Dell, IBM and possibly other tech giants should be ashamed

In times of crisis there is much talk about entrepreneurship as the engine to lift the economy, at least in the Spanish crisis. Now then, who assists entrepreneurs?

As readers know, I am the founder of VULNEX, a technology startup that offers highly specialized offensive and defensive cyber security services. In recent months I have been talking with tech giants such as Dell and IBM Spain to acquire a few servers that would allow us to improve our platform for R&D and services to our customers.

Obviously the purchase amount is small for these giants, but for us it is a significant amount, so we were interested in getting financing for the purchase. To our surprise, neither of these 2 giants finances startups; they tell us they only finance companies with more than 2 years of life. INCREDIBLE and SHAMEFUL!

I guess these companies have forgotten their roots and, above all, how and where they began. In my opinion it is disappointing that they do not even evaluate the project to determine its potential and just say NO. How easy it is to say NO to small companies!

Now I understand why Dell has recently presented bad results; with that sales policy it is not surprising. And what to say about IBM, the patent monster…

But hey, such is the world of entrepreneurs, a constant struggle that unfortunately you get used to. Of course, at VULNEX we are evaluating other options in order to carry out this operation and improve our services despite everything.

Be ready for some exciting announcements in Q1 of 2013 😉

Dear readers, what is your opinion on the support given by large enterprises to startups?

— Simon Roses Femerling


AppSec USA 2012: the experience

You know you are in Texas when you get off the plane and hear country music throughout the airport, and I was there indeed, because on the 25th and 26th of October the OWASP AppSec USA conference was taking place in Austin, Texas, where I participated with a presentation on Web Honeypots.

The conference had more than 800 attendees, free and paid courses on different application security topics on the 23rd and 24th, and of course an impressive selection of speakers.

My experience as a speaker was unbeatable, since the organization, the same people who organized LASCON, put much effort and desire into ensuring that everything went well. They even organized a Texas-style barbecue for the speakers at a popular restaurant overlooking a lake.

And what to say about the Happy Hour for the entire conference, where there was a mechanical bull, the super music of rapper Dual Core and authentic armadillos for racing; no doubt I was in Texas, yee haw!

With so many talks to choose from, too often I did not know which to pick, but luckily for us all the videos and slides will be released soon, so we can watch them with all the calm and attention they deserve.

I had the pleasure of talking about Web honeypots, a topic I find very interesting and with much work still to be done. Specifically, I talked about a project that I have been working on for some time, which I have rescued from the trunk of memories and to which, through VULNEX, I can now devote professional resources 🙂

We can really see how American companies have a different attitude, being more agile than Spanish companies; just see the photo of the Job Board with well-known companies looking for all kinds of roles in application security.

From here I would like to thank the entire organization for the super event, and see you at the next appointment, AppSec USA 2013 in New York.

Note: In a couple of weeks the videos should be online, I will keep you posted!

Happy Halloween dear readers!

— Simon Roses Femerling


Medre, AutoCAD Malware: The spy inside the CAD

Last June a piece of malware that infects AutoCAD for Windows was identified; it is responsible for the theft of thousands of documents. AutoCAD is a popular program for 2D and 3D drawings that is used to design all kinds of products, such as homes, cars, and aerospace and defense systems, so it is of real interest for industrial espionage. In this post we will study this malware, known as Medre.

From a technical point of view it is a simple piece of malware, written in AutoLISP with scripts/payloads in VBS, but ingenious, since it infects multiple AutoCAD versions on Windows (see Fig. 1) with the aim of stealing files and sending them by mail to servers in China.

Fig. 1 – AutoCAD versions supported by Medre

In Fig. 2 we can see the Chinese servers to which the stolen information is sent; Medre uses various email accounts on these servers. Despite the use of Chinese servers, it is not entirely clear that the attack originates there.

Fig. 2 – Chinese servers

And in Fig. 3 we can see part of the code responsible for compressing the stolen files with WinRAR, setting the password “1”.

Fig. 3 – WinRAR code

If we consider that AutoCAD is one of the most popular design programs and runs on multiple platforms such as Windows, macOS and mobile (Android and iOS), the ingenuity of this attack, simple and effective, catches our attention. Perhaps future versions of the malware will be multiplatform?

Without a doubt, attacks on the industrial fabric, whether against SCADA systems or using malware like Medre to steal information, are really interesting and dangerous for many organizations and nation-states.

Which industrial espionage malware have you found interesting?

— Simon Roses Femerling


“Find And Call” Smartphone Malware Analysis

Last week Kaspersky published an article about a new malware affecting iPhone and Android, and this App was available in their official markets. Since it is the first malware to appear in the iPhone Market, I thought it would be interesting to examine it, so once we obtained copies of both Apps we proceeded to analyze them.

This malicious software of Russian origin collects the contact list of our device and sends it to a server without the user's consent. If we look at Fig. 1 we can see part of the information collected in the Android version, such as names, phone numbers, emails and websites, Facebook, Skype, etc. A good amount of PII.


Fig. 1 – Information collected on Android

In Fig. 2 we have the code that sends all this information to the server.


Fig. 2 – Sending the information to the server

Fig. 3 is the malicious version for iPhone, where we searched for the function responsible for collecting and sending the information.


Fig. 3 – iPhone version of the malware

In Fig. 4 we have the function disassembled for the enjoyment of the reader 🙂


Fig. 4 – sendPhoneBook function disassembled

As you can see, it is fairly simple code, but the interesting thing in my opinion is that the App was available for both iPhone and Android in their respective markets, which makes apparent how relaxed Apple and Google are about App security.

It is true that many Apps do the same as this one and remain in the Markets, and that over time they will be identified.

As a curiosity, note that this App suffers from several vulnerabilities, such as passwords stored in clear text and insecure channels, since all the information and passwords are sent over HTTP, as well as other vulnerabilities: a disaster of secure development 😉

In my opinion it is only a matter of time before we begin to see cross-platform malware for iPhone, Android and Windows Phone.

What do you think of security in the Markets?

— Simon Roses Femerling


Oh No AIX Security

True, my dear readers: recently I had to audit AIX systems (you know, those proprietary IBM UNIXes), so I thought it would be interesting to share a series of tips on how to audit them.

Recommended AIX security guides:

AIX Security Expert
AIX Version 6.1: Security
Securing an IBM Aix Server
Hardening your AIX Security
Santosh Gupta’s passion for AIX

Some of my tips for a quick review:

• Review the permissions on the /etc directory
• Check and disable unnecessary services in /etc/inetd.conf, /etc/inittab, /etc/rc.nfs and /etc/rc.tcpip
• Run the oslevel command to obtain the version
• Run instfix -i | grep ML to see the installed maintenance levels and patches
• Oddly enough, a vulnerability in Sendmail (CVE-2012-2200) was recently published
• Review the Java security policies and permissions
• The /etc/motd file must include a corporate message
• Determine whether the system was installed with TCB by running: tcbck -y ALL
• Look for SETUID / SETGID programs: find / \( -perm -004000 -o -perm -002000 \) -type f -ls
• Set the umask for users in /etc/security/user
• Look in /root and the users' home directories for private certificates / keys
• If you have a license, Nessus or Nexpose will be your friends, or Metasploit if you are more daring 😉
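As an added example (not code from the original post), here is a small POSIX shell helper that automates three of the checks above: enabled inetd services, stanzas in /etc/security/user with a weak umask, and the SETUID/SETGID find. It assumes the standard AIX stanza layout of /etc/security/user and runs against a constructed sample tree so it can be tried offline; on a live AIX host the same functions are called with the real paths.

```bash
#!/bin/sh
# Quick AIX review helper (added example, not from the original post).
# The sample tree below is constructed; on a real host call the functions
# with /etc/inetd.conf, /etc/security/user and / instead.

# Print the services still enabled in an inetd.conf: the first field of
# every line that is neither empty nor commented out.
enabled_inetd_services() {
    # $1 = path to inetd.conf
    grep -v '^[[:space:]]*#' "$1" | awk 'NF > 0 { print $1 }'
}

# Parse the stanza file /etc/security/user ("default:" / "umask = 022")
# and print "stanza umask" for every stanza whose umask is weaker than 027,
# i.e. leaves files group-writable or accessible to others.
weak_umask_users() {
    # $1 = path to /etc/security/user
    awk -F'=' '
        /^[^ \t#].*:[ \t]*$/ { stanza = $0; sub(/:.*/, "", stanza); next }
        $1 ~ /^[ \t]*umask[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v)
            v = sprintf("%03d", v)          # normalise "22" -> "022"
            g = substr(v, 2, 1); o = substr(v, 3, 1)
            # weak if others keep any bit (o != 7) or group keeps write (g & 2 == 0)
            if (o != "7" || int(g) % 4 < 2) print stanza, v
        }' "$1"
}

# List SETUID / SETGID regular files below a directory (the find from the
# tips list, with the "-o / -perm" typo fixed).
setuid_setgid_files() {
    # $1 = directory to scan
    find "$1" \( -perm -004000 -o -perm -002000 \) -type f 2>/dev/null
}

# Constructed sample tree so the checks can be exercised without an AIX host.
make_sample_tree() {
    # $1 = directory to populate
    mkdir -p "$1/etc/security" "$1/usr/bin"
    cat > "$1/etc/inetd.conf" <<'EOF'
## inetd.conf (constructed sample)
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd    ftpd
#telnet stream  tcp6    nowait  root    /usr/sbin/telnetd telnetd -a
ssh     stream  tcp     nowait  root    /usr/sbin/sshd    sshd -i
EOF
    cat > "$1/etc/security/user" <<'EOF'
default:
        admin = false
        umask = 022
        login = true

audit:
        umask = 077

ops:
        umask = 27
EOF
    : > "$1/usr/bin/suidtool";  chmod 4755 "$1/usr/bin/suidtool"
    : > "$1/usr/bin/sgidtool";  chmod 2755 "$1/usr/bin/sgidtool"
    : > "$1/usr/bin/plaintool"; chmod 0755 "$1/usr/bin/plaintool"
}

SAMPLE="$(mktemp -d)"
make_sample_tree "$SAMPLE"

echo "== inetd services still enabled"; enabled_inetd_services "$SAMPLE/etc/inetd.conf"
echo "== stanzas with weak umask";      weak_umask_users "$SAMPLE/etc/security/user"
echo "== SETUID/SETGID files";          setuid_setgid_files "$SAMPLE/usr/bin"
```

Expected on the sample: ftp and ssh remain enabled, only the default stanza (022) is flagged, and suidtool and sgidtool are listed.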

If we know shell scripting we can automate practically the whole process, so our work will be easier, safer and faster.

What do you use to audit AIX?

— Simon Roses Femerling


Network Intelligence Analysis

Analyzing network traffic is really exciting, and for this post I thought it would be an interesting topic for readers. The traffic analyzed here is more of a hobby, captured when I am on public/open networks such as hotels, cafés and airports 🙂 Time has passed since I worked as an IDS analyst, but it is a service we offer at VULNEX as part of our cyber security services.

Some of the tools I use for my analysis are:
• NetworkMiner
• Wireshark
• Xpico
• Snort
• And custom VULNEX tools

Once the traffic is captured with your favorite sniffer, the analysis phase begins using some of the tools mentioned above. In Fig. 1 we use NetworkMiner to get a quick picture of the traffic: IPs and their operating systems, where they are browsing, credentials and images, as well as other diverse information.

Fig. 1 – IPs and Operating Systems

Using the same tool we can view all the images captured in the traffic, see Fig. 2.

Fig. 2 – Exploring the captured images

Now we use Wireshark, possibly the best sniffer, to analyze the captured traffic with its powerful analysis tools, see Fig. 3.

Fig. 3 – Wireshark in action

Conclusions of the Analysis

Even though the analysis was superficial, we obtained a large amount of information that an attacker could use to carry out more sophisticated and targeted attacks.

We obtained:
• A large number of names; an attacker could now perform OSINT on them.
• That iPhones, followed by iPads, dominate the device market. It is not surprising that so much is paid for exploits for these devices.
• Personal photos
• Credentials
• Operating systems and vulnerabilities

Not bad for a little while of analysis done for leisure 🙂 It is an exercise I recommend doing, especially on corporate networks, since quite often the traffic flowing through them is not known.

Disclaimer: No system was attacked at any time and no information obtained was used for fraudulent purposes.

What network analysis tools do you use?

— Simon Roses Femerling


Blackhat Europe 2012, MundoHackerTV and More

Too many weeks have passed without writing a post, and that cannot be 🙂 The truth is that I am quite busy with VULNEX (a startup specialized in cybersecurity), but I have taken a little time to tell you the news.

Last March the prestigious Blackhat Europe 2012 conference was held in Amsterdam, where I participated as a speaker with a talk on insecurity in Smartphone Apps, which was very well received (thanks for the feedback!) and which you can find here.

I recommend watching the other talks and the tools presented at the Blackhat Arsenal, many interesting topics!

On the other hand, the people from MundoHackerTv interviewed me during the conference, which I am sure will be of interest to you, as they interviewed several speakers and organization staff.

As you can see I am still alive, and I hope to put up a proper post soon; until next time 🙂

— Simon Roses Femerling


AppSec: Static Application Security Testing (SAST) Free Tool Map

When I perform a security analysis of an application I try to combine Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) to get the best results. We leave DAST for another post.

It is true that these tools are not perfect, but today they are a necessity. Many security experts are against using these tools, claiming they are not useful, but that is not true.

These tools have their limitations, but they are a great help in quickly finding some specific types of vulnerabilities, allowing us to devote our time to more complex vulnerabilities.

Although there are various free projects we can use (the ones I cover in this post), there is no doubt that if we want a professional tool we must invest in commercial products, which are generally more sophisticated.

Below you will find an interactive map of free SAST tools that you can use on the software developed in your organization to determine its security. The use of these tools should be mandatory in the Implementation phase of the SDLC.

There are many more tools, but the ones presented here are in my opinion some of the most interesting. If you know of tools that should be on the map, I would appreciate it if you let me know so I can include them.

Which SAST tool do you use? Are you happy with the results?

— Simon Roses Femerling

Map legend:

  • Hover the mouse over a tool to see its description.
  • Right-click to open the tool's Web page.

Free SAST Map v.1


VULNEX, up & running

Finally VULNEX, the project I have been working on for months, has seen the light. Undoubtedly we are at the beginning and much hard work remains ahead, but we face it with great enthusiasm.

VULNEX was born with the aspiration of being a provider of highly specialized offensive and defensive services and training to meet the current needs of our clients. Times have changed and too many people do not understand the new security needs, but VULNEX is here to help. A differentiating factor is that VULNEX is characterized by strong R&D, which we will publish little by little.

We believe VULNEX offers something more to our customers, so we invite you to visit the website and of course to contact us. We would love to work with you!

— Simon Roses Femerling


Infiltrate 2012 Report

The second edition of Infiltrate, the offensive conference organized by ImmunitySec, was held on the 12th and 13th of January; we also attended the first edition. Although not all the talks were as spectacular as last year, it is still a highly offensive conference and a must for any security expert.
 
The first day started with a fun keynote on two topics: security conferences and cyber war (both covered on this blog, 1 and 2), and the truth is that I agree in many respects with the presenter's conclusions. Some outstanding talks on the first day were about heap exploitation and sandboxing.
  
On the second day the level of all the presentations was extremely high and I liked them all. The best was undoubtedly the one on attacking proximity card access systems, for its innovation, although I recommend watching them all. The talks were filmed, so I think they will be available soon.
 
Also, what can I say about the city of Miami, a great place to party with other hackers and have fun 🙂

Undoubtedly one of the best conferences for its technical talks and the chance to meet interesting people; I have made good friends 😉

Kudos to the entire ImmunitySec team for an exceptional organization and their readiness to make sure everything goes well.

See you at the third edition!
 
  — Simon Roses Femerling