Domain: blackhat.com
Stories and comments across the archive that link to blackhat.com.
Comments · 200
-
Re:Phone Viruses
Oh, they exist. You're right that they're not as widespread as regular ones, since the hardware and software world is much more diverse. But, they are there. For example, there was a talk at blackhat 2007 about them (slides). One interesting side part of that talk for me was the question of how to research a cell phone virus without risking infecting the production network. (The answer: one hell of a Faraday cage around the lab.)
-
Re:MacOSX is not more secure in itself
Sure, the stack is non-executable. But what about the heap? http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Miller/BlackHat-Japan-08-Miller-Hacking-OSX.pdf What about ASLR? It just applies to library prebinding and is a weak implementation: http://www.laconicsecurity.com/aslr-leopard-versus-vista.html. OS X ASLR does not apply to the stack, heap, main, etc. Regardless, you're right about flash. It's a vuln magnet. But OSX may be the same once it reaches a critical market penetration.
-
Re:This is the tool Prajakta Jagdale spoke about..
The movie is still available: https://media.blackhat.com/bh-dc-09/video/Jagdale/blackhat-dc-09-jagdale-blindedbyflash.m4v
-
This is the tool Prajakta Jagdale spoke about..
At Black Hat D.C. last month Prajakta Jagdale spoke about HP developing this tool in her presentation:
"Blinded by Flash: Widespread Security Risks Flash Developers Don't See"
From the presentation's description:
"In this presentation I will examine the Flash framework and then delve into the Flash security model and the transitions it has undergone over the years. To explore the avenues of compromise in the security model, I will use a test Flash application and demonstrate various attack vectors including Cross-Site Request Forgery, data injection and script injection. During this demonstration, I will explain the associated threats in detail and discuss means to mitigate these threats. Even though the test application validates the attack surface, the question remains: how many applications actually deployed are vulnerable to these threats? I will answer this question by providing astonishing statistics about vulnerable, real world applications I was able to find using simple Google queries."
The pdf of her presentation is here:
https://www.blackhat.com/presentations/bh-dc/Jagdale/BlackHat-DC-09-Jagdale-Blinded-by-Flash.pdf -
Re:Old news to me
I thought I saw this kind of thing at Blackhat US 2006, as a browser exploit.
The difference is that it's "weaponized" now. We start patching, tracking and working on sigs when an exploit comes out, but the risk level really goes up when the threat is in the wild, and again when the exploit is packaged. I'm actually surprised that it's not a multi-vector threat, using maybe a spam or lured browser propagation. That would give the worm access to the protected interface.
-
Re:Not nothing.
That's what I thought until I read Moxie Marlinspike's paper, especially how one can create a valid certificate for say www.paypal.com as a leaf of an otherwise valid trust chain for another domain.
Unicode tricks are pretty scary too... -
Just D/L and watch the Moxie's talk and interview.
A lot of people are speculating what it all means.
How about just watching the talk and deciding for yourself?
https://media.blackhat.com/bh-dc-09/video/Marlinspike/blackhat-dc-09-marlinspike-slide.mov
Interview:
https://media.blackhat.com/bh-dc-09/blackhat-dc-09-marlinspike-interview.m4v -
Re:Alternatives
I watched the video presentation which another poster linked to. Once you MITM the http session, you can proxy the SSL login page using a modified https url for which you do have a valid certificate. The users get a valid https page, only not for the domain they think it is, but the url deception is so slick it's hard to imagine anyone spotting it.
This is an improvement over the older version which worked in the way you described (and which BTW he found to be 100% effective in fooling people based on a limited trial on a TOR network - which is also scary).
-
Re:Too many loopholes
The Skype protocol/encryption are only well known to the secret services. To us mere mortals, they're closed. People like Biondi/Desclaux have gained some insight but by no means reverse-engineered the protocol.
I don't believe for a second they're only now starting to listen in on Skype calls. There's too much evidence that Skype already has a backdoor.
-
Re:Alternatives
Apparently this only affects those who don't pay attention...nothing to see here.
Can you make the claim you are 100% vigilant 100% of the time?
It's more subtle than that. It takes away one of the biggest indicators that there is an SSL problem--the dialogs. Watch the presentation video. It's pretty cool. What Moxie shows is that often the indicators of SSL enabled and not enabled are practically non-existent. It's easy to see how most users, even tech savvy ones, could be fooled. -
Re:"Allowing Criminals"
You mean the paper that explicitly concluded that "Skype was made by clever people" and "Good use of cryptography"?
