If Cane Toads, why not computer viruses?

Those in the Australian state of Queensland are having a cull of cane toads, a pest.  I don’t know whether it would work, but the mass reduction of a pest population is, generally speaking, a good thing.  It may not eliminate the problem once and for all, but a sharp decrease in population is usually better than a constant pressure on a species.

So, is there any way we can get some support going for a mass cull of computer viruses?  Most currently “successful” viruses are related to botnets, and botnets are often used to seed out new viruses.  Viruses are used to distribute other forms of malware.  Doing a number on viruses would really help the information security situation all around.  (I have, for some years, been promoting the idea that corporations, by sponsoring security awareness for the general public, would, in fact, be doing a lot to reduce the level of risk in the computing and networking environment, and therefore improving their own security posture.)


File upload security recommendations

In my security career, I have always found file upload module to be one of the most favorite playground for hackers. There are many detailed documents mentioning the guidelines for following secure upload mechanism. Going through them will surely give you a sense of high level of insecurity in file upload module.

So jotted down points which I would take care or recommend for secure uploads.

Proper file type checks: Check for atleast basic parameters like filesize, mime-type etc and allow only a selected MIME type wherever possible. Make a white-list of file extensions to be allowed for upload. Try to keep away from executable files and scripts where possible. Set minimum and maximum file size for upload. This will prevent Dosing the webserver by uploading huge files and exhaust the storage space.
Random filenames and folder: Do not allow user input to specify the destination directory or file name of uploaded documents. Good practice is to rename the document to some random value and track them in your Database. In short guessing the name of the uploaded file should be made difficult for the attacker.

Upload Directory Security: Upload all files outside your web directory. Possibly separate the upload directory from application and system directories/drive. This can help mitigate issues related to resource exhaustion & directory traversal. Set proper folder permissions (chroot() ). Do not allow user to choose the upload folder. Avoid giving writable permissions to users. Instead webserver like apache can be given writable permissions while preventing users from RWX access on the upload folder.

Prevent users from directly accessing the files in the upload directory. Files can directly be stored on the server or other alternative would be to store the files as blobs in database instead. However blobbing for very large files can affect DB performance and also the malicious data if uploaded will be directly saved in database without validating.

Neutering the file like renaming it to some random value or XORing or compressing the file in some way so that the OS doesn’t interpret it as executable etc. will help increase the security barrier.

Anti Virus Scan: Scan the upload files for any virus or malicious content. You can even try out ModSecurity which has a feature for inspecting files on upload, which you can combine with some antivirus. The advantage is that you get to block the HTTP request before the file even gets into your system. Alternatively files can also be scanned immediately just after it is uploaded. Both are affective in their own way and can be adapted accordingly depending on their implementation challenges. Other content filtering techniques include icap or CVP which are worth a thought.

File name Validation: While allowing users to upload the files, we allow them to specify the name the files should be referred to. Application should validate these file names for any XSS attacks.

Uploading and saving uploaded sensitive documents in encrypted form: Sensitive data needs to be uploaded via SSL and saved on the server in encrypted form to protect against eavesdropping. The file can also be encrypted while uploading instead of doing so while saving on the server. There are different products which can help you do this like AspEncrypt etc.


Page tokens: Use unique tokens for upload forms. This can help mitigate the less known Cross-site File Upload Attacks. Thus the attacker cannot upload malicious or illegal content on victim’s account. And if the victim is a web-admin, attacker can help himself upload any malicious file to the directories which is otherwise restricted to other users.

Error page: Do not reveal too much info in the error page like the directory path etc which can help attacker in further attack. Use customized error page.

Proper verb: HTTP POST verb is preferred over HTTP PUT or GET verb as it is comparatively more secure.

ACL: Limit “upload module” access to required users or groups wherever possible.

Logging user activities: Log all activities of the user like in this case, IP of user, size of the file, directory to which file was uploaded etc. This is help us know if any attacks were made against your server and if they were successful.


Major Browsers Pwnd

0day exploits for Internet Explorer, Firefox, and Safari were used to own machines at the Pwn2Own contest @ CanSecWest 2009. Is now the time for someone to port Windows 3.1 to MIPS and install a good telnet client? Roffles.

Credit www.dailygalaxy.com for the fierce FF/IE photo :)


The R(evolution) of Bug Hunters

Getting real money for computer security research is making its way from early development and ideas to mainstream, and bug hunters probably have mixed feelings, like teenagers. Its an interesting concept that might actually work. What will become of the vulnerability market when something like this becomes popular?

Either way, these guys are basically saying no more freeloading, Mr. Vendor.


Exploiting our security models?

