Cyber Intelligence Universe

In recent years everything “cyber” has become fashionable, and intelligence applied to the cyber world is no exception! The concept of intelligence carries an offensive connotation because of its use by intelligence and military agencies, but now too many security vendors position their products as intelligence solutions able to identify potential threats.

By using these security products many private organizations “believe” that they are getting intelligence, but their view is very limited:

  1. Intelligence is only as good as the quantity and quality of its sources (many organizations do not even know what their sources of information are).
  2. The human analysis factor is vital (it is not about installing a product and expecting a detailed report, as if everything were automated).
  3. The focus is only on outside threats (the Internet), as if internal threats did not exist.

It is funny or sad (depending on how you look at it) when many organizations and security vendors talk about their ability to monitor and analyze system logs, antivirus, firewalls, IDS, honeypots, etc. to provide intelligence, and then they do not know the number of computers, users or software installed in the organization. Intelligence applied only to the outside is insufficient while internal threats remain unknown.

At VULNEX (disclaimer: a cybersecurity startup founded by me) we gave this some thought and developed some solutions that help in this regard, for example BinSecSweeper: a tool to analyze Windows, Linux and MacOS binaries. We can take an operating system and analyze all its binaries to determine their security posture (for example, scanning all of the approximately 7000 binaries in Kali Linux in 30 minutes ;) or determine whether software is using obsolete libraries, among other things.

Software today is not written but composed: programmers use different libraries and commercial or open source code to assemble their product in the shortest time possible and push it to market. Organizations use all kinds of software without knowing whether it is safe or what it is composed of, a huge mistake!

Fig. 1 – Scanning software with BinSecSweeper, a peek under the hood
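To show what a header-level posture scan of the kind described above actually checks, here is an added example in Python. It is not BinSecSweeper's code and not from the original post: it reads an ELF64 executable's program headers and reports whether PIE, a non-executable stack (NX) and RELRO are present, and it builds constructed ELF images so the checks can be exercised offline. The function names (`security_posture`, `findings`, `build_elf64`) and the sample images are assumptions made for the example.

```python
import struct

# ELF64 constants as defined in the ELF specification / <elf.h>
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 1, 3, 0x6474E551, 0x6474E552
PF_X = 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, little-endian


def parse_program_headers(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) from an ELF64 little-endian image."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_phentsize != PHDR.size:
        raise ValueError("unexpected program header entry size")
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * PHDR.size
        if off + PHDR.size > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags = PHDR.unpack_from(data, off)[:2]
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def security_posture(data: bytes) -> dict:
    """Hardening properties that can be decided from the headers alone."""
    e_type, phdrs = parse_program_headers(data)
    types = {t for t, _ in phdrs}
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        # ET_DYN plus a PT_INTERP entry is a position-independent executable
        # (shared libraries are ET_DYN too, but carry no interpreter entry)
        "pie": e_type == ET_DYN and PT_INTERP in types,
        # A PT_GNU_STACK entry without PF_X requests a non-executable stack;
        # a missing entry is treated as weak, since old loaders then default to executable
        "nx": bool(stack_flags) and not (stack_flags[0] & PF_X),
        "relro": PT_GNU_RELRO in types,
    }


def findings(data: bytes) -> list:
    """Human-readable list of missing mitigations (empty list means all three present)."""
    posture = security_posture(data)
    labels = {"pie": "not position-independent (no PIE)",
              "nx": "executable stack (no NX)",
              "relro": "no RELRO segment"}
    return [labels[k] for k in ("pie", "nx", "relro") if not posture[k]]


def build_elf64(pie: bool, nx: bool, relro: bool) -> bytes:
    """Constructed, non-runnable ELF64 image with just enough headers for the checks above."""
    phdrs = [(PT_LOAD, 0x5, 0, 0, 0, 0x1000, 0x1000, 0x1000)]
    if pie:
        phdrs.append((PT_INTERP, 0x4, 0x200, 0x200, 0x200, 0x1C, 0x1C, 1))
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4, 0x1000, 0x1000, 0x1000, 0x200, 0x200, 1))
    phdrs.append((PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs)


if __name__ == "__main__":
    import sys
    # Usage: python posture.py /path/to/binary ... (prints missing mitigations per file)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, findings(f.read()) or ["hardened"])
```

Run over a directory of binaries, this is the kind of inventory the post argues for: it tells you which of your own executables lack basic mitigations before anyone outside does. Detecting obsolete libraries would additionally need the dynamic section (DT_NEEDED entries), which this example deliberately leaves out.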

Another need we have at VULNEX is to obtain intelligence from source code when doing code audits. These audits are complex, long and usually limited in time, so it is necessary to obtain valuable information to focus the work. With this in mind we have developed Tintorera, a plugin for GCC that, while we compile a project in C, performs an analysis that helps us understand the code without having read the source itself. At this point we are not looking for vulnerabilities, but we do want to understand the relationships between functions, code metrics, complexity and other parameters that help us scrutinize the code more effectively and find vulnerabilities. Intelligence applied to source code!

Fig. 2 – Tintorera report

Fig. 3 – Tintorera graph

If you believe that your organization is doing cyber intelligence, think again and really assess your analysis capabilities and your visibility, which are surely not as good as you think…

No doubt much remains to be done in cyber intelligence, on both internal and external sources, to obtain a real and global view of threats.

Does your organization have a cyber intelligence program?

— Simon Roses Femerling @simonroses


Theoretical attacks on a Sex Robot: Roxxxy

The True Companion company has for the last few years marketed the first robot to have sex with: Roxxxy. Unfortunately it is not possible to find much information about the technical features of the robot on the company website, but from the available information a few conclusions can be drawn, so I thought it would be fun to write a post about possible attack vectors.

Disclaimer: everything described here is based on information obtained from the company website and my imagination; no attack has been tested for real (yet) because I do not have this robot, but if any reader wants to send me a pair of robots to reverse engineer, I will be happy to tell you first about any 0days I find :)


You can choose between different customizable versions: hair color, personality (up to 5 profiles that you can customize even further!), and depending on the model it/she can even talk, understand a little and respond to touch. These features make me think that the robot must have different types of sensors and microprocessors. It also has a USB port, Ethernet and Wi-Fi, so it has the ability to communicate (it can receive updates via the Internet). The USB port must be connected to a Windows computer so that the robot can talk to us.

An interesting concept is that we can temporarily lend our custom robot personality to other users registered on the company forum (swingers for robots, so to speak); this means that the robot can replace its personality for a limited time with one created by other users.

Now, with this information, we propose different theoretical/fictitious attack scenarios:

  1. The robot could ship from the factory with a malware implant to compromise the user's computer via USB.
  2. It could include a malicious AP, Wifi Pineapple style, inside the robot to carry out further attacks on the network/systems.
  3. An attacker could steal the robot's profile (personality) to resell it to the customer (ransomware).
  4. An attacker could modify the robot's internal motors to harm the customer when “having sex” (although I doubt that the robot has sufficiently powerful motors in the current version).
  5. Nothing is said about the robot's sight (vision), but if it does have it, the cameras could be used to spy on the user (Hello, NSA!).
  6. The robot could also be used to record the customer's voice.
  7. And, with all this information, blackmail the customer by threatening to make public their sexual tastes/tendencies.
  8. An attacker could upload a malicious personality to the forum so that victims install it on their robots, for various purposes.

We talk a lot about the risks to critical infrastructure, the Cloud, Big Data and the Internet of Things (IoT), but in the coming years the security and risks of robots will become more relevant as they become more and more present in our personal and professional lives…

What additional attacks can you think of? ;)

— Simon Roses Femerling / @simonroses


Heartbleed: pain, blood and code

All alarms went off last week when a serious security flaw in the OpenSSL cryptographic library, called Heartbleed, was published. This library is used by a large part of the servers on the Internet as well as by much security software.

As could not be otherwise, the conspiracy theories claim this bug was introduced, or abused for some time, by the NSA. In any case, this bug proves that Open Source software is not safer if nobody looks at it (it took two years to identify this bug!) and if secure development practices are not followed.
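The post does not describe the defect itself, so here is an added illustration of the class of bug a review or a secure development process is meant to catch. It is not OpenSSL's code and not from the original post: a simplified heartbeat handler in the shape of the Heartbleed defect (a reply length taken from the untrusted message header rather than from the record actually received) next to the hardened version that bounds the length first. The "process memory", the secret string and the requests are constructed sample data; `respond_unchecked`, `respond_checked`, `leaked_bytes` and `demo` are names chosen for the example.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER = struct.Struct(">BH")   # heartbeat type (1 byte) + payload_length (2 bytes, big-endian)
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of padding follow the payload


def build_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request; claimed_len lets the header disagree with the real payload size."""
    length = len(payload) if claimed_len is None else claimed_len
    return HEADER.pack(HB_REQUEST, length) + payload + bytes(MIN_PADDING)


def respond_unchecked(memory: bytes, record_len: int) -> bytes:
    """Vulnerable shape: the reply copies `length` bytes as stated in the header.
    The record length that was actually received is never consulted, so the copy
    runs past the record into whatever sits next to it in memory."""
    _, length = HEADER.unpack_from(memory, 0)
    start = HEADER.size
    return HEADER.pack(HB_RESPONSE, length) + memory[start:start + length] + bytes(MIN_PADDING)


def respond_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Hardened shape: bound the claimed length by the record before any copy;
    a malformed request is silently discarded (None), as the fix did."""
    if record_len < HEADER.size + MIN_PADDING:
        return None
    _, length = HEADER.unpack_from(memory, 0)
    if HEADER.size + length + MIN_PADDING > record_len:
        return None
    start = HEADER.size
    return HEADER.pack(HB_RESPONSE, length) + memory[start:start + length] + bytes(MIN_PADDING)


def leaked_bytes(response: bytes, record: bytes) -> bytes:
    """Whatever the response echoed that was not part of the request record."""
    _, length = HEADER.unpack_from(response, 0)
    echoed = response[HEADER.size:HEADER.size + length]
    sent = record[HEADER.size:]  # payload + padding that was really on the wire
    return echoed[len(sent):] if echoed.startswith(sent) else echoed


def demo() -> dict:
    # Constructed "process memory": the received record, then data that must never leave the process
    secret = b"constructed-secret: session-key=0123456789abcdef"
    record = build_request(b"ping", claimed_len=60)   # 4 real payload bytes, header claims 60
    memory = record + secret + bytes(64)
    honest = build_request(b"ping")
    return {
        "unchecked_leaks": leaked_bytes(respond_unchecked(memory, len(record)), record),
        "checked_reply": respond_checked(memory, len(record)),
        "honest_reply": respond_checked(honest, len(honest)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The whole fix is one comparison against a length the code already has; what the post is really arguing is that no process existed to make sure someone asked for it.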

I do not know whether the OpenSSL team follows any secure development framework, but the fact that a single programmer can make changes to the code without any kind of validation (?) is a much more serious mistake than the bug itself.

It is certainly a severe blow to the Open Source community, which is often presented as safer because everyone can read the code. This bug makes clear that just being Open Source is not enough.

I will never tire of repeating it: it does not matter whether you are Open Source or commercial software, whether your company only develops software for internal use or has an ISV develop it for you; it will never be secure software if it is not developed following a secure development framework such as MS SDL, BSIMM or OpenSAMM.

We hope this bug is a wake-up call for anyone who develops software about the importance of security and of investing in it.

I can also confirm that this bug works like a charm ;)

What do you think about this bug?

— Simon Roses Femerling