Yes, it has weaknesses, but unless you get your victim to run a trojanized Skype (at which point they'd be screwed either way), it still seems reasonably secure. Oh, and of course you trust Skype Inc anyway, if you're running their binary.
That said, Skype is inherently scary, and I'd naturally advocate an open source, peer-reviewed system. I just get the feeling that many people misinterpreted that paper.
-
Re:Odd choice of words
Wrong. User types "paypal.com" into their URL bar. Browser sends a request for http://paypal.com/. PayPal might automatically redirect to HTTPS (in fact it does, when I try it), but by then it's too late. A MITM can have already served up the fake page as HTTP, and few users will notice the difference.
Replying with a 302 to an http request or responding to an "https link click" is not encrypting everything.
But paypal.com does not have to reply with a 302 to the http request. Or better yet, we could all just strongly discourage using a redirect from http to https under any circumstances, and utterly ban https clickys in http (like the wachovia site). The latter concern is totally unforgivable. The user has to take it on faith that the POST is secure.
The .secure TLD doesn't sound like a terrible idea, but wouldn't it be easier to approach this from the browser? We could accommodate the keyboard-averse by having some gui element for "secure" urls, that would behave differently than the normal url bar, i.e. prepend "https://" instead of "http://". On the server side, no more responding to http. Instead show a static page telling the user how to access the site properly.
Apologies if you've already read this, but here is the pdf from the conference.
-
Re:People don't type https://
One of the claims from the presentation (linked in TFA: https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf, PDF file) is "people don't type https:///" -- they reach SSL-enabled urls either by submitting a form (from non-SSL page!) or the result of HTTP redirect. And "that has made all the differences" according to the hacker.
Hmm. I usually reach them from a bookmark. Rather than a special TLD, why not simply a meta tag that ensures anyone bookmarking the page gets the 'S' in the bookmark, even if they came to the non-SSL homepage. I notice, for example, that my bookmark for PayPal says "https://www.paypal.com", even though I'm sure they're reachable via the usual http. My bank's bookmark did not have the 'S', but I just changed it and works fine with it -- it really should have just had it all along.
-
People don't type https://
One of the claims from the presentation (linked in TFA: https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf, PDF file) is "people don't type https:///" -- they reach SSL-enabled urls either by submitting a form (from non-SSL page!) or the result of HTTP redirect. And "that has made all the differences" according to the hacker.
Maybe we need a special TLD for HTTPS-only traffic. Let's say ".s". For a given URL, if the hostname is of ".s" domain but the protocol part is not "https:" (or other secure protocols) then the URL is invalid by standard. A browser should be mandated to use HTTPS for such a host if the URL is given incomplete (e.g. user typing "example.s" rather than "https://example.s/" in the Awesome Bar). It should also fail to use a non-secure protocol even if it's available for a ".s" site during any phase of communication.
I don't think this idea is good enough but it's the first thing coming to my mind..
Also I'd like to know more about another exploit mentioned in the presentation.. the failure to check the "Basic Constraints" field of a SSL cert. Is Firefox vulnerable?
-
Re:It's not a problem with SSL /per se/
It looks like there are a couple of things, but their main one is a man-in-the-middle attack based on the user not paying attention to the browser's SSL flags. See the difference between page 61 and 62 of their presentation: https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
They show on page 69 how it looks once they substitute a lock image for the favicon (if they had wanted to be Extra Evil, they'd have given their fake favicon a blue background, which would have made firefox 3 look exactly like it was SSL protected, except for the S missing in the URL)
They then proceed to show how allowing unicode in the hostname continues to confuse and confound people. Register a cert for *.foo.com, then set up a hostname of www.google.com[unicodeslashlike]login[unicodeslashlike]blah[unicodeslashlike]blah[unicodeslashlike]blah.foo.com and presto, you have a valid certificate for a site that looks more or less like https://www.google.com/login/blah/blah/blah.foo.com, except that it's not hosted by google.
Basically all of these are attacks on the end user, what you do or don't do on the server won't change a thing.
-
Re:(H|Cr)ack attack
While looking for information on Code Green, I came across this 2002 Black hat conference that discusses the possibility of back striking an attacker in the case of the Nimda worm epidemic. http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-mullen.pdf You may be interested in this presentation.