I’m sitting in CanSecWest.  We’ve just had a talk on platform-independent static binary code analysis.  (It isn’t really platform independent: just translating from specific instruction sets.  Not that it isn’t cool: REIL is a sort of RISC version of an assembly version of pseudocode.)  The presentation, and what they’ve done so far, is fairly abstract.  They are approaching the analysis with a type of Turing machine, and, with a sort of lattice-based state machine model, hoping that the transforms they can see with their model, are close enough to what the actual program will do in an actual machine in order to tell you if there is teh possibility of a bug or an exploit.

So, it’s kind of complex.  We are applying some highly abstract, theoretical stuff, pretty directly to the real world.

Now, in the abstract world, it’s been more than 25 years since Fred Cohen proved that this type of thing will never completely work.  Either you are going to get an infinite number of false positives (false alarms, where you spend time chasing down problems that aren’t problems), or an infinite number of false negatives (which is our current situation with security: our tools aren’t telling us about the problems that do exist), or both.

(One of the authors responded to this point that he chose to err on the side of false positives.  A reasonable position if you are doing research.)

However, this system is so complex that it got me thinking: they are hoping that the model and transforms they have put together is close enough to reality that it will give them useful results and help, but they really don’t know.  What if we are now to the point where our security tools and models, themselves, have gaps that can hide problems, and be exploited?

(There was a reason the original security models were so simple …)


uCon Security Conference 2009

uCon Security Conference 2009 materials have been released!

Advanced SQL Injection Slides  
Hacking PDF Readers Slides  
Intro to Windows Kernel Security Development Slides  
From theory to practice: Bringing down the house with EXTENDED DHCP Exhausting Attack Slides  
Practical (Introduction to) Reverse Engineering Slides  
Secure Log Centralization, Analysis & Security Visualization Slides  
Ut cognitione visus: ut ipso intellecto – BinNavi v2 Slides  
GSM For Fun and Profit Slides  
Dispelling the myths and discussing the facts of global cyber-warfare Slides  
Advanced Payload Strategies: What is new, what works and what is hoax? Slides

Carder spam or not?

I received this email today:

Good morning!

I inform you about site http://carder.su where people trade in stolen credit cards. As i’m a holder of visa classic i’m sincerely
exasperated at appearing such sites in your hosting. I beg of you to take strong measures and don’t be indifferent to heart-break of other people. This complaint will be sent to the FBI.

Best regrads, Jon Shirov.

At first I was shocked, why would someone allow such a site to still be up even though someone reported it to the FBI. I had to do something.

Rushing to the rescue I looked at the site and it appears to be a pretty straight forward scam-sell site, you come there and buy stolen goods.

Why have I been notified only now I wondered… I looked back in my spam log and what do you know the same email appears more than once in my spam folder with different names, dates and of course email addresses :)

I am not sure what the scam/spam’s purpose is, apparently they want you to go to their site and see what they have to offer – you might be a potential customer to their operation.

I of course didn’t dig in to the site, nor am I interested in buying anything found there – on the other hand I will also not report this to the FBI as the site is not hosted inside the United States (It is hosted in Russia), nor is its domain under a US registrar (ends with a SU).

Whoever knows of a place to report such sites to please let me (us) know.


Everything new is old again – vulnerability management

Yes, we have to know, and assess, and analyze, and manage, vulnerabilities.  Yes, it is a complicated task.  So now this is the next big thing, is it?

Well, when you look at it, it is the same task we have always had to do under the name “risk management.”  Except that it is in a smaller compass and more limited extent and application.  Nothing particularly wrong with concentrating on one aspect at a time–as long as you realize that is what you are doing.  Not thinking that you are somehow seeing something new.


Code Red, the BBC, and the Computer Misuse Act

Early in this decade, well before I became assimilated by the anti-malware industry, I sat in my office in Birmingham (the one in the UK) and argued vehemently with another independent researcher (now deceased, sadly, but I won’t name him anyway).

He’d had an idea about the Code Red worm problem that was currently very high on the public radar: why not use the same infection mechanism to send a worm out looking for machines that hadn’t been patched to address the IIS vulnerability that Code Red exploited, and force vulnerable machines to patch?

As I remember, I argued that:

    It would alienate him from other members of the research community: many of us have signed Codes of Conduct that would expressly forbid that approach

    It would make assumptions about the target machines and their owners that he wasn’t entitled to make

    It would involve unauthorized access and modification to other systems, which is specifically addressed in criminal legislation in many, many countries. (Including the United Kingdom, where we both lived, but I’ll come back to that.) So actively illegal (in some places) as well as ethically flaky.

