Domain: shmoocon.org
Stories and comments across the archive that link to shmoocon.org.
Comments · 27
-
Biology and Computer Science Two Way Street
Last month, at ShmooCon a talk was given about spatial analysis of malware samples. The technique is borrowed directly from bioinformatics. This is a great example of techniques from Biology being used effectively in the IT security realm.
I hope that the researcher involved in naming organisms based on hash algorithms chooses context triggered piecewise hashes (CTPH) AKA fuzzy hashing or a similarity hash algorithm rather than an algorithm like SHA512. Google's simhash or at least the ideas of this type of algorithm would lend itself much better to the naming of organisms.
FYI: a FOSS implementation of fuzzy hashing is called ssdeep. The project site is here. This is an implementation that is widely used in open source malware analysis tools like Cuckoo Sandbox. -
Shmoocon
Cool, I'd proposed something along this line of research in a talk I gave at Shmoocon this year.
OK I'll go read TFA now.
-
Re:Hugs My Gorgeous Android Nexus One
Let me guess....you do not have, and have never had a girlfriend.
Anyway, this talk at Shmoocon opened my eyes quite a bit. Users jailbreak their iPhones for whatever reason, then leave them flagging insecure on the network. While AT&T have taken steps to mitigate some of the vulnerabilities introduced by n00bs pwning their iphonez, it's still not 100%.
Think your cable company would still let you buy their on-demand shiat if you'd rooted your cable box? How about Windows Update and Microsoft?
It's not like Android is really that open a platform, and it wouldn't surprise me if other carriers start doing similar things to rooted Android devices.
The iPhone is a wonderful device that works fine for 90% of the users, just as it's supposed to. This feigned outrage at Apple is disgusting.
-
You *can* detect encrypted bittorrent
Encrypted torrent traffic can - to my knowledge - not be detected by the ISP
See http://www.shmoocon.org/2007/speakers.html for Rob King and Rohit Dhamankar on "Encrypted Protocol Identification via Statistical Analysis".
Here's a brief recap: by looking at {mean value, variance} of {packet size, interpacket delays} going {up, down} and packet entropy for a specific flow, you get a point in a nine-dimensional space. Encrypted protocols tend to cluster together.
So here's the ISP algorithm: Measure a flow, find its nearest cluster, guess that behind the encryption is traffic of the protocol belonging in that cluster. If bittorrent, kill.
Note that Rob & Rohit don't look at how many simultaneous connections you make. That also tends to give away P2P traffic.
So the ISP can see you're P2P'ing. They can't detect whether it's illegal, or who should sue you, but they can (probably) see it's bittorrent.
-
Re:This is the tool Prajakta Jagdale spoke about..
-
Re:Why they bother to try?
We can encrypt bit-torrent files so they wouldn't be able to tell the difference between P2P to normal traffic. Sheesh.
Wrong!
Watch Rob King and Rohit Dhamankar's talk about identifying encrypted protocols, at http://www.shmoocon.org/2007/presentations.html
The short version: by looking at packet sizes and interpacket timing going up and down (plus the entropy and traffic difference), you can identify which protocol is being talked over the encrypted channel.
The problem is that each individual TCP segment is iron-clad encrypted, but the relationship between TCP segments can't really be hidden that well.
For P2P, at the ISP level, you can also look at how many connections are being made to any one of your customer's ports.
Encryption doesn't hide the protocol of the message, in the case of IP. Sadly :( -
Re:Let them filter!
The ISPs can probably identify the protocol used, even if it's encrypted:
http://www.shmoocon.org/2007/presentations/PISA.ppt
http://www.shmoocon.org/2007/videos/Encrypted%20Protocol%20Identification%20via%20Statistical%20Analysis%20-%20Rob%20King%20and%20Rohlt%20Dhamankar.mp4
http://www.shmoocon.org/2007/presentations.html
Note that their method just looks at the packets. If you also know that the packets originate from a network that only has one customer/peer relationship, and that relationship is with you, you can look at the number of connections with the same protocol as well.
I'm not sure that it's clear we can win the arms race; at least, not in the near future.
-
Re:Sounds tough
If your anti virus software uses nothing more than a file name to tag an executable as malicious you might want to think about acquiring some better AV software. If you want to know how AV really works (and how to defeat one that doesn't use methods like heuristics) take a look at http://www.shmoocon.org/2008/videos/Backtrack%20Demo.mp4
-
Re:Er, no.
Kinda useless. Also, kinda not new: go to http://www.shmoocon.org/2007/presentations.html and look for "Rob King and Rohit Dhamankar - Encrypted Protocol Identification via Statistical Methods".
Upon observing a flow (as it is going on), they can identify which encrypted protocol is being used. I imagine tunneling things through ssh would only change the entropy (it's a different encryption), not how big the packets are or when they're being sent; at least not by much.
Whether King and Dhamankar generate training data for ssh+$PROTO is a different question, but I think it should be fairly easy to do.
-
Re:When on /. did QoS become "gagging the Internet
How can you tell if someone is using a secure SSL connection for work related purposes (Email, large file transfers, terminal services) and someone that is using SSL for bit torrent?
You look at the mean and variance of packet sizes and interpacket time delays going in each direction, plus the entropy of the data and the server-to-client traffic ratio (or difference, forget which). That's what these guys (warning: mp4 video) did.
And as an ISP and not just a man in the very middle, you can count the number of connections which have a similar set of values for these ten parameters.
-
Re:throttling from bell and rogers
They don't need to inspect the packets to identify them as p2p
Uhh, yes, they do
Uhh, no, they don't, actually. There are things besides the data that give away encrypted protocols. Parameters previously used: {mean,variance} of {client-to-server,server-to-client} {packet size, interpacket time gap} and the (Shannon) entropy [1]. You could probably also look at the port numbers, how often the TCP PSH flag is used, and how many connections with similar parameters have already been made.
[1] http://www.shmoocon.org/2007/presentations.html and (mp4 warning) Encrypted Protocol Identification -
Forbes obviously missed Shmoocon...
http://www.shmoocon.org/
The presentation will probably be available on the Shmoocon website in the not too distant future. Forbes did the standard mainstream media muddling so check with H1kari for the real deal... -
Re:Favor me with a short answer
Here's the short answer: RFIDiots, 35 minutes into the presentation. More Shmoocon 2007 presentations.
-
Re:Some Canadian ISPs are going a step further
Of course, they simply cannot tell the difference between HTTP over SSL and... well, anything else over "SSL"...
Watch and learn, my young padawan (mp4 warning): http://www.shmoocon.org/2007/videos/Encrypted%20Protocol%20Identification%20via%20Statistical%20Analysis%20-%20Rob%20King%20and%20Rohlt%20Dhamankar.mp4
Spoiler alert: look at the {mean, deviation} of {packet sizes, interpacket delays} of data {sent, received}, and the (Shannon) entropy. That gives you an n-dimensional space to map out an encrypted protocol in. Plot the usual suspects: https, ssh, sftp, skype, vpn and what have you. When watching an unknown flow, find the closest known point in your n-dimensional space, according to the standard Eulerian distance. That's usually a good guess. -
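The fingerprinting that the "You *can* detect encrypted bittorrent", "Re:Let them filter!" and "Re:Some Canadian ISPs" comments describe, in runnable form, as an added example that is not from any commenter and not from King and Dhamankar's talk: the nine-feature vector ({mean, variance} of {packet size, interpacket delay} per direction plus Shannon entropy of the payload) and a nearest-centroid lookup by Euclidean distance. Every flow below is constructed synthetic data, not a capture; the feature layout, the z-score scaling applied before distances are compared, and the distance cutoff that yields "unknown" are my own choices, not the talk's.

```python
"""Statistical protocol fingerprinting of an encrypted flow.

Added example: the nine-feature vector the comments describe
({mean, variance} of {packet size, interpacket delay} per direction
plus Shannon entropy of the payload) and a nearest-centroid lookup.
Every flow here is constructed synthetic data, not a real capture.
"""
import math
import random
from collections import Counter
from statistics import mean, pvariance

# A packet is (timestamp_seconds, direction, payload_bytes), where
# direction is "up" (client -> server) or "down" (server -> client).


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flow_features(packets):
    """Nine-dimensional vector for one flow:
    [mean size up, var size up, mean gap up, var gap up,
     mean size down, var size down, mean gap down, var gap down,
     payload entropy]. Gaps are between consecutive packets of one direction."""
    vec = []
    for direction in ("up", "down"):
        pk = [p for p in packets if p[1] == direction]
        sizes = [len(p[2]) for p in pk] or [0]
        times = [p[0] for p in pk]
        gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]
        vec += [mean(sizes), pvariance(sizes), mean(gaps), pvariance(gaps)]
    vec.append(shannon_entropy(b"".join(p[2] for p in packets)))
    return vec


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class NearestCentroid:
    """One centroid per labelled protocol; features are z-scored first so
    byte counts and sub-second gaps weigh equally in the distance."""

    def __init__(self, labelled_flows):
        feats = {lab: [flow_features(f) for f in flows]
                 for lab, flows in labelled_flows.items()}
        pool = [v for vs in feats.values() for v in vs]
        dim = len(pool[0])
        self.mu = [mean(v[i] for v in pool) for i in range(dim)]
        # a constant feature gets sigma 1.0 so it contributes nothing
        self.sigma = [math.sqrt(pvariance([v[i] for v in pool])) or 1.0
                      for i in range(dim)]
        self.centroids = {lab: self._scale([mean(v[i] for v in vs) for i in range(dim)])
                          for lab, vs in feats.items()}

    def _scale(self, vec):
        return [(x - m) / s for x, m, s in zip(vec, self.mu, self.sigma)]

    def classify(self, flow, max_distance=None):
        """Return (label, distance); 'unknown' when no centroid is within max_distance."""
        x = self._scale(flow_features(flow))
        label, centroid = min(self.centroids.items(), key=lambda kv: euclid(x, kv[1]))
        d = euclid(x, centroid)
        if max_distance is not None and d > max_distance:
            return "unknown", d
        return label, d


def make_flow(rng, n, up_size, down_size, down_ratio, gap, jitter):
    """Constructed synthetic flow; random payload mimics ciphertext entropy."""
    t, packets = 0.0, []
    for _ in range(n):
        t += max(0.0, rng.gauss(gap, jitter))
        direction = "down" if rng.random() < down_ratio else "up"
        nominal = down_size if direction == "down" else up_size
        size = max(1, int(rng.gauss(nominal, nominal * 0.1)))
        packets.append((t, direction, rng.randbytes(size)))
    return packets


# Constructed profiles: a download-heavy web-like flow and a symmetric
# swarm-like flow. These numbers are illustrative, not measured.
PROFILES = {
    "web-like": dict(n=40, up_size=120, down_size=1400, down_ratio=0.8, gap=0.02, jitter=0.005),
    "swarm-like": dict(n=40, up_size=1000, down_size=1000, down_ratio=0.5, gap=0.05, jitter=0.04),
}


def build_classifier(seed=1, flows_per_label=3):
    rng = random.Random(seed)
    training = {lab: [make_flow(rng, **p) for _ in range(flows_per_label)]
                for lab, p in PROFILES.items()}
    return NearestCentroid(training)


def demo(profile="swarm-like", seed=99, max_distance=None):
    """Classify a fresh flow of `profile` the model never saw; returns (label, distance)."""
    clf = build_classifier()
    unseen = make_flow(random.Random(seed), **PROFILES[profile])
    return clf.classify(unseen, max_distance)


if __name__ == "__main__":
    print(demo())
```

The z-scoring is the detail the comments skip: a raw Euclidean distance over byte counts and second-scale gaps is dominated by the size columns. The `max_distance` cutoff is the other practical safeguard; without it every flow is forced into some known cluster, which is how a classifier of this kind starts mislabelling traffic it was never trained on.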
Saw this at Shmoocon last year
http://www.shmoocon.org/2007/presentations.html
Scroll down to Sunday - March 25th, 10:00 am presentation
Joel Bruno and Eric Smith
VOIP, Vonage, and Why I Hate Asterisk
You can download video of their presentation.
Basically, intercepting RTP (voice traffic) is as trivial as any other traffic.
The question is, does the equipment respond to unsolicited ARP replies? -
Re:Protection of larger corporate umbrella
-
Video/Overview of Acidus's presentation
Here is a video of Acidus's presentation. If you haven't seen him present before (At Hope, O'Reilly's E-Tech, Toorcon, Phreaknic, Interz0ne, etc, etc) he puts on a good show.
The presentation was called: Layer 7 Fun: Extending web applications in interesting ways. He discusses how traditional web applications work -vs- "new" web apps that use AJAX. He talks about writing extensions to web apps using an API supplied (ala Housingmaps.com, or chicagocrime.org). Finally he talks about writing an extension to a web app where you don't have access to an API. TinyDisk was a case study for writing these so-called "non-sanctioned" extensions. He has a funny little slide he goes back to about how to properly implement a web app (which TinyURL fails to do). Things like "don't allow users to upload arbitrary amounts of data directly into your database."
Funny Stuff. His upcoming talk at Shmoocon seems pretty cool too.
-
Re:ya
If you're typing in the HTML formatted comment box, remember that (take away the _) does the same work as an enter key.
I'll post my comment from Fark below:
This isn't that new, as I heard a presentation on it at ShmooCon in DC earlier this year. The blurb about the presentation reproduced below from this page.
"Old Skewl Hacking: Infra Red - MMIrDA (Major Malfunction's Infra Red Discovery Application)" Major Malfunction
Major Malfunction spends a lot of time travelling. Consequently he spends a lot of time in Hotels. Hotels have Pay-Per-View. Hotels have infra-red remote controlled TVs. And so, to while away the hours, MMIrDA was born...
Infra Red is all around us. Most of us will use an Infra Red controller on more or less a daily basis, to change the TV channel, or open a car or garage door, but how often have you thought about how it actually works? This talk will describe not only how to analyse the signals being sent by your remote, but also how to use that information to find hidden commands and reveal functions you didn't even know your systems had. You will learn how to brute force garage doors, car doors, hotel pay-per-view TV systems, take over LED signs, vending machines and even control alarm systems, using cheap or home made devices and free software.
DEFCON Goon since DC5. White Hat hacker since the late 70s. Co-founder of InterFACE, one of the earliest Internet streaming pirate radio stations (1995).
/got into ShmooCon for free //no didn't sneak in ///free passes for DC2600 members -- hope they do it again -
Re:Inspiration...
This is old news and was discussed at ShmooCon in February 2005:
http://www.shmoocon.org/2005/program.html#major -
A hacker con is being held in DC
starting today. Today the FBI's mail server gets Pwn3d. Hmmmm. Nah, those two things couldn't possibly be related...
-
This is NEWS? "Baaaaaa", goes the mindless sheep.
Could've sworn I publicly demo'd how to steal T-mobile, PayPal, E-Trade, you name it passwords from users with rogue APs ummm... almost 2 YEARS AGO.
http://airsnarf.shmoo.com
Maybe we just don't pay news organizations enough to pimp our shit and get some Slashdottin'? Shame on us.
We're obviously slacking, but the world better wake the fuck up. Slashdot, too. And maybe university professors with eureka-look-what-hackers-have-been-doing-forEVER moments.
FYI, we're hosting a hacker conference in D.C. in a couple weeks--just in case you want to get a head start on the news items that Slashdot will pick up on 2 years from now.
Sincerely,
Beetle
The Shmoo Group -
Knows what he's talking about
Humphrey is totally in the field with his Tom's Hardware write-ups. Remember when he was the pilot Warflying over LA?
Later that day, I talked to the fed who got nabbed in that spot the fed video. He was running Kismet when he got called up. Others around him whispered "He can't be a fed, he's running Kismet". Don't be fooled. I think some of these fed types dig technology as much as any hacker.
The Bluesniper rifle by the guys at Flexilis is so cool - I built the bluetooth gear for them from the kits on my bluedriving.com site. And I had a chance to look through the scope at DefCon, but didn't get to bluesnipe anyone with it yet.
The Shmoo Group has another rad wireless sniper rifle they showed at DefCon. (I think the Flexilis guys got the bag on Shmoo this time for walking in the first day carrying the rifle.) Check out Shmoo's build-it instructions: LINK
--
Carbolic
www.bluedriving.com