-
Listen to his comments for the full story
Quick note: This article is a spin off of what Eric had to say during the most recent Black Hat Webcast, where Jeremiah Grossman was talking about clickjacking and other related browser issues. Eric made a lot of sense talking about plug ins and addons being the cross platform low hanging fruit.
Listen and watch the webinar to hear what he had to say and keep everything in context:
http://w.on24.com/r.htm?e=122494&s=1&k=05ED21C1734D531D2D84CA56F4ADB0F2
Or download the .m4b audio file when we get it online next week here:
https://www.blackhat.com/html/webinars/webinars-index.html -
Re:In end-to-end security...
Some of us aren't paranoid, but took a look at some of the suspicious things that Skype does and made an educated decision not to trust it.
-
Re:Apple iChat
Why not Skype
Just because you ask: I think some of us don't like a 12MB encrypted binary executable file running on our system that nobody except the creators know what it does.
-
Re:How to prove anything?
-
Re:So, um...
Any more shilling you'd like to do today?
-
Their Blackhat presentation has a great name...
How To Impress Girls With Browser Memory Protection Bypasses.
Game over? Sounds more like "Gentlemen, start your engines."
-
Re:Black Hat Hacker and Power Point
-
Re:Disassembly anyone?
I read a good presentation by people that had tried to disassemble Skype, and basically, Skype do so much to make it very, very difficult. Here's a PDF version of it.
If it was easy, someone would have done it by now, and made Gnype, don't you think? -
Re:Decode the protocol?
It has been attempted. See "Silver Needle in the Skype" presentation at http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf -- The impression I got was that it was deliberately made difficult to understand by adding all sorts of checksums and encryption layers.
-
Physical Memory Analysis
Physical memory analysis is an up and coming challenge for many law enforcement agencies. How can you guarantee that a suspect's computer was not infected by some bad memory-only malware? Current tools only address the hard drive and what it contains. There has been a lot of research into physical memory analysis over the past few years:
Rootkit.com: has been researching physical memory for years http://www.rootkit.com/newsread.php?newsid=130, but in a slightly different context (hiding vs finding).
BlackHat Talks:
http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf
http://www.blackhat.com/presentations/bh-usa-07/Butler_and_Kendall/Presentation/bh-usa-07-butler_and_kendall.pdf
Papers: http://www.stormingmedia.us/50/5037/A503754.html
FatKit: http://www.4tphi.net/fatkit/
Contests: The Digital Forensics Research Workshop is running a Challenge to see who can create the best linux physical memory analysis tool: http://dfrws.org/2008/challenge/index.shtml
Now the commercial world is entering the fray: http://www.hbgary.com/hbgary_responder_datasheet.pdf
I'm looking forward to using some tools that don't require me to keep a notebook of esoteric command lines and a usb key full of dependencies. Not to mention some report friendly output. Should be a good year! -
Some other stuff
Light source analysis was one of several methods used at a talk at Blackhat DC this year. The much more visually impressive tool, for me, was the ability to show quite explicitly what has been modified in a lossy-compressed (like jpeg) image:
http://www.blackhat.com/presentations/bh-dc-08/Krawetz/Presentation/bh-dc-08-krawetz.pdf
Compression analysis tool:
http://www.blackhat.com/presentations/bh-dc-08/Krawetz/Extra/jpegquality.c -
Security Failures in Secure Devices
Christopher Tarnovsky gave an interesting presentation on this related subject at BHDC 2008:
http://www.blackhat.com/presentations/bh-dc-08/Tarnovsky/Presentation/bh-dc-08-tarnovsky.pdf -
Re:Hardware-based security is often vulnerable
Not my realm of expertise, but the two previous posters may like this:
http://www.blackhat.com/presentations/bh-dc-08/Tarnovsky/Presentation/bh-dc-08-tarnovsky.pdf -
Not unbreakable, just very tough
Philippe Biondi and Fabrice Desclaux debugged the Skype executable and protocol for Black Hat Europe 2006.
http://www.blackhat.com/html/bh-media-archives/bh-archives-2006.html#eu-06
Skype has a slew of protections including code integrity checks, anti-debugging techniques, code obfuscation, and Skype network obfuscation.
Incidentally, Desclaux is the author of the Rasta Ring 0 Debugger [RR0D] which is not detected by Skype.
-
Re:In the meantime...