    It would add legitimacy to those malware authors who add minimal disinfection of other malware to their creations, probably in the forlorn hope of persuading a jury that their intentions were good, if they ever find themselves in dock

    If you make a coding error in a non-replicative utility that causes damage to a system, there’s usually some means of fixing it, and at worst the damage is localised. If you make a coding error in a utility that self-replicates, then a lot of people are going to have to live with it, and you won’t be able to do much about it. Unless you want to get into a cycle of send out worm, send out worm to fix bugs in first worm, send out worm to fix bugs in second worm, send out… well, you get the idea. Too many potential bugs travelling by bug.

Well, he seemed convinced by my arguments: though “good” worms that took the same approach were discussed elsewhere and some examples of such code eventually made it into the outside world in some form, I have no reason to suppose that he had any connection with any of them.

Fast forward to 2009. The BBC’s Click program, to be screened on March 14th, “managed to acquire its own low-value botnet…after visiting chatrooms on the internet.” In order to demonstrate its own clevern… – sorry, in order to demonstrate “botnets’ collective power when in the hands of criminals” it set up “its” botnet to send pseudo-spam messages to a couple of email accounts they’d set up specifically for this purpose. Then the presenters used it to carry out a DDoS (Distributed Denial of Service) attack on a server belonging to a security company, with that company’s permission.

Then Click changed the Windows desktop wallpaper on the infected machines to let their owners or users know that their machines had been part of a botnet and advise them on steps to take to secure their machines, and “destroyed its botnet”. (I presume that means they removed or somehow deactivated the bot/agent malware on each infected machine.)

So what does this have to do with my deceased friend? Primarily, the Computer Misuse Act. As Graham Cluley has argued at some length and very convincingly on his blog today, the BBC’s actions may have put it at risk of contravening the UK’s primary legal defense against direct attacks on computer systems. The BBC tell us that they didn’t break the law because they had no criminal intent.

As Ken Bechtel once remarked, AV researchers would make poor lawyers because they’re incapable of passing the bar. Well, I’m not in a bar at the moment, but I’m not a lawyer either, so don’t take this as being in the least authoritative. But I have to wonder whether Click passed this in front of the Beeb’s legal department.before they undertook this exercise.

As I understand it, the defense of criminal intent has been defined in English law as “the decision to bring about a prohibited consequence”. The 1990 Act defines the computer misuse offences as:

1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised modification of computer material.

The Act also defines an individual’s guilt according to whether he uses a computer to “secure access” to a program or data held in any computer, whether the’s authorised to secure that access, and whether he knows that his access is unauthorised. I don’t think there’s any doubt that the BBC were not “authorised” to access or modify programs or data on these machines by their owners.

In some jurisdictions, there’s a potential defence where no measures were taken to protect the victim’s machine, but an amendment to introduce that possibility into the 1990 act was rejected.

Criminal liability is, apparently, normally measured according to whether (a) a criminal act was committed (b) the person who committed the act intended to commit a criminal act. So intent (mens rea, often freely translated as “guilty mind”) is important. But in this case, I suspect that if the incident went to court, the question might be not “did the defendant intend to break the law?” in the general sense of becoming a “real” botherder, but in the sense of committing an offence (actus reus, a criminal act) under the provisions of specific legislation. However benevolent its intentions, did the BBC know it was in breach of the Computer Misuse Act? Did they actually buy a botnet? (If so, they might want to bear in mind the case of virus author Christopher Pile, one of the few people actually convicted under the CMA, who was convicted of knowing inciting others to cause unauthorised modification, as well as doing so himself.

As far as I can tell from the BBC’s article, the program presenters were perfectly aware that they had no authorisation to access any of those 22,000 machines. As far as I can tell from the wording of the Act (but remember that I have no legal training whatsoever!), it doesn’t take into account the fact that it might be broken for benevolent purposes: either your access is authorised, or it isn’t.

On the plus side, little or no “real” harm was done. The BBC sent itself multiple email messages to two accounts specifically created to receive them. Perhaps Prevx’s reputation has suffered slightly from the revelation that the server against which they allowed the BBC to launch a DDoS attack became inaccessible so quickly: according to Click, it took just 60 machines to bring it to its knees. But perhaps it was configured to collapse easily, for a more effective demonstration.

The unprotected machines were presumably (at least temporarily) relieved of the malware which gave the BBC access in the first place, and hopefully some of their owners learned something from the experience. (I have to wonder whether and how the BBC were actually able to check that their action didn’t have any ill effects on all 22,000 of those systems…)

I don’t know if the BBC or the Click presenters are guilty of anything in legal terms: I do think they’ve failed to think things through properly…

Small Blue-Green World
Director of Malware Intelligence ESET


It’s fun being other people

As I wrote before, I have a very nice gmail address that doubles as an email honeypot.

This is a fun way to pass the time. First, I have a unique peak into other people’s lives. Second, I can see how people treat the possible situation of sending email to the wrong address.

