
October 04 2014

raistlin
16:19
How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.
Compromise needed on smartphone encryption - The Washington Post
Tags: idiocy

September 30 2014

raistlin
14:33

Quick summary on ShellShocker

This post contains no original research but just a few links and info on the ShellShocker bug. I put it together to have a handy reference for friends & co., feel free to share.

A summary, along with test cases and info:

Attacks going on in the wild:

- Multiple reports of IP addresses scanning for the vuln with a consistent user agent (User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138).

Request: "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0"
Host: -
UA: "() { :;}; /bin/ping -c 1 198.101.206.138"

Originally this was by Graham at Errata Security (read here) but he has not been scanning for days, so if you still see it, that's not good. 
Also, Robert's scanner is polite:
IP: 209.126.230.72
Request: "GET / HTTP/1.0 "
Host: "() { :; }; ping -c 11 209.126.230.74"
UA: "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

The pattern above is being used in active exploitation (see also here), and that specific attack drops a bot that a source connected to past infection of routers (although this version is for x86).
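As an added example (not part of the original post, and not code from Errata Security or anyone else mentioned above), here is a small Python detector for the two probe shapes quoted above. It parses raw HTTP requests, looks for a header value that begins with the bash function-definition marker "() {", and extracts the command that follows the closing brace. The three sample requests are constructed for the example: the first two mirror the quoted patterns (payload in User-Agent, payload in Host), the third is ordinary browser traffic. The helper names (`parse_request`, `find_shellshock`, `scan`) are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# bash imported a function definition from an environment variable only when
# the value began with "() {", so an anchored match on that prefix is the
# distinguishing signal; whatever follows the closing "}" is the injected
# command that a vulnerable CGI host would have executed.
FUNC_DEF = re.compile(r'^\(\)\s*\{')


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and a header map.

    Header names are lower-cased and values stripped; parsing stops at the
    blank line that ends the header block.
    """
    lines = raw.strip().splitlines()
    request_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def find_shellshock(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (header_name, injected_command) for the first header whose value
    starts with the function-definition marker, or None if nothing matches."""
    for name, value in headers.items():
        if FUNC_DEF.match(value):
            # Everything after the first "}" is the command bash would run.
            tail = value.split('}', 1)[1] if '}' in value else ''
            return name, tail.strip().lstrip(';').strip()
    return None


def scan(requests: List[str]) -> List[Dict[str, str]]:
    """Run the detector over raw requests and collect one record per hit."""
    hits = []
    for raw in requests:
        request_line, headers = parse_request(raw)
        found = find_shellshock(headers)
        if found:
            header, command = found
            hits.append({
                'request': request_line,
                'header': header,
                'command': command,
                'user_agent': headers.get('user-agent', ''),
            })
    return hits


# Constructed sample requests (not captured traffic): the first two mirror the
# probe patterns quoted in the post, the third is ordinary browser traffic.
SAMPLE_REQUESTS = [
    "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0\r\n"
    "Host: -\r\n"
    "User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138\r\n\r\n",
    "GET / HTTP/1.0\r\n"
    "Host: () { :; }; ping -c 11 209.126.230.74\r\n"
    "User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_REQUESTS):
        print(f"{hit['request']}: payload in {hit['header']} -> {hit['command']!r}")
```

The detector checks every header rather than only User-Agent because, as the second quoted probe shows, the marker can sit in Host (or any other header a CGI wrapper exports into the environment). The extracted command is the useful part for a defender: in both probes it names the address that receives the ping, so egress or ICMP logs can be checked for traffic to it to tell a mere probe from a host that actually executed the payload.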

November 02 2013

raistlin
14:37

The BadBIOS story and my comments

As I usually do when there's a developing story, here are some reflections and comments on the BadBIOS story.

If you don't know what I'm talking about, just do yourself a favor and start from here, which is as good a summary as any. You can also read a different summary, complete with many of the tweets by Dragos, here.

First things first: Dragos Ruiu is a friend, a trusted peer, and if he comes public with something so wild and difficult to believe, I completely trust he has seen something. Like all humans, Dragos might be wrong, he might be overestimating stuff, or whatever, but I don't doubt for a minute that he has (what he thinks is) proof of what he says.

I completely agree with the analysis Robert Graham has done here and share most of his observations. What has been described is all technically possible, but the combination of everything in such an evil and nasty set of malware (more on this in a minute) would be completely unheard of. If anybody shrugs and says he's seen stuff like this before, please waterboard him until he says where.

I would like to share these useful observations on what BIOS can/cannot do. However, I would respectfully disagree with the conclusion that what Dragos is seeing cannot be there. We know that malware and rootkits can be composed of multiple components, and the BIOS component might only be responsible for a few of the reported behaviors. We simply have to wait for more details and samples to be provided.

It should be noted that Igor Skochinsky, a well respected malware reverser, analyzed some samples provided and believes them to be malware free.

In conclusion: I completely respect and trust Dragos. I do believe he saw something complex and behaving mysteriously. I think we are missing a lot of technical details still, and I look forward to the release of malware samples, at least in the usual trusted communities for malware analysis.
Tags: BadBIOS
August 07 2013

raistlin
21:55

A quick summary on the "0-day against Tor" brouhaha

It was recently announced that "the FBI" had apparently used a "0-day" exploit against people using Tor, with subsequent explosions of comments from the usual privacy advocates.

While I'm all for privacy advocacy, at times we shouldn't let our preconceived notions get the better of us. So let's look at the available data here.

On Aug. 4th the Tor people were advised of something gone awry. Hidden services from an organization called "Freedom Hosting" were unreachable, and apparently, someone had exploited the software used on them to deploy this malicious Javascript in the web pages it delivered to users. An advisory was released shortly thereafter. 

Now, Freedom Hosting services include TorMail (a very secure anonymous email operation); hacking and fraud forums such as HackBB; money laundering operations; the Hidden Wiki (sort of a Dark Net wikipedia...); and virtually all of the most popular child pornography websites on the planet. A Freedom Hosting account cost a one time fee of $5, offered unlimited space and bandwidth, an onion domain, PHP and MySQL support, FTP access, and even backups (!). A large number of hidden websites were hosted by Freedom Hosting, so it's easy to see how the "attack against Tor users" generalization was born.

By analyzing the code (see the excellent writeups here and here) we can observe a number of things.

First of all, this was an attack exploiting a known vulnerability in an older version of the Firefox JavaScript engine. Specifically, this older version was present in some of the Tor Browser Bundle (TBB) versions. TBB includes Firefox plus some privacy patches.

For the sake of documentation, I will note that this was fixed in Firefox 17.0.7 ESR, and in TBB 2.3.25-10 (plus several of the alphas and the betas). Fixes were available for TBB since June 26th.

So whoever was affected after June 26th was affected because they didn't patch their software; this was no zero-day by the time this attack came to light.

Additionally, the exploit was targeted to Windows users, while the Firefox vulnerability is cross-platform.

The payload connects to 65.222.202.54:80 and sends an HTTP request that includes the host name (obtained via gethostname()) and the MAC address of the local host (obtained by calling SendARP on gethostbyname()->h_addr_list). It then cleans up its state and appears to crash deliberately.

So, what happened is that through compromising one or more hidden services, the unknown attacker collected at that IP address a list of the vulnerable users that accessed that/those services.

The payload does not open a backdoor or install other stuff, so this is very unlikely to be a black hat operation. It looks much more like a tracking mechanism, so it's not a bad guess that this is law enforcement or three-letter-agency activity. It actually sounds suspiciously like CIPAV, the FBI malware we know about from 2007.

The fact that 65.222.202.54 is in the Northern Virginia area, served by Verizon Business, only confirms this suspicion. Be aware that the suggestion that this IP is allocated to SAIC and previously in use by NSA turned out not to be correct.

Around the same time, a guy named Eric Marques was arrested and is awaiting extradition on FBI's request for facilitating the exchange of child porn. There's no direct link so far, but it's easy to believe that Marques is the founder of Freedom Hosting, and that these two operations are related. However, we may wish to be cautious in saying this is what happened.

Interestingly, a couple of years back Anonymous did dismantle for a few hours Freedom Hosting (operation Darknet), under the lead of Sabu, back then an important member of Anonymous, afterwards disclosed as an FBI informant. Since his turning to informant is dated in August 2011 and the operation against Freedom Hosting is dated in October, there's been speculation of that being the first FBI led operation against the network. But this is really a wild shot in the dark.

We also shouldn't believe that child porn is such a large component of the Tor traffic. The curious reader may wish to check some statistics on what is actually hosted on the Dark Net.

What is pretty funny, or sad, are the suggestions given to Tor users to avoid falling into a similar trap in the future. Besides the obvious "keep up-to-date your software", another suggestion from fairy-crypto-lands is "disable Javascript" (try on your own and let me know how many websites you are able to browse after that) - and also, while you are at it, "css, svg, XML"... Other suggestions included "randomizing your MAC address" (I can see Windows users out there doing just that!), and "install various firewalls" (which in this case would have surely helped, right?).

Another suggestion was to use Tails, a live distribution of Linux with Tor and privacy software preinstalled. Which is precisely the best way to keep software up-to-date, right?

I think the Tor community should face, and have users face, the sad reality. It is impossible to safely use Tor to browse common websites without risking an attack of this kind (because it is basically impossible to use ordinary websites with Javascript-and-everything-else-disabled). This was terribly effective and used a month-old vulnerability. Just go figure what would happen with a zero-day. Also, while using Tails per se is a good suggestion (because in this way you compartmentalize privacy browsing from data and systems used in non-private browsing) this wouldn't really help in this scenario (except for the fact that this specific payload was Windows based, but there's no reason for that except the fact that a vast majority of the interesting subjects were using Windows).

If you have a real need to go anonymous, you need to implement good opsec, as my friend Grugq is demonstrating here (slides here).

April 15 2013

raistlin
12:12

AndroTotal is basically the Android equivalent of VirusTotal: Given a suspicious APK, it submits it to several unmodified Android antivirus apps running in an unmodified Android OS, and reports back to the caller with detailed information about what the antivirus detected, what network traffic is generated, what information is displayed on the screen and, most importantly, the label of the detected threats (if any).

Differently from VirusTotal, we scan the APKs using the original antivirus mobile apps installed and run on a genuine, unmodified Android OS image.

AndroTotal official blog
raistlin
12:11

AndroTotal - Home

A free service to scan APK (Android apps) for viruses

April 13 2013

raistlin
10:35

A comment on the "hacker attack" on beppegrillo.it

Since some American friends are asking, I thought I'd share a few comments on the purported hack attack on a political movement here in Italy (source in English).

First, a brief reconstruction of the events (and note I'm trying to stay clear of political nuances, which is costing me some effort). In a few days, the Italian parliament is set to vote for the elections of our next President. Italy is a parliamentary democracy, and the President is elected jointly by the houses of parliament and other representatives of the Regions. Since it's a 7-year mandate, this is a particularly important moment in the Italian system.

The political movement in question, Movimento 5 Stelle, launched a poll (not a vote, technically, as the vote takes place only as I mentioned before) among its members (and not an open poll) to indicate "names" of personalities they should propose as next president. This is important, as it deflates the practical value of attacking such a system for any external threats (except politically motivated ones, for demonstration purposes). The names coming out of this poll would just be an "indication", for the MPs of the movement, on how to vote during the actual elections. An indication because, of course, at some point they might have a choice between an agreement on other candidates or irrelevance (since there's a qualified majority needed to elect the President).

Now, the facts we know are that:
1) the movement leader decided to stop the poll and start it over, due to a purported "hacker attack" which was "detected" and "solved".
2) the event was discovered by DNV (a certification entity, hired to ensure that the election process was not flawed). The certification body states an anomaly was discovered, namely that there were more votes than registered voters.
3) DNV is not in the business of information security, but of compliance. They discovered the event by analyzing the process and the data, and discovering implausible values.
4) Contrary to what was initially said in 1), subsequent versions of the story talk of a "sophisticated intruder" who "hid their traces" and of an unidentified first moment of access.
5) The software was developed in house, is not open source, and the servers which host it are owned and managed by the PR agency which supports the leader of the movement (which is also, we believe, the author of the software, or has contracted the author).
6) A facebook group claimed the "attack" was just a matter of organized trolling, i.e. that they basically accessed the voting system without control due to a flaw in the process and in restricting access.

What is my personal opinion on this, founded on my experience?

I honestly don't know whether or not a willing attacker was behind this event (I take exception, in general, to calling that attacker "hacker", but this is another story). However, since the practical value of a hidden attack against such a system is close to zero (given that this is a poll completely under the control of the movement leadership, which can call it off at any time or mangle the results as they see fit), the only reasonable course for a politically motivated attacker would be to make the system fail visibly (say, a defacement). Since nothing like this happened, my opinion is that an attack from an external entity is very unlikely.

But regardless of this, my opinion is that, most likely, what happened was the result of badly designed and written software, realized by less-than-competent people. Open source software for polling is available, tried and true, and could have been used. Honestly, this is not rocket-science, either. Also, the process of registration for voting should be scrutinized as it is probably part of the issue.

Finally, my opinion is that a poll managed and run by a PR agency working for the leader of a movement, on closed systems and with a software that has been specifically developed for this, has very little to do with any form of voting. The sheer fact that they needed to hire a certification body (DNV) to give some proof that the process was not flawed (resulting in the boomerang of having to admit it was) is a demonstration of a basic flaw.

The movement under discussion hosts a number of technically savvy people who could easily form a committee to manage and run a neutral technology platform for this kind of polling, or for internal debate. The fact that this does not happen, alone, casts serious doubts on anything that is done "online" with a closed platform.

The core issue here, and I'm really trying hard to stay clear of any political comment, is that this movement is trying to confuse online polling with real e-voting, and a blog with its comments with e-democracy. E-voting and the transformation of democracy into a more evolved form through the adequate use of technology is difficult; it cannot be realized in-house with closed processes by a bunch of incompetent folks who cannot even realize a functional polling system.

E-voting, or e-democracy, entails deeply complex research issues such as voter/citizen identification, guarantee of vote secrecy, guarantee of anonymity coupled with ensuring authentication, crowdsourcing of the management of online discussions, possibility of open scrutiny of the process by voters and third parties... This is difficult, friends, more difficult than you can possibly believe. There are only a few handfuls of experts around the world who know how to do this, and surely they don't work for a marginal PR company in Italy.

The obvious snake oil sign here is the classical statement "Well, no system can be 100% secure". That's obviously true. But some systems can be immediately identified as incredibly stupid, or at the very least terribly boorish.