Skype isn't very trustworthy. My favourite link about Skype security. You can't necessarily trust a closed source app with confidential information.
If you need a "ghetto" works-almost-anywhere free secure instant messenger to talk to Alice or Bob, create an account for your friend on your Linux machine and let them SSH in using PuTTY. Then use "write" to talk to each other, or if you're really fancy, use "talk". SSH is great for this because it (a) uses strong crypto, (b) lets you check for man-in-the-middle attacks with its "host key", and (c) destroys the session keys after use. Get Alice and Bob to reboot from a Knoppix CD and you're secure against Windows spyware as well. -
Re:But what's going out?
You have no chance to find out, what Skype really does:
Skype traffic is encrypted and additionally obfuscated.
You have no chance to know, what Skype really sends out or receives.
Skype causes also a lot of traffic when you are not using it for a voice call. This is because of the p2p-design: If you are running Skype your computer is used to help others communicating.
For details see the presentation A Silver Needle in the Skype from EADS experts:
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
Face it, you really have no chance to find out, what Skype does: -
Re:My old single sign-on method
Unfortunately, this can be trivially broken as described in the following presentation about OpenID security
-
Re:Just move BlackHat off the US!
Blackhat already has meetings in Europe (Amsterdam?) and Asia (Japan?). http://www.blackhat.com/html/bh-europe-06/bh-eu-06-index.html -
Absolutely right
Absolutely right! Halvar is extraordinarily talented and it will be a terrible shame if his class is canceled. But it starts on Monday, so unless they do it by video conference I can't see him making it. I still hope to see him when I fly to Vegas on Thursday, but the odds aren't good :(.
I'd like to know just what the immigration department expects US conferences to do when bringing in foreign speakers. Halvar says they wanted to treat him like an "employee" of BlackHat and get an H1-B visa. But that is ridiculous as it is a multi-year process. Halvar thinks coming as a representative of his own German company will help, but we shouldn't have to require that foreigners incorporate just to give a simple presentation or training class here.
I'm an American who has been paid to give presentations and training in many countries, including Germany. And I've never been hassled by their immigration dept. or received any special visas. So it's embarrassing and harmful that the US subjects visitors to our country to all of this crap (including the fingerprinting and pushing other countries toward RFID passports). It's no wonder that many conference producers, including BlackHat, have been increasing the number of cons held offshore. The US just isn't seen as a welcoming place.
Pardon the long rant, but I hate seeing my friends put through this. And I'm sure similar things happen to thousands of people we don't know every day. Also, if those of us in the US don't fix our system, other countries might copy it and then we'll have to deal with this shit when we travel.
-Fyodor
Insecure.Org -
Skype is good?
Skype is a closed network with a secret protocol. And Skype is scary. Who knows how many more security holes lurk under their many layers of obfuscation? You're taking quite a risk if you let Skype onto your network.
I'm not saying this in order to troll, I'm just trying to correct widespread misperceptions about Skype, characterised by the belief that it's in some way better than yet another phone company. If you can, use a SIP-based IP phone instead. There are lots of SIP programs to choose from, they interoperate, if you want to dial out onto the PSTN there is a choice of providers, and you can get GPLv2 source code for the client. Far better than Skype's closed network and closed source monoculture. -
Re:What about me?
Now I wonder if they can/do tap into Skype... Fundamentally, this is akin to the DRM issue. Those that want to make calls and talk about anthrax will use modes of communication that aren't monitored and those who pay the penalty are Arab looking Indian dudes... *sigh*...
Skype is a closed network, with a secret protocol. Although the traffic is encrypted, there has been much speculation that backdoors may exist. Indeed, some have been found, although these are bugs and design flaws rather than law enforcement wiretaps. But there is no reason why official wiretaps could not be added at any time. As the source is not open for public review, and each client will execute digitally signed updates, your privacy could be compromised at any time without your knowledge. (Of course, this is also true of any update service that downloads binaries.)
Don't trust closed software with your secrets, whether commercial or personal. You can use a free software VOIP program like Wengo instead, and make it secure using an encrypted VPN (e.g. OpenVPN). -
Re:bogus remarks
(though your link doesn't show that security researchers are concerned at all--just one researcher who was looking to be published)
His full paper on the matter is here: https://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf
Also, I made another post right below this one that contained a link to a paper he did on storing extra code in the PCI cards themselves.
storing settings, which are data isn't going to recompromise the system unless there is a vulnerability in the software which reads and uses that data.
