Research

One of the sessions I enjoyed at DefCon was Nathan Hamiel and Shawn Moyer’s, “Satan is on My Friends List”. Aside from directly hacking the security of some of these sites, they experimented with creating fake profiles of known individuals and seeing who they could fool. Notably, they created a profile (with permission) for Marcus Ranum on LinkedIn, then tried to see how many people they could fool into connecting to it. Yes, folks, I fell for it. In my case it wasn’t that big a deal- I only use LinkedIn as a rolodex, and always default to known email accounts before hopping into it. But that’s not how everyone sees it, and many people use it to ask questions, connect to people they want to be associated with but aren’t really connected to. Someone behind a fake profile could spoof all sorts of communications to either gather information or manipulate connections for nefarious reasons (pumping stock prices, getting fake references, disinformation campaigns, and so on). All social networks are vulnerable to manipulation, real world or virtual, but when you remove face to face interaction you eliminate the biggest barrier to spoofing. I avoid some of this by only linking to people I know, have met, and have a reason to keep in contact with. If you’ve sent me a link request because you read the blog or listen to the podcast, and I haven’t responded, that’s why. Otherwise it loses any usefulness as a tool for me. One of Shawn’s recommendations for protecting yourself is to build a profile, even if you don’t actively use it, on all the social networks. Thus I now have MySpace and Facebook pages under my real name, tied to a throwaway email account here at Securosis. WIll it help? Maybe not- it’s easy for someone to create another account with my name and a different email address, but after I tie in a few friends that should reasonably draw people to the real me, whatever that’s worth. One unexpected aspect of this was a brief blast of mortality as Facebook splattered my high school graduating class on a signup page. I haven’t really stayed in touch with many people from high school days; in my mind’s eye they were frozen in the youth and vibrance of those few years we felt we ruled the world. Seeing them suddenly years later, long past the days of teenage hopes and dreams, was a visceral shock to the system. No, we’re not all that old, but at 37 we’re far past any reasonable definition of youth. Damn you Mr. Moyer. I can forgive you for mildly pwning me in your presentation, but smashing open my vaulted teenage memories with a lance of reality? That sir, I can never forgive. Share:

During the second day at Black Hat, somewhat depressed by yet another futile attempt to locate coffee and fighting human gridlock, I decided that it was no longer worth the effort and simply sat down in the nearest conference. And I am glad I did as that random selection of presentations turned out to be one of my favorites of the week. The presentation was called Visual Forensic Analysis and Reverse Engineering, presented by Gregory Conti and Erik Dean. I would offer a link for you, but I have been unable to find the slide deck on line. It is on the CD that was included in the Black Hat goodie bag for those of you who attended, and some of the discussion points are located here (http://lcamtuf.coredump.cx/oldtcp/tcpseq.html) The Conti & Dean presentation shows how, by using different graphing techniques, to identify the contents and even reverse engineer binary files. By performing ?dot plots? and ?byte plot? examples of binary files, you can very quickly detect certain patterns within the binary file that tell you what is contained within the file. Much like a human fingerprint, uuencoded content, text, Word documents, bit mapped images, jpegs, compressed files and encrypted files each had a unique visual signature. For files that may contain several items, it was easy to pick out the begining and ending points of blobs within the file, and then examine specific binary objects in more detail. They showed a couple of examples of extracting out image files from a huge binary file in less than 30 seconds. You know you are a geek when: I remember in the early ’90s that when debugging code or core dumps I was often just winging it. You really did not have a valid stack trace, so you were rummaging around memory looking for something unusual, or some pattern that gave you a clue as to what went wrong. It was more art than science, and it was usually some visual clue or something that just did not look right when you found the root cause of the bug. Again in the mid-90s I can remember loading binary files into a text editor to attempt to, ahem, circumvent and ?no-op? out the licensing module which could often be located through a visual inspection. Of course, this was purely for academic purposes. This same technique was effective in hacking video game binaries and save files (slide 46 of the presentation shows a Neverwinter Nights database file as an example). And it was all based upon looking at the binary structure for patterns and experimenting with value substitutions to alter game functionality. But the graphic tools take this to a whole new level. How do you know your PRNG is producing random numbers? During the presentation, the evolution from these early generation tools and methods was discussed, and then they showed off tools that provide different 3 dimensional graphic representation of what data looks like. One of the examples that I was most impressed with was the graphs that show a distribution for numbers. These are examples of PRNG output (http://lcamtuf.coredump.cx/newtcp/). Random? It is not particularly easy to demonstrate the pseudo-random number generator you are producing random numbers, or collecting entropy to see your random number generator. But by graphing them in this way, you can very quickly see if you have reasonably good randomness ? or not close at all. Anyway, I thought this was a very cool forensic tool for binary files. Check out the graphs as they are very impressive. Share:

I ran across this article last week in the Arizona Republic regarding redesign of the Internet. This was very much in line with one of the recurring topics that seemed to be discussed in the halls at Caesars Palace during Black Hat: how might we change the Internet if we were to start from a clean slate? There are clearly many motivating factors to do so, from the fragility and dependency issues of the Internet on DNS as discussed by Kaminisky , email spam , DDOS, use of a basically insecure connectionless protocol for the vast majority of transactions, to encrypting all Internet traffic to keep government and other entities from spying on us, and the list goes on and on. I have not been following the organizations history all that closely nor am I aware of any published research at this time. I will admit to viewing the GENI effort with a bit of skepticism. While the web site FAQ states ‘It is not a replacement for the Internet (or any other communications technology). Rather the purpose of GENI to test and mature a wide range of research ideas in data communications and distributed systems’. Not sure if the intent with the statement is to underscore the intention to build something entirely new, or if this is hyperbole, but it is clearly at odds with the way the project is being marketed as “A massive project to redesign and rebuild the Internet”, which is why it makes news and why US National Sciences Foundation would consider $12 million in funding. This dichotomy makes me worried right off the mark. I always assumed the success of the Internet was because it was a cheaper and faster way to do things. Simple to understand, easy to use, freedom to say what you want, and almost free to participate. Yes, low cost helps, but the organic growth IMO is really about simplicity and freedom. And the more people who participate, the more information available, and more value. A ‘clean slate’ redesign of the Internet will certainly have design goals of greater reliability, accountability and security. These points are on the agenda’s of every Internet redesign discussion I have seen, and they will come with greater control, expense and monitoring of personal activity. The more I think about it, the more I believe what we need is not a new Internet, but one that sits parallel to the one we have today. The Internet we have today works great for sharing information, which is largely what it was indented to do. It was not designed to be secure, keep data private or conduct commerce. If the intention of the GENI project is to provide a secure medium for commerce in parallel, I am all for it. I am not eager to give up what I like about the Internet to solve the security issues at hand. Share:

During a recent eBay auction, when clicking the “Pay Now” button for an item I had won, I was taken off the eBay site, to a third party merchant site. The merchant site was attempting to verify address information and shipping options, and then forward me to PayPal. I tried going back into my eBay account and making the payment directly to PayPal several times, in an attempt to avoid the third-party site, without success. It appears that eBay is allowing third party merchants to insert their own code and web sites into the checkout process. What’s more, this particular merchant page was a mixture of secure and insecure content and some JavaScript. NoScript took care of the issue for me, but it leaves me wondering. I am not sure if it is my heightened sense of post-DefCon paranoia, but this just seems like a bad idea to me. If I were a hacker, wouldn’t I just love a way to insert myself into the payment process? With most security analysis processes, I start by examining trust relationships I can exploit. This tends to be fertile ground for logic flaws, and these trust points tend not to be closely inspected by users. If I can insert myself into an established trust relationship to launch my attack, I am far more likely to succeed, and this seems like an open window for me to do just that. Bogus image tags, XSS, XSRF, inline frames, or whatever attack du jour; it seems like a natural target for inserting myself between these two trusted entities. I am not saying that any particular merchant site is insecure at this time, but I am willing to bet that regardless of any vetting process third parties go through, their security is not uniformly as strong as eBay’s and PayPal’s. In general, I have no relationship with any of the third party merchant software, so I have no reason to trust the sites or their security. I make purchases on eBay with PayPal because I have a basic trust in their sites, processes, and security teams. This trust does not fully extend to every one of their affiliated merchants and third party sites, now and in the future. Not only that, the third party site offers me, the buyer, no added value, only potentially decreased security. From PayPal’s own “Top Ten Safety Tips”, which they provide with the Security Key, tip number nine is “Stay Safe on eBay: … Pay safely using PayPal, the secure payment method that enables you to shop without sharing your financial information with the seller”. But if the merchant has been linked into the process, and you have to go to a merchant site first, it is somewhat at the seller’s discretion. And if the merchant site has been hacked, all bets are off. I sent the question over to eBay and PayPal security and have not received a response, so I wanted to know what the community at large felt about this. Share:

A bit of a different episode this week. Since Martin is traveling, rather than a guest host this week we’re posting the last of the interviews recorded at DefCon- but this one is a doozy. David Mortman, Dave Maynor, Chris Hoff, Robert “Rsnake” Hanson, and Larry Pesce join us immediately after we all finished our DefCon panel. Martin, as the sober one, interviews us as we record what is our first clearly explicit podcast. Yes folks, we hit all 7 dirty words plus a few bonuses. Not to worry, we do include some content as we discuss what we covered in the panel and whatever other topics flew into our adult-beverage-addled brains. We had a heck of a lot of fun putting the DefCon back into DefCon, and we hope you enjoy this little slice of the unfiltered. Yes, this really is an explicit episode, so consider yourselves warned. Network Security Podcast, Episode 116 Length: 24:00 (or so) Share: