Monday, March 30

Older TOR Research Paper - Privacy and Security Study

I stumbled across an older research paper from the University of Colorado discussing the traffic patterns for data flowing into and out of the TOR network. Very interesting read, and I like the inventive methods for detecting "sniffing" exit nodes, although I must say that anyone with a bit of knowledge regarding how to quietly listen using TCPdump -n.

Thursday, March 26

Securing OSX - Apple's Leopard Security Guide

Worried about the default configuration of Leopard OSX 10.5? Take a read through Apple's own security configuration guide. This guide covers the installation to advanced configuration options including turning off hardware support for USB, Bluetooth, Video, Wireless, etc for the most paranoid out there.

Mac users can also look forward to getting more advanced security features as part of the 10.6 release of OSX-Snow Leopard you'll be glad to know that rumors point to modern security features like enhanced ASLR with 64bit memory space, and full NX support.

Charlie Miller - Toms Hardware Exclusive

Tom's Hardware has posted an excellent interview with Charlie Miller who was successful at hacking a fully patched OSX box at this year's CanSecWest. Here is the interview. Very insightful answers to the questions.

Wednesday, March 25

SmartPhone Pwn2Own Results Reflect Security of the Device?

Since the CanSecWest conference last week a few people on the net have been reporting (Gizmodo, Slashdot, Engadget) that because none of the smartphone platforms were compromised (I think there was only a single attempt if I heard right) and that these devices must be inherently secure or a lot harder to hack than Safari and the rest of the browser crew.

After hanging out with a few of the researchers at the conference, and witnessing first-hand some of the technical prowess they possess, it seems a little strange to me that the security of these handsets pose a challenge to these people.

Adding to my skeptisim is the fact that many of the researchers at the conference were supporting the stance of "no more free bugs". Which I support - as there is a very real thriving underground economy for bugs and exploits - and researchers deserve to get compensated for the knowledge and expertice, not to mention that the pwn2own contest rules sign-over ownership of the bug to TippingPoint (ZDI) for basically the cost of the hardware plus 10K.

My theory on why the smartphones survived the pwn2own ordeal is not that they are uber-secure, but that the researchers know that the bugs they have for them (and based on what these guys can do on platforms that have been secured for years they DO have them) felt that the compensation that they were being offered does not even come close to the value the bugs have to other potential buyers and future uses.

I would argue that bugs on these platforms are much more valuable than say a browser exploit, or Vista hack, as taking control of a smartphone with its advanced functionality, personal connection to the owner and lack of security awareness for the platform.

Anyway, my little theory on smartphone security.

Monday, March 23

A few more details regarding the peristent BIOS infection

If you were lucky enough to attend this year's CanSecWest conference than you probably sat through Anibal Sacco and Alfredo Ortega's talk on the BIOS infection, and how this would persist even through a hard-drive wipe / operating system reinstall. These guys are extremely bright and are pushing hard at the edge of security research.

The slideshow published by Core Security, provides the overview, which I'll summarize here with what I can remember of the technology and tools used to enable the hack shown at the conference.

First is getting a copy of a BIOS to hack. There are two options, and one which made the researcher's lives easier, VMware supplies both a generic "virtual" BIOS and a debugger which makes testing and developing the patches easier. A generic tool also exists which they have created to retrive, modify and reflash the BIOS based on previous work by pinczakko.

The second thing talked about is the structure of the BIOS which gets executed by the CPU when the computer first boots, and the operating system has not yet loaded. The whole point of describing this structure is that BIOS structure differ between different manufacturers and models of motherboards, and these differences make it difficult to predict where to make certain changes. The researchers found that almost all modern BIOS versions however use the identical decompression utility used to expand other pieces of code in the BIOS for devices such as video cards, north and south bridges, etc. This code is easy to find using pattern matching in the BIOS. Once this section of code is found, it can be patched with a different decompression utility, making the hack possible. The other cool thing, if I'm not mistaken, about the decompression utility is that it is OS independent meaning that it will run on multiple CPU architectures (x86, AMD64, etc).

One of the key features of the BIOS is having access to the computer's hardware before the operating system, which makes doing things like patching hard disk bytes possible. Once just has to know what to search for (password files, ini files, etc) and changes can be made directly.

They also hint at being able to do other things with the code, like utilizing, accessing, modifying other devices which are interfaced with at boot time (video, ethernet, RAID, etc). This is cool because one of the things that loads in most modern BIOS is netboot or Preboot Execution Environment (PXE). Imagine that as the PC boots that a network stack is enabled, a malicious site is contacted for updated code, and additional hacks performed as desired, seems like the ultimate, very-hard to detect rootkit.

Even more concerning would be the creation of BIOS resident blue-pill type hypervisor.

UPDATE: Alfredo has informed me that the did not develop CoreBoot, they use the great opensource tools found here. Core Security developed their own toolset for these tasks CoreBoot. This project contains the code necessary to flash, patch and calculate the right checksums for the BIOS to work properly. They have not posted this on their public site, and am not sure if they intend to.

*Very cool stuff indeed.*

Friday, March 20

PII Guide Draft from NIST - SP800-122

SP800-122 - is a relatively new draft guideline regarding the protection of confidentiality related to personal information. Check it out.

Thursday, March 19

Update from CanSecWest

So most of the way through the second day of the conference there have been some really interesting topics. Here is a list of the top ones for me:

Unicode vulnerabilities - Although it was cut short due to running over time, Chris Weber, from Casaba Security gave an excellent description of a large number of unicode issues which plague web applications. His favorite - BOM.

Sniffing Keystrokes - What a nice change in pace - the two Italians put on quite a show regarding the use of two side channel attacks on keystrokes. One regarding the electrical noise that poorly shielded PS2 connectors, and the other by recording and analyzing vibrations from typing on laptops by using cheap lasers!

Chinese Hacking Culture - Wow, what a great opportunity to hear from a security professional working inside the hacker community in China! Excellent talk, and cudos to ICBM for getting the message across and even answering questions with a significant language barrier.

More later.

Monday, March 16

Updates from CanSecWest

I am attending CanSecWest this week in Vancouver, British Columbia, and will be updating my blog frequently to recap some of the high-lights of the event. Monday will be pretty slow as people make it into town and get settled.

Tuesday, March 10

Prioritizing PCI Compliance Activity

In new guidance offered by the PCI Security Standards Council, a checklist has been provided to assist organizations with focusing on the important issues first, and spending time where the greatest risks exist. This is very useful for organizations with limited funding and resources.