Q: How are settings loaded under Unix systems?
A: Executable Shell Scripts.
"Just" having the hard drive available will do nicely. -
Re:BIOS rootkits are a myth
Try these papers, you dip:
http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf
http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf
Also, TFA links off to the Invisible Things website which DOES mention BIOS rootkits. -
Re:bogus remarks
Last time I checked I could pass some "toram" parameter to a lot of Live CDs, making the system run perfectly fine, entirely in memory, on my old P4 / 1 GB of ram.
This is a possibility, but you're assuming that the system contains enough RAM to store all the necessary applications and datasets for the operation of the computer. Your anecdote does not prove that every machine can afford to load a complete OS into memory.
I seriously doubt that, today, a BIOS malware could be sufficiently advanced to act as a real root-kit.
Like it or not, security researchers consider it a real threat.
And you explain me how you remotely install a BIOS on a system that requires changing a jumper before you can flash the BIOS.
If you have a physical block in place, then one would think that you should be safe. Not all systems have this jumper, or have it set to prevent flashing by default. Also, an attacker with physical access could change the jumper setting. (See my original post above.)
Remember that you were replying to someone talking about running a system of a live CD. If the system has no hard disk, explain me where your hypothetical, urban legendary, hypervisor rootkit would reside?
If you were paying attention, I addressed that issue. If the computer stores settings anywhere (either a hard drive OR removable flash drive), then it is vulnerable. And let's be honest. How many users are going to create a new system layout and reburn it every time they want to change their system? Unless we're talking about an appliance device, not many. -
don't be a Slashdot strawcommenter ~ Re:O Rly
Skype is encrypted by default, not to mention stealthy (uses port 80 plus p2p-ish networking).
Once upon an Internet, Bill Clinton signed an executive order classifying encryption as munitions. -
Re:Note to Editors
Seriously, why couldn't some kind of "GOOD" botnet be created that does this?
There does exist a "GOOD" worm for this.
From http://www.blackhat.com/html/bh-federal-06/bh-fed-06-speakers.html
Nematodes - Dave Aitel, CTO/Founder, Immunity, Inc.
This presentation presents concepts for taking exploitation frameworks into the next evolution: solving complex security problems by generating robustly controllable beneficial worms. The Why, How, and What of Nematode creation are discussed, along with some concepts in Mesh routing.
-
Wrong On So Many Levels
Wonderful for "clean room" hardware software.
"Whether Torrellas's technology will make its way into commercial computers, however, is uncertain. "Their analysis of where bugs occur is excellent," says Wilson Snyder, a principal engineer for the high-performance computer-hardware manufacturer SiCortex, based in Maynard, MA. "It provides a good, detailed look at signals that should be analyzed to discover bugs." Hardware manufacturers could learn from the basic research behind Phoenix, Snyder says, and use it to eliminate hardware problems before chips hit the stores. But he questions whether manufacturers would ever implement Phoenix itself. Adding Phoenix onto an existing chip would take time and money, he points out."
For your Sister's computer ... not so much:
Joanna Rutkowska:
http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html
Black Hat Conference:
http://www.blackhat.com/html/bh-federal-06/bh-fed-06-speakers.html#Heasman
http://www.blackhat.com/html/bh-dc-07/bh-dc-07-speakers.html#Heasman
[sarcasm]
You can then just bypass the need for virtualization and just run a straight Malware OS(TM), saving us the bother of even using the web's intertube pipes for work - hell, you might even get a cut of all that "Bank" action from our new Overlords, which, of course, we'd welcome.
[sarcasm] -
intended use ? ..
'A boot disk like this wouldn't be useful for compromising a system in the traditional, and it isn't intended as such'
I would have thought that what it actually does is more important than what it is intended to do, which is to bypass the whole security mechanisms of Windows Vista.
was .. Re:and in a related story... (Score:5, Distraction) -
Defcon presentation
Here it is http://blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf SOOoooo many selfobfuscating features.... It's overkill, it's useless... As for DRMs: what could one do with all this money if such huge costly features weren't implemented? So many things ! -
Re:Hmmm.....what could you do with this?
http://www.blackhat.com/html/bh-europe-06/bh-eu-06-speakers.html
That Blackhat link is very interesting, thanks. Deliberate spying behaviour aside, Skype doesn't seem a very trustworthy app!