like to learn how software will behave a certain way, or how memory will work based on my input.

Mr_me: In terms of outcomes, i like to ensure that I have a reliable exploit and that will attack many technology layers if required.

Myne-us: What do we have to look forward to from you in the future?

Mr_me: Well I will continue my own learning curve, (its steep i promise) and continue to share knowledge where I can.

Mr_me: Quite possibly I will share some of my own ideas for bypassing certain mitigation in the near future

Mr_me: but I have to make it to immunities master class first!

Myne-us: Sounds great and if you want to find out more information on mr_me you can always visit net-ninja.net and to see his work in action you can view his edb page at Mr_me EDB page

Myne-us: Any closing remarks or anything you would like to promote?

Mr_me: Thanks for having me aboard

Mr_me: Just like to say thanks to everyone at securabit and everyone that has contributed to helping me learn these techniques.

Myne-us: thank you for being on 🙂

SecuraBit Episode 79: Back to the basics with Marcus Carey!

SecuraBit Episode 79:  Back to the basics with Marcus Carey!
April 6, 2011

Hosts:
Christopher Mills – @thechrisam
Jason Mueller – @securabit_jay
Tony Huffman – @myne_us

Guests:
Marcus J Carey- @iFail
http://hackersforcharity.org/

General topics:

NEWS:
Epsilon:
http://www.pcworld.com/businesscenter/article/224192/epsilon_data_breach_expect_a_surge_in_spear_phishing_attacks.html
http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-Highlights-Cloud-Computing-Security-Concerns-637161/
http://threatpost.com/en_us/blogs/list-companies-hit-epsilon-breach-040511
https://threatpost.com/en_us/blogs/epsilon-data-breach-expands-include-capital-one-disney-others-040411
http://www.epsilon.com/News%20&%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3

“On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway,” the statement said.

LizaMoon:
http://threatpost.com/en_us/blogs/counterspin-lizamoon-web-attacks-no-big-deal-040511
In a post on Cisco’s security blog, senior security researcher Mary Landesman said that data from the company’s ScanSafe Web security infrastructure suggests that just over 1,000 Web domains have been compromised using the SQL injection attack, not the 500,000 to 1.5 million cited in published reports.

https://threatpost.com/en_us/blogs/widespread-lizamoon-web-attacks-push-rogue-antivirus-040111
“Websense researchers wrote on Thursday that a Google search for Web sites hosting the malicious URLs identified over 1.5 million Web sites hosting the code”

Pandora.com data leak:
http://threatpost.com/en_us/blogs/pandora-mobile-app-transmits-gobs-personal-data-040611?utm_source=Home+Page&utm_medium=Top+Graphic+Bar&utm_campaign=Position+3
“The data included both the owner’s GPS location and tidbits the owners gender, birthday and postal code information. There was evidence that the app attempted to provide continuous location monitoring – which would tell advertisers not just where the user accessed the application from, but also allow them to track that user’s movement over time. “

RSA attack:
http://threatpost.com/en_us/blogs/rsa-securid-attack-was-phishing-excel-spreadsheet-040111
“”The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read ‘2011 Recruitment Plan,” Uri Rivner, head of new technologies in the identity protection division of RSA wrote in a post on the attack”
http://www.nsslabs.com/research/analytical-brief-rsa-breach.html

¾ Energy Firms Had Data Breach over last year:
http://threatpost.com/en_us/blogs/study-three-four-energy-firms-had-data-breach-last-year-040511
Long perceived to be beyond the attention of hackers, energy firms and utilities now report that they are being targeted. In the Ponemon study, 76% of the IT security staff interviewed reported that their organization had experienced “one or more data breaches” in the last 12 months. A similar number – 69% – said they felt a data breach was likely to occur in the next 12 months, Ponemon said.

Comodo what really happened:
https://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311
http://pastebin.com/uSdKNDN5
“ I found out that TrustDll.dll takes care of signing. It was coded in C#.
Simply I decompiled it and I found username/password of their GeoTrust and Comodo reseller account. “

FBI asks for help on cracking code:
http://www.h-online.com/security/news/item/FBI-asks-for-help-cracking-a-code-in-unsolved-murder-case-1220007.html

Other Stories:
http://www.techdirt.com/articles/20110401/13241213732/exploit-hadopi-site-turns-it-into-pirate-bay-supporter.shtml
http://news.softpedia.com/news/Google-Chrome-to-Block-Malicious-Downloads-193386.shtml

Upcoming events:
ThotCon (15 Apr 2011)
#BSidesChicago (16 – 17 Apr 2011)
#BSides London, (20 Apr 2011)
CEIC Orlando (15 – 18 May 2011)
#BSidesROC Rochester, NY (21 May 2011)
#BSidesDetroit (3 – 4 Jun 2011)
#BSidesStJohns St. John’s, NL (10 Jun 2011)
#BSidesCT Meriden, CT (11 Jun 2011)
FIRST Austria (12 – 17 June 2011)
#BSidesVienna(18 June 2011)
Toorcon (18 – 19 June 2011)
#BSidesLasVegas (3-4 August 2011)
BlackHat Vegas (3 – 4 August 2011)
DEFCON 19 (4 – 7 August 2011)
#BSidesLA Los Angeles, CA (18 – 19 August 2011)
#BSidesMO(21 Oct 2011)
#BSidesNewDelhi (22 – 23 October 2011)
VB Barcelona October 2011

Links:
http://www.securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast – http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available – http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8


Let the phishing begin!

If you stay in hotels, have a bank account or credit card, or shop (online, from your TV or good old fashioned brick and mortar), there’s a good chance you will be the proud new owner of some data breach notification emails. Yay.

Last week Epsilon Data Management notified its customers of a data breach. In turn it’s Epsilon’s customers, including hotel chains, banks, retail stores, etc. (see the Krebs on Security link below for a more complete list) are now notifying their customers.

Here is some great coverage, as well as possible implications and recommendations if your organization may be sharing data with third parties:

Krebs on Security: Epsilon Breach Raises Specter of Spear Phishing

CAUCE: Epsilon Interactive breach the Fukushima of the Email Industry

SANS Internet Storm Center: When your service provider has a breach

Email below from Best Buy Reward Zone:

__________________________________________________Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:

http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx.

Sincerely,

Barry Judge

Executive Vice President & Chief Marketing Officer

Best Buy

__________________________________________________

We feel better now knowing “the only information that may have been obtained was your email address and that the accessed files did not include any other information.”  We’re doomed if we need to rely on Geek Squad to help prevent us from future attacks.

sigh….

 

NetWitness acquired by EMC

As you may have already heard, our sponsor NetWitness has been acquired by EMC.  You can read the full press release here.

Nothing will change from a SecuraBit standpoint.  We will continue to deliver our content and this will all be transparent to that.

Thanks again for visiting and listening!