One “Aviram” was on some kind of PTA mailing list. At some point they figured out they are CCing the wrong address and I no longer know what each person brings to those meetings, which is a shame.

Another “Aviram” is co-producing a TV show – seems like some kind of a reality show. If I ever need to know how to convince a “rich bitch” celebrity into joining a reality show that could be useful information. If it ever materializes into an actual show I promise to leak the identity of the winner in this blog.

A more interesting recent addition is the “Aviram” that signed up to a religious dating site. What is so interesting about a bunch of 21 yo girls who are looking to marry? Well, the dating site sent me a registration confirmation to my email, without actually checking if the email is correct. Now all I need to do is login (by selecting “forgot my password”) and change his password, and he is forever locked out.

But to top it off, the site started sending me alerts (it seems there is no shortage of young females looking to marry at this age) and every alert includes: you guess it, the username and password inside the email. And some place on the Internet a lonely guy is waiting for his solemate not knowing the mailbox is overflowing with candiates.

Probably my favorite email received was a confirmation that the transfer for 900,000 NIS (about $215,000) is about to go through as planned. I had to resist the temptation to send an email back with the ‘updated’ account details.

All this got me thinking: What are the legal consequences of receiving those mistaken-identity emails? Lets put aside the discussion of the silly mile-long footers (“if you are not the intended recipient please commit suicide after formatting your hard drive”). What if I receive a standard email, without any disclaimers, and choose to use it: leak the identity of the reality show participant, dating the girls that wanted to meet an “Aviram” or tell the PTA women to bring lasagna to the next meeting?

What about a responsibility to forward these emails to their correct recipient (or letting the sender know he has the wrong address) – am I required to? Would it be “the right thing” to do?


Hack in the Box Conference – Dubai

It’s time again!

Hack in the Box Conference will happen in Dubai, from 20th to 23rd april and I’ll be there talking about Advanced Payloads.

The presentation will discuss what changed in the nowadays attacks, and why the protections have not evolved as well.

With the focus on the advanced payloads and how to detect them passing through the network, the presentation will show many samples for improvements of actual technologies.

You can see the conference agenda here: http://conference.hitb.org/hitbsecconf2009dubai/agenda.htm

Let’s meet there folks!


Rodrigo (BSDaemon).


Fixing security settings

Since the day I got a new laptop I couldn’t access my online brokerage account. Maybe it was a sign that I should stop loosing money, but chose not to listen. I still wanted to log in to my account and at least see what is going on.

So I called the technical support and asked whats wrong. They were very nice and sent me a pdf that explains how I should ‘fix’ my Internet Explorer security settings (obviously they don’t support Firefox)

Here is the interesting part of what they sent:

IE security settings

When I saw it, I called them and asked the guy if they are serious about these recommendations and if there is any other way to continue working online. The guy was very polite and told me he doesn’t know anything about computers and he will ask someone to call me back. Until this minute nobody called.

Lucky me, I use Internet Explorer only when I have no other choice and that doesn’t happen too often, so ‘fixing’ my security settings does not effect my security too much. Unfortunately, if there was one site I would be really happy to have the best security possible, that would be my online stocks account.


DJBDNS Security Broken

According to this thread, DJBDNS’s security has officially been broken. A patch is available and the reward for the bug by Mr. Bernstein will be awarded to Matthew Dempsky. Quoting from the thread:

“If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)

Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.

The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky’s patch and requested to accept my apologies. The patch is also recommended for other users; it corrects the bug without any side effects. A copy of the patch appears below.

—D. J. Bernstein

Research Professor, Computer Science, University of Illinois at Chicago”

I still believe Georgi Guninski’s bug was enough for a reward, but oh well. I wonder what the “new security guarentee” will be, anyway.


Hack this and get what ever you want!

Emails from seemingly no where and from no one trustworthy.. haha
“Dear Hacker,

Manish from this side, i have a good hacking project on linux machine, configuration are below: please considue and if u are able to hack  this system our company can pay whatever u want.  or creat custom exploit that provide reverse shell . this server is online [ip address will be dilivered after project accepted by you] after u hack this system u just provide screen shot of any email header from any user on this server…I am sending you some details that are helpful for you.

Linux 2.6.18, sendmail: 8.13.1, apache 2.0.52, and open webmail 2.52

Suspected open ports:
25, 111(rpc), 443, 1720(SIP), 870(unkwon), 80, 79(finger), 110(pop), 143(imap),
3333(dec-notes), 4444(krb524)

and system is protected by firewall have ttl of system is: 53
Network distance: 10 hops.

Send me mail if u are ready to accept this challenge with project cost and time, so after i send IP address of live server, and money will be dilvered by Wire of paypal or bank transfer, any option that u want.”