The Ten Top Computer Science Papers You Must Read

– thanks for contributing to the list:
@Fare9

#StayAtHome / #StayAtHomeSaveLives

Reader: what other papers do you think should be included in this list? Thanks!

@simonroses


Hacker Entertainment for COVID-19 Times

We are facing an extraordinary and very serious situation, so it is necessary for the population to stay at home. Fortunately we live in the information age and many of us hackers are used to being locked up at home since we were teenagers.

In this post I want to propose some hacker-themed ideas to train you and have a good time during confinement and all for free (or almost).

Update: More links and new sections including computer programming, lockpicking and web security.

Makers

Exploit Development and Reverse Engineering

Radio frequency (things you can learn even if you don’t have radios or SDR)

Hacking Challenges: Capture The Flag (CTF)

Web Security

Lockpicking

Computer Programming

Online Training (so many options but I put some interesting ones)

Videos

Books & Zines

I hope you find it useful and your confinement will be more pleasant. With all this material you will be busy for weeks, even months!

#StayAtHome / #StayAtHomeSaveLives

Reader: any proposal to add to this list? Thanks!

@simonroses


October, European Cyber Security Month 2018: Success or Failure?

Last October was the European Cyber Security Month 2018, a campaign aiming at increasing cyber security awareness among EU citizens, promoted by ENISA (European Union Agency for Network and Information Security) each October for the last 5 years. Kudos ENISA.

In this post I take a look at the major security incidents/impacts that happened in October alone (not counting vulnerabilities, exploits, etc.). I will only focus on breaches, malware, Nation-State attacks and other big incidents (on a side note, I'm including one vulnerability due to its high impact). Certainly, October has been a really interesting month for cyber security.

Please take a look at the following table, divided into weeks:

Week (October 2018) / Security Incident

Week 1
  • Facebook Breach (50M users affected)
  • Russian spies (GRU cyber operatives) arrested in Netherlands
  • China Backdoor chips in USA

Week 2
  • Google+ Shutdown Due to Security Bug
  • US Pentagon Travel Records Breach

Week 3
  • Branch.io Flaw (685 million users affected)
  • Russian Cyber Vigilante
  • 8 Adult website Breach

Week 4
  • Cathay Pacific breach (9.4M users affected)
  • British Airways Breach (185K users affected)

Week 5
  • Nothing? (that we know of) 😉

Wow, some of these security incidents have got a lot of media coverage, such as the Russian spies, the China backdoor chip in the USA and the airline breaches, just to mention a few. All these security incidents were published in October, crazy!

Chances are I have missed some big security incident that happened in October, so if I'm missing something, please let me know so I can update the post, thanks!

I think cyber security is improving a little bit every year, but it's clear much more work needs to be done! Less talk and more action (resource investment) is what cybersecurity really needs.

So the question remains: is cyber security awareness improving or not? What do you think?

SRF


Book Review: PoC||GTFO

Yes, I'm back to blogging and doing a book review. I guess better late than never 🙂

This time I'm reviewing the holy hacker book: International Journal of Proof-of-Concept or Get The Fuck Out (PoC||GTFO, ISBN-13: 978-1-59327-880-9). The book sums up the best articles from the hacker magazine PoC||GTFO, so you can read the journal for free. But I still recommend that you buy a copy of the holy book. The publisher, No Starch Press, even allows you to copy articles from the book to distribute digitally.

pocpic

Let me get to the point: if you are into exploit development, reverse engineering, radio hacking, software backdoors or hardware hacking, this is your book. Honestly, any InfoSec pro should read it.

The book, with the look and feel of the Bible, is divided into 8 chapters, and each chapter has several highly technical verses on different topics. Depending on your interests you will prefer some verses over others, as I do, but I recommend reading the entire book, all 772 pages.

My preferred verses are related to polyglot files, OS exploitation, radio hacking, software backdoors and Linux tricks.

Some of my top verses:

  • 1:4 Making a Multi-Windows PE
  • 1:5 This ZIP is also a PDF
  • 2:8 This OS is also a PDF
  • 3:10 Tales of Python's Encoding
  • 4:3 This OS is a Boot Sector
  • 5:5 A Flash PDF Polyglot
  • 8:3 Compiler Bug Backdoors
  • 8:7 Stegosploit
  • 8:11 Naughty Signals

So go ahead, get yourself a copy now, read it and spread the word of the Lord 😉

Kudos to the authors of PoC||GTFO, editors and all those involved with the magazine and book. Keep the words coming, neighbor!

What are your preferred verses of the Holy Book?

Score (1 rose, very bad / 5 roses, very good): 5 Roses (Must read)

— Simon Roses Femerling / @simonroses


Mirai DDoS Botnet: Source Code & Binary Analysis

Mirai is a DDoS botnet that has gained a lot of media attention lately due to high-impact attacks such as the one on journalist Brian Krebs, and also for one of the biggest DDoS attacks on the Internet, against ISP Dyn, which cut off a major chunk of the Internet and took place last weekend (Friday 21 October 2016).

Besides the media coverage, Mirai is very interesting because we have binary samples captured in the wild, but also because the source code was released recently; for sure we can expect many variants of the Mirai code soon. Having both binary and source code allows us to study it in more detail.

It is quite amazing that we are in 2016 and still talking about worms, default/weak passwords and DDoS attacks: hello Morris Worm (1988) and Project Rivolta (2000), to mention a few.

Source Code Analysis

We have compiled the Mirai source code using Tintorera, our VULNEX static analysis tool that generates intelligence while building C/C++ source code. This gives us the big picture fast.

From Tintorera we get an application detail summary counting compiled files, lines of code, comments, blanks and additional metrics; Tintorera also calculates the time needed to review the code. Mirai is a small project and not too complicated to review. (Figure 1)

srf_mirai_sc1
Figure 1

Mirai uses several functions from the Linux API, mostly related to network operations. (Figure 2)

srf_mirai_sc2
Figure 2

In the Tintorera intelligence report we have a list of files, function names, basic blocks, cyclomatic complexity, API calls and inline assembly used by Mirai. By examining this list we can get an idea of the code. (Figure 3)

srf_mirai_sc3
Figure 3

In file killer.c there is a function named killer_init that kills several services: telnet (port 23), ssh (port 22) and http (port 80), to prevent access to the compromised system by others. (Figure 4)

srf_mirai_sc4
Figure 4

In the same file, killer.c, another function named memory_scan_match searches memory for other Linux malware. (Figure 5)

srf_mirai_sc5
Figure 5

In file scanner.c a function named get_random_ip generates random IPs to attack while avoiding a whitelist of addresses from General Electric, Hewlett-Packard, the US Postal Service and the US Department of Defense. (Figure 6)

srf_mirai_sc6
Figure 6

Mirai comes with a list of 62 default/weak passwords to perform brute force attacks on IoT devices. This list is set up in function scanner_init of file scanner.c. (Figure 7)

srf_mirai_sc7
Figure 7

In file main.c we can find the main function, which prevents compromised devices from rebooting by killing the watchdog and starts the scanner to attack other IoT devices. In Figure 8 we see a callgraph of file main.c.

srf_mirai_main_callgraph
Figure 8

Mirai offers offensive capabilities to launch DDoS attacks using the UDP, TCP or HTTP protocols.
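On the victim side, the scanner described above (scanner.c with its 62 default credentials) shows up as a burst of failed logins from one source that cycles through several accounts. The following Python script is an added example, not code from this post or from Mirai: it parses constructed telnetd/sshd log lines (the "Failed password for" wording is OpenSSH's; the telnetd lines, host names and addresses are made up for the example, and the year is assumed because syslog omits it) and flags sources matching that pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Failed password for <user> from <ip>" is the OpenSSH sshd wording; the telnetd lines
# in the sample reuse it (assumption: adjust LOG_RE to whatever your devices really log).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>sshd|telnetd)\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)
LOG_YEAR = 2016  # syslog timestamps carry no year; assumed for the constructed sample

# Constructed sample log: 10.0.0.5 cycles through default accounts within seconds
# (Mirai-style credential scanning); 192.168.1.20 is a user mistyping a password;
# 10.0.0.9 is a slow single-account probe that stays below the threshold.
SAMPLE_LOG = """\
Oct 21 10:00:01 camera-01 telnetd[812]: Failed password for root from 10.0.0.5
Oct 21 10:00:03 camera-01 telnetd[812]: Failed password for admin from 10.0.0.5
Oct 21 10:00:05 camera-01 telnetd[812]: Failed password for support from 10.0.0.5
Oct 21 10:00:08 camera-01 telnetd[812]: Failed password for user from 10.0.0.5
Oct 21 10:00:11 camera-01 telnetd[812]: Failed password for root from 10.0.0.5
Oct 21 10:00:14 camera-01 telnetd[812]: Failed password for admin from 10.0.0.5
Oct 21 10:02:00 camera-01 sshd[901]: Failed password for simon from 192.168.1.20 port 51234 ssh2
Oct 21 10:02:09 camera-01 sshd[901]: Failed password for simon from 192.168.1.20 port 51236 ssh2
Oct 21 10:05:00 camera-01 sshd[905]: Failed password for invalid user pi from 10.0.0.9 port 40000 ssh2
Oct 21 10:07:30 camera-01 sshd[905]: Failed password for invalid user pi from 10.0.0.9 port 40001 ssh2
Oct 21 10:10:00 camera-01 sshd[905]: Failed password for invalid user pi from 10.0.0.9 port 40002 ssh2
"""


def parse_events(text):
    """Return (timestamp, source_ip, username, service) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["src"], m["user"], m["svc"]))
    return events


def detect_credential_scans(text, window=timedelta(seconds=60), threshold=5, min_users=2):
    """Flag sources with >= threshold failures inside any `window` that also tried
    >= min_users distinct accounts (someone who forgot one password rarely cycles accounts)."""
    by_src = defaultdict(list)
    for ts, src, user, _svc in parse_events(text):
        by_src[src].append((ts, user))
    alerts = []
    for src, attempts in by_src.items():
        attempts.sort()
        burst, j = 0, 0
        for i in range(len(attempts)):  # sliding window over the sorted timestamps
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            burst = max(burst, j - i)
        users = {u for _, u in attempts}
        if burst >= threshold and len(users) >= min_users:
            alerts.append({"src": src, "attempts": len(attempts), "burst": burst,
                           "users": sorted(users), "first": attempts[0][0], "last": attempts[-1][0]})
    return alerts


if __name__ == "__main__":
    for a in detect_credential_scans(SAMPLE_LOG):
        print(f"{a['src']}: {a['burst']} failures in 60s across {len(a['users'])} accounts {a['users']}")
```

The thresholds are assumptions to tune per environment; the point is the combination of rate and account diversity, which separates a scanner working through a credential list from a forgetful user.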

Binary Analysis

Now let's move to binary analysis. So far we have been able to study 19 different samples obtained in the wild for the following architectures: x86, ARM, MIPS, SPARC, Motorola 68020 and Renesas SH (SuperH).

For the binary analysis we have used the VULNEX BinSecSweeper platform, which allows analyzing binaries, among other kinds of files, in depth, combining SAST and Big Data.

In Figure 9 we see a chart showing the file magic of all samples, to give us an idea of the file types/architectures. All samples are 32 bits.

srf_mirai_bin2
Figure 9

By using BinSecSweeper we obtained a lot of information for each sample, similarities between them and different vulnerabilities. Currently not many antivirus products identify all the samples, so beware which antivirus you use! In Figure 10 we have a visualization of file sizes in bytes.

srf_mirai_bin1
Figure 10

We analyzed all section names in the samples and Figure 11 is the result.

srf_mirai_bin3
Figure 11

As mentioned before, the samples are for different architectures, so in this post we are not showing you the code analysis results.
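The file magic, architecture and section-name views of Figures 9 and 11 can be reproduced for ELF samples in a few dozen lines of Python. The script below is an added example written for this post, not BinSecSweeper code: it reads the ELF header (class, byte order and e_machine, which covers the six architectures listed above), walks the section header table to recover section names, and computes byte entropy as a packing/encryption hint. Since no sample ships with a blog post, build_sample_elf32 constructs a minimal ELF32 image so the parser can be exercised offline; the 7.2 entropy threshold is an assumption, not a BinSecSweeper setting.

```python
import math
import struct
from collections import Counter

# e_machine values from the ELF specification for the architectures named in this post
EM_NAMES = {2: "SPARC", 3: "x86", 4: "Motorola 68000", 8: "MIPS", 40: "ARM",
            42: "Renesas SH", 62: "x86-64", 183: "AArch64"}
ENTROPY_ALERT = 7.2  # assumed threshold: compressed or encrypted data approaches 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_elf(data: bytes) -> dict:
    """Read class, byte order, machine and section names straight from the ELF headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]            # EI_CLASS
    prefix = {1: "<", 2: ">"}[data[5]]        # EI_DATA: little or big endian
    if bits == 32:
        hdr_fmt, word, sh_off_at, sh_size_at = "HHIIIIIHHHHHH", "I", 16, 20
    else:
        hdr_fmt, word, sh_off_at, sh_size_at = "HHIQQQIHHHHHH", "Q", 24, 32
    (_type, machine, _ver, _entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, shstrndx) = struct.unpack_from(prefix + hdr_fmt, data, 16)
    names = []
    if shoff and shnum and shstrndx < shnum:
        strtab_hdr = shoff + shstrndx * shentsize
        str_off = struct.unpack_from(prefix + word, data, strtab_hdr + sh_off_at)[0]
        str_size = struct.unpack_from(prefix + word, data, strtab_hdr + sh_size_at)[0]
        strtab = data[str_off:str_off + str_size]
        for i in range(shnum):                # sh_name is the first field of every Elf_Shdr
            name_idx = struct.unpack_from(prefix + "I", data, shoff + i * shentsize)[0]
            end = strtab.find(b"\0", name_idx)
            names.append(strtab[name_idx:end if end >= 0 else None].decode("ascii", "replace"))
    return {"arch": EM_NAMES.get(machine, f"unknown({machine})"), "bits": bits,
            "endian": "little" if prefix == "<" else "big", "sections": names}


def triage(data: bytes) -> dict:
    """Header facts plus the two cheap hints a first pass looks for."""
    info = parse_elf(data)
    info["entropy"] = round(shannon_entropy(data), 3)
    flags = []
    if info["entropy"] > ENTROPY_ALERT:
        flags.append("high entropy: packed or encrypted payload?")
    if not info["sections"]:
        flags.append("no section headers: stripped to hinder analysis?")
    info["flags"] = flags
    return info


def build_sample_elf32(machine: int, little_endian: bool = True) -> bytes:
    """Constructed minimal ELF32 image: header, .text bytes, .shstrtab and 3 section headers."""
    prefix = "<" if little_endian else ">"
    text = bytes(range(64))                   # stand-in for code bytes
    shstrtab = b"\0.text\0.shstrtab\0"        # ".text" at index 1, ".shstrtab" at index 7
    ehsize, shentsize = 52, 40
    text_off = ehsize
    str_off = text_off + len(text)
    shoff = str_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([1, 1 if little_endian else 2, 1, 0, 0]) + bytes(7)
    header = ident + struct.pack(prefix + "HHIIIIIHHHHHH", 2, machine, 1, 0, 0, shoff, 0,
                                 ehsize, 0, 0, shentsize, 3, 2)

    def shdr(name_idx, sh_type, offset, size):
        return struct.pack(prefix + "10I", name_idx, sh_type, 0, 0, offset, size, 0, 0, 1, 0)

    shdrs = shdr(0, 0, 0, 0) + shdr(1, 1, text_off, len(text)) + shdr(7, 3, str_off, len(shstrtab))
    return header + text + shstrtab + shdrs


if __name__ == "__main__":
    for em in (3, 40, 8, 2, 4, 42):
        print(triage(build_sample_elf32(em)))
```

Run over a directory of samples, the output feeds the same charts as Figures 9 and 11 (group by arch and count section names); the entropy flag is a hint, not a verdict, since legitimate compressed resources score high too.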

We have updated the BinSecSweeper analysis engine to identify Mirai malware samples. A full binary analysis report is available from VULNEX Cyber Intelligence Services to our customers; please visit our website or contact us.

Conclusions

Despite being fairly simple code, Mirai has some interesting offensive and defensive capabilities and for sure it has made a name for itself. Now that the source code has been released, it is just a matter of time before we start seeing variants of Mirai.

The Mirai botnet is a wakeup call to IoT vendors to secure their devices. Unfortunately millions of devices have already been deployed on the Internet and they are insecure by default, so brace yourself for more IoT attacks in the near future.

What do you think about IoT security?

— Simon Roses Femerling / Twitter @simonroses


Fristileaks 1.3 CTF Writeup

This vulnerable VM is a fun and simple CTF that can be downloaded from the awesome portal VulnHub.

Note: For VMware you may need to set the MAC address to 08:00:27:A5:A6:76 to get it working. I did, see Fig 1.

srf_fristileaks_1

Let's get ready to rumble…

As I knew the IP address, let's launch an nmap scan. From the scan we can see only 1 open port (HTTP) and the robots.txt file with some folders.

srf_fristileaks_2

Let's open the website.

srf_fristileaks_3

Nothing interesting so far. Now let's try robots.txt.

srf_fristileaks_4

In these folders we only find a picture of Jedi Obi-Wan Kenobi and nothing else.

srf_fristileaks_5

Giving it some thought, and since this is the Fristi game, we arrive at the following URL: a login/password admin portal.

srf_fristileaks_6

Let's check the HTML source code; we can find that the image is encoded in Base64 and also a possible login name: eezeepz

srf_fristileaks_7

Looking more closely at the HTML source code we find another potential Base64-encoded text.

srf_fristileaks_8

Let's put the Base64-encoded text into a decoder like Burp Proxy. We see a PNG header. Sounds like an image!

srf_fristileaks_9

Let's write a Python script to obtain the image.

srf_fristileaks_10
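As an added example (my reconstruction of the kind of script mentioned above, not the one used in the write-up), this Python snippet pulls Base64 runs out of HTML source, decodes them and identifies each result by its magic bytes, so a PNG hidden in a comment or a data: URI is recognized before it is written to disk. The HTML, the PNG header-only blob and the comment text are constructed for the example.

```python
import base64
import os
import re
import tempfile

# File signatures (magic bytes) of formats worth recognizing in a decoded blob
MAGIC = [(b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpg"),
         (b"GIF87a", "gif"), (b"GIF89a", "gif"), (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip")]
# A run of 40+ Base64 characters not glued to a preceding Base64 character, plus padding
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample: an HTML comment hiding Base64 text and an inline data: URI image.
# The "image" is only a PNG signature plus padding, enough for the magic check.
PNG_BLOB = b"\x89PNG\r\n\x1a\n" + bytes(40)
NOTE_BLOB = b"this is a constructed comment, not an image"
SAMPLE_HTML = f"""<html><body>
<!-- {base64.b64encode(NOTE_BLOB).decode()} -->
<img src="data:image/png;base64,{base64.b64encode(PNG_BLOB).decode()}">
</body></html>"""


def sniff(data: bytes):
    """Return the file-type label whose magic bytes open `data`, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def extract_base64_blobs(html: str) -> list:
    """Decode every Base64 run in the page; runs that are not valid Base64 are skipped."""
    blobs = []
    for m in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:        # binascii.Error is a ValueError: bad alphabet or padding
            continue
        blobs.append({"kind": sniff(raw), "size": len(raw), "data": raw})
    return blobs


def save_blobs(blobs: list, outdir: str) -> list:
    """Write each blob as blob_<n>.<kind> (unknown kinds get .bin); return the paths."""
    paths = []
    for n, blob in enumerate(blobs):
        path = os.path.join(outdir, f"blob_{n}.{blob['kind'] or 'bin'}")
        with open(path, "wb") as fh:
            fh.write(blob["data"])
        paths.append(path)
    return paths


if __name__ == "__main__":
    found = extract_base64_blobs(SAMPLE_HTML)
    for blob in found:
        print(blob["kind"], blob["size"], blob["data"][:16])
    print(save_blobs(found, tempfile.mkdtemp()))
```

Point it at a saved page (`extract_base64_blobs(open("page.html").read())`) and every decoded blob comes back labelled; the magic check is what tells a real image from an encoded text note, which is the distinction the write-up makes by eye in Burp.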

Open the image and it looks to me like a password 🙂

srf_fristileaks_11

So now we have a login and a password. Let's continue!

srf_fristileaks_12

Great, we have logged in to the portal.

srf_fristileaks_13

We can upload an image.

srf_fristileaks_14

Why not a webshell? 🙂 I modify one of the Kali webshells to set my IP address.

srf_fristileaks_15

Upload the webshell, but an error happens. Some kind of filter!

srf_fristileaks_16

Let's fire up Burp Proxy to bypass the filter, changing the filename to add a png extension.

srf_fristileaks_17

Great, filter bypassed and we have a webshell uploaded.

srf_fristileaks_18
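From the defender's side, the bypass above works because the upload filter trusts the file name. The following Python is an added illustration, not the VM's PHP code: weak_filter is a name-only check of the kind just bypassed, while hardened_filter validates the claimed extension against the content's magic bytes, discards the user-supplied name and stores the file under a random server-generated name. The sample bytes and the size limit are constructed for the example.

```python
import os
import uuid

# Allowed extensions mapped to the content type they must actually contain
ALLOWED = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}
MAGIC = [(b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"),
         (b"GIF87a", "gif"), (b"GIF89a", "gif")]
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for the example

# Constructed sample uploads (signature plus padding is enough for the magic check)
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(32)
GIF_SAMPLE = b"GIF89a" + bytes(32)
SCRIPT_SAMPLE = b"<?php echo 'not an image'; ?>"


def sniff_image(content: bytes):
    """Return the image type whose magic bytes open `content`, or None."""
    for magic, kind in MAGIC:
        if content.startswith(magic):
            return kind
    return None


def weak_filter(filename: str) -> bool:
    """Name-only check: anything ending in an image extension passes, 'x.php.png' included."""
    return os.path.splitext(filename)[1].lower() in ALLOWED


def hardened_filter(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason_or_storage_name). The user-supplied name is used only to
    read the claimed extension; the stored name is generated by the server."""
    if len(content) > MAX_BYTES:
        return False, "file too large"
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    kind = sniff_image(content)
    if kind is None:
        return False, "content is not a recognized image"
    if ALLOWED[ext] != kind:
        return False, f"extension {ext!r} does not match content type {kind}"
    # Random name, extension derived from the content, never from the request.
    # Store it in a directory the web server serves as static files only (no script execution).
    return True, f"{uuid.uuid4().hex}.{kind}"


if __name__ == "__main__":
    for name, data in [("photo.png", PNG_SAMPLE), ("shell.php.png", SCRIPT_SAMPLE),
                       ("photo.png", GIF_SAMPLE)]:
        print(name, "weak:", weak_filter(name), "hardened:", hardened_filter(name, data))
```

The magic check alone is not enough: a valid image with script text appended still passes it. What actually closes the hole is that the stored name and extension never come from the request and the upload directory is served as static content, so nothing the client controls decides how the file is interpreted.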

Let's call our webshell.

srf_fristileaks_19

Remember to set up a Netcat listener before calling the webshell! Awesome, we got shell 🙂

srf_fristileaks_20

A good place to start is checking the web app code, PHP in this case. In the /var/ folder we can see a /fristigod/ folder owned by the fristigod user, interesting.

srf_fristileaks_21

Poking around the /var/www/ folder we find a notes.txt file.

srf_fristileaks_22

In the /home/ folder we see several users.

srf_fristileaks_23

Moving to the /eezeepz/ folder we find another notes.txt file with an interesting message. We can execute commands, great!

srf_fristileaks_24

Let's execute a command so we can access the /admin/ folder by using the /tmp/runthis file trick.

srf_fristileaks_25

Inside the /admin/ folder we see a bunch of interesting files.

srf_fristileaks_26

We got some encrypted files and a Python script used to encrypt the files.

srf_fristileaks_27

Time for more Python scripting; let's modify the encrypt script to decrypt the files.

srf_fristileaks_28

Now we have some passwords, so let's change our user to the fristigod user. Remember one of the encrypted files was "whoisyourgodnow.txt". We don't have a real terminal so let's get one; a good cheat sheet here.

srf_fristileaks_29

Moving to the /fristigod/ folder reveals nothing.

srf_fristileaks_30

Recall that in the /var/ folder we had a /fristigod/ folder; let's check that folder, where we can find some interesting files, including a root binary we can execute!

srf_fristileaks_31

Checking the .bash_history file we learn how to execute the previous root binary.

srf_fristileaks_32

Time to see the /root/ folder content by using the root binary we can execute.

srf_fristileaks_33

Jackpot! We got root shell and the Flag 🙂

srf_fristileaks_34

Kudos to the author for this fun CTF!

Did you get root shell and the Flag by using other tactics?

— Simon Roses Femerling / Twitter @simonroses


Equation APT analysis using Security Data Science platform: BinSecSweeper

As many readers already know, at VULNEX we have been working on our BinSecSweeper project, whose development began in 2013 thanks to an award by US DARPA within its pilot program Cyber Fast Track (CFT); we were the only Spanish startup to win a research award. In May 2014 I was invited to The Pentagon by DARPA to present my project, together with the other CFT participants. It was a unique and awesome experience!

Since then BinSecSweeper has changed in every way possible due to a strong engineering effort. With the rise of so many APTs, I thought it would be interesting to analyze, using Data Science techniques, a recent APT that has gained a lot of media coverage: the Equation APT Group.

For this analysis I have got 419 Windows executables of this APT, which we will proceed to examine with BinSecSweeper. Let's look at the results!

In Fig. 1 we have the project dashboard and we can see a summary of the analysis. BinSecSweeper has identified malware and high-risk vulnerabilities, establishing a severe threat level alert (based on the US Homeland Security system). It draws our attention to different characteristics of the executables such as packers, Personally Identifiable Information and binary similarities.

binsecsweeper_Online1
Fig. 1.

In metrics (Fig. 2) we see more details of the analysis; the metric that most interests us, at least me, is the risks identified and the number of affected files. BinSecSweeper has identified interesting risks in this APT.

binsecsweeper_Online2
Fig. 2.

In BinSecSweeper we can deepen the analysis of one, several or all files, but for this high-level analysis our current objective is to obtain the big picture. So let's look at the analytics data, a very powerful tool, see Fig. 3.

binsecsweeper_Online3
Fig. 3.

BinSecSweeper offers stunning graphics that help us to understand data very quickly and visually. In Fig. 4 we see a visualization of the entropy of the binaries. Most binaries are around 0.80, with some binaries in the 0.65 and 1.00 ranges.

binsecsweeper_Online4
Fig. 4.

In Fig. 5 we can see the different types of binaries, and it should call our attention that most files are DLLs and there is also one driver, no doubt a file we should analyze in more detail.

binsecsweeper_Online5
Fig. 5.

In Fig. 6 we see a very interesting metric, the section names of the executables. It helps us to identify suspicious sections and packers.

binsecsweeper_Online6
Fig. 6.

Fig. 7 is related to the previous metric; in this case we have the number of sections. There is a file with 10 sections.

binsecsweeper_Online7
Fig. 7.

In the following metric (Fig. 8) we have the number of libraries imported by the executables.

binsecsweeper_Online8
Fig. 8.

The imported functions of the executables are interesting to understand functionality. In Fig. 9 we have this metric, specifically the top 15 functions.

binsecsweeper_Online9
Fig. 9.

We can also see the exported functions, Fig. 10.

binsecsweeper_Online10
Fig. 10.

In Fig. 11 we see the identified compilers. It is interesting to understand the tools used by the APT authors.

binsecsweeper_Online211
Fig. 11.

The last metric that we are going to see (Fig. 12) is the compilation timestamp of the executables, organized by year. Clearly in 2008 the authors were very busy.

binsecsweeper_Online212
Fig. 12.
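The binary types, section names, section counts and compile years of Figs. 5, 6, 7 and 12 all come straight from the PE headers. As an added example (not BinSecSweeper code), this Python script parses the COFF header, the optional-header subsystem and the section table of each PE and aggregates them over a set of samples. build_sample_pe constructs minimal PE images so it runs offline; section names and years are made up, except UPX0/UPX1, which are the real UPX packer section names.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINE = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}  # IMAGE_FILE_MACHINE_*
SUBSYSTEM = {1: "native", 2: "windows-gui", 3: "windows-cui"}               # IMAGE_SUBSYSTEM_*
IMAGE_FILE_DLL = 0x2000                                                     # Characteristics flag


def parse_pe(data: bytes) -> dict:
    """Read machine, image kind, subsystem, section names and link time from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+
    subsystem = struct.unpack_from("<H", data, coff + 20 + 68)[0] if opt_size >= 70 else None
    sect_off = coff + 20 + opt_size           # the section table follows the optional header
    names = []
    for i in range(nsect):
        raw = struct.unpack_from("<8s", data, sect_off + i * 40)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    if chars & IMAGE_FILE_DLL:
        kind = "DLL"
    elif subsystem == 1:
        kind = "native (driver or other kernel-mode image)"
    else:
        kind = "EXE"
    return {"machine": MACHINE.get(machine, hex(machine)), "kind": kind,
            "subsystem": SUBSYSTEM.get(subsystem, subsystem), "sections": names,
            "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc)}


def summarize(blobs: list) -> dict:
    """Aggregate per-file facts into the kind of charts shown in Figs. 5, 6, 7 and 12."""
    infos = [parse_pe(b) for b in blobs]
    return {"kinds": Counter(i["kind"] for i in infos),
            "section_names": Counter(n for i in infos for n in i["sections"]),
            "section_counts": Counter(len(i["sections"]) for i in infos),
            "years": Counter(i["compiled"].year for i in infos),
            "max_sections": max(len(i["sections"])  for i in infos)}


def build_sample_pe(machine, section_names, year, dll=False, subsystem=2) -> bytes:
    """Constructed minimal PE: DOS stub, COFF header, zeroed optional header, section table."""
    stamp = int(datetime(year, 6, 1, tzinfo=timezone.utc).timestamp())
    opt = bytearray(224)                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)     # Magic: PE32
    struct.pack_into("<H", opt, 68, subsystem)
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)   # IMAGE_FILE_EXECUTABLE_IMAGE (+ DLL)
    coff = struct.pack("<HHIIIHH", machine, len(section_names), stamp, 0, 0, len(opt), chars)
    sects = b"".join(struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000 * (i + 1),
                                 0x200, 0, 0, 0, 0, 0, 0x60000020)
                     for i, name in enumerate(section_names))
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)   # e_lfanew at 0x3C points at "PE\0\0"
    return dos + b"PE\0\0" + coff + bytes(opt) + sects


# Constructed sample set; UPX0/UPX1 stand in for the packers Fig. 6 points at.
SAMPLES = [
    build_sample_pe(0x14C, [".text", ".rdata", ".data", ".reloc"], 2008, dll=True),
    build_sample_pe(0x14C, [".text", ".rdata", ".data", ".rsrc"], 2008, dll=True),
    build_sample_pe(0x14C, ["UPX0", "UPX1", ".rsrc"], 2008),
    build_sample_pe(0x8664, [".text", "INIT", "PAGE", ".data"], 2010, subsystem=1),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLES).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

One caveat a year histogram needs: the COFF timestamp is written by the linker and can be set to anything, so a cluster like "2008" is a lead to corroborate against other artifacts (compiler identification, rich header, contemporaneous samples), not a fact on its own.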

Very quickly and easily we have obtained a good understanding of this APT without entering into complex/costly analysis or reverse engineering, which would be our next step.

Today, with millions of malware samples circulating and the complexity of software, it is necessary to have in our arsenal powerful analysis tools such as BinSecSweeper, which uses advanced Data Science techniques to analyze the security and privacy of software.

Perhaps it would be interesting to analyze all antivirus products with BinSecSweeper 😉

Hasta la vista, Baby, I'll be back soon with more analysis 🙂

For more information about BinSecSweeper you can contact us at BinSecSweeper@vulnex.com

Does your organization use Security Data Science? What would you like to analyze?

— Simon Roses Femerling / @simonroses


A Security Breach Can Hurt You, More Than You Think!

Week after week we read about security breaches at top websites around the world, where millions of users' data are exposed and the company does not even reply with an apology. Until now nobody in management (your typical C-level) assumed any responsibility for the breach, many times due to lack of security, but this tendency is starting to change.

Some CEOs have stepped down due to high-profile security breaches such as Target in 2014 and the infamous Ashley Madison just recently, July 2015. Management needs to start speaking cybersecurity and assume responsibility for security breaches.

A security breach can really hurt you; take for example the Ashley Madison attack: 36 million users' data exposed. Let's be honest, although many of these users were fake profiles, many real users were still affected by the breach. The problem for Ashley Madison is not the attack itself but what has been revealed: the company had plans to go public, but by examining the data it looks like it was a scam, ouch.

Another recent high-profile security breach has been Hacking Team, a security company that develops offensive solutions for LEAs and has been selling their products to oppressive regimes worldwide. Hacking Team was known for a while for suspicious activities, but this was not confirmed until a security breach revealed 400 gigabytes of their data containing product source code, client contracts, emails, and much more: the dark side of this company. Really ouch!

MBA schools need to start including cybersecurity awareness in their courses so management understands the problems and how to deal with them. It is not enough to have a good CSO/CISO these days; management needs to be involved 100%, if not, a security breach could hurt your company.

Should high management be involved in cybersecurity matters?

— Simon Roses Femerling – @simonroses


Race to 0day in Nation State Operating Systems

Operating System change is coming…

We all know that Windows still dominates the desktop arena, with Linux and MacOS trying to catch up, and that Android dominates the mobile space, with iOS and Windows Phone trying to catch up as well. What many of these OSs have in common is that they are developed by USA companies (hello NSA!).

With the silent (or not that silent 🙂) cyber guerrilla going on in the Internet between the West and the East, it is not surprising that many Nation States are developing their own operating systems to cut the dependency on USA software vendors.

The Sony cyber attack by North Korea (supposedly, not proven yet) has caught a lot of media attention (even President Obama has spoken about the need to increase cybersecurity) and, to make things more interesting, the operating system used by the North Korean government was leaked on the Internet and it is currently being analyzed by many security companies and intelligence agencies to find 0day.

Several Nation States have announced the development of their own "secure (cough)" operating system; the ones I know of:

• Red Star OS: Linux based (Red Hat) with a Windows XP look & feel, used by North Korea.
• China: Several custom OSs.
  • COS: China Operating System, based on Linux, for mobile devices.
  • Kylin: The first version was based on FreeBSD but the current version is based on Ubuntu.
• Russia: Several custom OSs.
  • RoMOS: A customized Android OS for mobile devices (this OS doesn't send any information to Google).
  • Linux: The Russian government announced switching to Linux as the national OS this year.
• France: Not really their own operating system, but the French military switched to Linux Ubuntu (allegedly to save money).
• India: Also announced their own secure OSs (not many details published).
• United States of America: Several custom OSs.
  • The Defense Information Systems Agency (DISA) is developing a secure version of Android to be used in mobile devices across the government.
  • Plan X: An OS developed by DARPA to be used by the military for cyber warfare operations in real time.

The fact that Nation States are developing their own customized OSs for defensive purposes forces adversaries to obtain copies of these OSs to find 0day if they want to perform offensive actions, so we can expect the 0day market to grow in the coming years for exploits and rootkits in all of these Nation State OSs.

There is a good chance that Nation State counterintelligence will publish fake OSs and software pretending to be the real thing, so adversaries waste their resources trying to obtain copies and time analyzing the software, or, why not, put offensive software inside the OS to attack the systems used to analyze the software and compromise the network.

For sure security companies and intelligence agencies from both sides (West and East) must keep an eye on the technologies used by their adversaries and have ready a bunch of 0days for these OSs, as the standard/regular Windows, Android and Linux versions will probably go away.

Nation States not putting enough resources into developing their offensive capabilities will be unable to perform any actions against adversaries that use custom OSs in the future.

Reader: If you know of any more Nation State OSs, please let me know, and if you have copies of any of them send them my way, please!! (Already got Red Star OS, thanks)

What do you think of Nation States developing their own OSs?

— Simon Roses Femerling | @simonroses


Cyber Intelligence Universe

In recent years everything "cyber" is fashionable, and intelligence applied to the cyber world could not be less! The concept of intelligence has an offensive meaning due to its use by intelligence and military agencies, but now too many security vendors position their products as intelligence solutions able to identify potential threats.

With the use of these security products many private organizations "believe" that they are getting intelligence, but their vision is very limited:

1. Intelligence is obtained from the quantity and quality of your sources (many organizations don't even know their sources of information).
2. The human analysis factor is vital (it is not about installing a product and expecting a detailed report, as if everything were automated).
3. The focus is only on outside threats (Internet), as if internal threats did not exist.

It is funny or sad (depending on how you look at it) when many organizations and security vendors talk about their ability to monitor and analyze system logs, antivirus, firewalls, IDS, honeypots, etc. to provide intelligence, and then they don't know the number of computers, users or software installed in the organization. Intelligence applied only to the outside is insufficient when internal threats are unknown.

In VULNEX (disclaimer: a cybersecurity startup founded by me) we gave it some thought and developed some solutions that help in this regard, for example BinSecSweeper: a tool to analyze Windows, Linux and MacOS binaries. We can take an operating system and analyze all the binaries to determine their security posture (for example scanning all the approx. 7000 binaries in Kali Linux in 30 minutes 😉) or determine if software is using obsolete libraries, among other things.

Software today is not written but composed: programmers use different libraries and commercial or open source code to compose their product in the shortest time possible and push it to market. Organizations use all kinds of software without knowing whether it is safe or what it is composed of, a huge mistake!

bss1_cap_int_univ
Fig. 1 – Scanning software with BinSecSweeper, a peek under the hood

Another need we have in VULNEX is to obtain intelligence from source code when doing code audits. These audits are complex, long and usually limited in time, so it is necessary to obtain valuable information to focus the work. In this sense we have developed Tintorera, a plugin for GCC that, while we compile a project in C, performs an analysis that helps us understand the code without having read the source itself. At this point we are not looking for vulnerabilities, but we do want to understand the relationships between functions, code metrics, complexity, and other parameters that help us be more effective at scrutinizing the code and finding vulnerabilities. Intelligence applied to source code! 🙂

tintorera1
Fig. 2 – Tintorera report

tintorera2
Fig. 3 – Tintorera Graph
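Tintorera does this for C from inside GCC. As an added illustration of the same idea (a call graph plus a cyclomatic complexity and size per function), not Tintorera's code, the Python script below computes both for a Python module with the standard ast package and emits a Graphviz DOT call graph of the kind shown in Fig. 3. The analyzed source is a constructed sample, and the complexity rule (one point per branch, loop, handler, comprehension or extra boolean operand) is a standard simplification.

```python
import ast

# Constructed sample module to analyze (stands in for a C project under Tintorera)
SAMPLE_SOURCE = '''
def parse(line):
    if not line:
        return None
    fields = line.split(",")
    if len(fields) < 2 or fields[0] == "":
        return None
    return fields

def load(lines):
    out = []
    for line in lines:
        rec = parse(line)
        if rec:
            out.append(rec)
    return out

def main(lines):
    recs = load(lines)
    while recs:
        print(recs.pop())
'''


def cyclomatic_complexity(func: ast.FunctionDef) -> int:
    """1 + one point per decision: branches, loops, handlers, comprehensions and
    each extra operand of a boolean expression (nested defs count into their parent)."""
    score = 1
    for node in ast.walk(func):
        if isinstance(node, (ast.If, ast.For, ast.AsyncFor, ast.While, ast.IfExp, ast.ExceptHandler)):
            score += 1
        elif isinstance(node, ast.BoolOp):
            score += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            score += 1 + len(node.ifs)
    return score


def analyze(source: str) -> dict:
    """Per function: complexity, lines of code and the module-level functions it calls."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    report = {}
    for name, node in funcs.items():
        callees = sorted({c.func.id for c in ast.walk(node)
                          if isinstance(c, ast.Call) and isinstance(c.func, ast.Name)
                          and c.func.id in funcs})
        report[name] = {"complexity": cyclomatic_complexity(node),
                        "loc": node.end_lineno - node.lineno + 1, "calls": callees}
    return report


def entry_points(report: dict) -> list:
    """Functions nobody in the module calls: where a reviewer starts reading."""
    called = {c for r in report.values() for c in r["calls"]}
    return sorted(f for f in report if f not in called)


def to_dot(report: dict) -> str:
    """Graphviz call graph with complexity and size on each node."""
    lines = ["digraph calls {"]
    for f, r in report.items():
        lines.append(f'  "{f}" [label="{f}\\nCC={r["complexity"]} LOC={r["loc"]}"];')
        lines.extend(f'  "{f}" -> "{c}";' for c in r["calls"])
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = analyze(SAMPLE_SOURCE)
    for f, r in rep.items():
        print(f, r)
    print("entry points:", entry_points(rep))
    print(to_dot(rep))
```

Pipe the DOT output through `dot -Tpng` to get a graph like Fig. 3; in an audit the high-complexity nodes reachable from the entry points are where the limited review time goes first, which is the prioritization the post describes.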

If you believe that your organization is doing cyber intelligence, think again and really determine your analysis capabilities and your vision, which surely are not as good as you think...

No doubt much remains to be done in cyber intelligence, at both internal and external sources, to obtain a real and global view of threats.

Does your organization have a cyber intelligence program?

— Simon Roses Femerling @simonroses
