Saturday, 17 September 2011

Seeing if there is interest in a free technical video lecture series

Some time back I posted a paper at SANS on the topic of analysing and reversing packed malware.

The paper was focused on reversing NsPack (a common packer) in particular. If I have enough interest, I was thinking of creating a free video lecture series covering the technical aspects of reversing malware.

This will cover debugger use, ASM on Intel, packing and inline analysis of code and even how to inject your own controls into malware and change its behavior.

So, let me know if you are interested.

Security Awareness and Training

Many issues in security come from a combination of a lack of care and a lack of awareness. Even a lack of care can be seen as a consequence of a lack of awareness.

If we take the issue of the TDSS botnet mining Bitcoins, many users see this as little more than an inconvenience. They do notice the lost system performance as their CPU runs at 100%, but the theft through the botnet’s mining of the coins is seen as somebody else’s problem.

Fraud impacts us all.
It is not simply some nebulous company out there and a nameless victim; we all suffer when criminals prosper.

Organizations are becoming increasingly dependent on their information systems in order to function effectively. Therefore, the availability of their information systems, the integrity of their data and the confidentiality of corporate information are becoming critical. Even the loss of CPU cycles and bandwidth to a criminal group matters.

In most organizations, the education required and the need for good security controls and procedures have fallen way behind. Users of information systems often see security processes as punitive and unnecessary. Developers see controls as restrictive and counterproductive in their efforts to develop and introduce systems.

User awareness of security-related issues is becoming an essential component of an effective security program. In the 1970s and 1980s, centralized administration did not require as much training and communication for the end-user community. Security issues were mostly addressed by MIS and security personnel. From the 1990s on, however, with the proliferation of client/server applications and decentralized data, it has become increasingly important that a good and effective security awareness program be part of an overall security implementation.

Security awareness training is required to emphasise the need for security and effective controls in the development and use of information systems. Users of these systems must be educated in the positive benefits of information security and the fact that security measures can actually save time and money by reducing the number of errors and accidents which form the bulk of threats to information systems. An additional benefit of security awareness training is the introduction of an 'ethos' of good practice, which will flow on into other areas of your organization. A greater understanding of information systems, how to use them and how to gain access to them will reduce the overhead on support services.

For any information security awareness and training program to be successful, detailed planning is essential. The planning of awareness and training programs must consider the whole life cycle from the beginning of the process to completion. The following seven steps, as developed in the NIST CSAT[1] program, may serve as a starting point in the development of the program:

  1. The program's scope, goals, and objectives need to be identified;
  2. The program trainers need to be selected;
  3. Target audiences within the organization need to be selected;
  4. Motivational goals for all members of the organization are defined;
  5. The program is implemented;
  6. A routine of regular maintenance keeps the program up to date;
  7. Periodic evaluations need to be done on the program to maintain its relevance.
The process requires the completion of the following tasks:
  1. Establishing the organizational culture (and the associated risk environment);
  2. Identifying the organization’s risks;
  3. Analysing the risks as identified;
  4. Assessing or evaluating the risks;
  5. Treating or managing the risks (using cost / benefit frameworks);
  6. Monitoring and reviewing the risks and the risk environment; and
  7. Continuously communicating and consulting with key parties.
The key risks associated with the training and awareness process include:
  1. Awareness levels are inadequately raised during either induction activities or subsequent awareness sessions;
  2. Policies and procedures are not being updated;
  3. Information security training fails to provide staff with an adequate level of skills to handle the security needs of the organization;
  4. Awareness sessions are not adequately focused on the policies, procedures and standards of the organization;
  5. Senior management do not support the awareness and training regime adequately;
  6. Awareness or training activities are not maintained and kept current;
  7. Internal politics reduce the effectiveness of the program.
Failure to mitigate the risk associated with poor awareness and training techniques increases the likelihood of, and exposure to, other risks within the organization. It is difficult to enforce controls on systems when staff are either unaware of the requirements or inadequately trained in securing those systems. It is important to remember that the success of the organization’s information security strategy requires all personnel to have sufficient knowledge of the awareness requirements of the organization and that key personnel maintain key competencies in their areas of the ISMS.
To achieve this it is necessary to:
  1. Determine the necessary competencies within the organization,
  2. Provide awareness sessions and training for staff,
  3. Evaluate the effectiveness of awareness and training sessions on a regular basis,
  4. Maintain sufficient training records on the experience, skills and qualifications of staff to enable the recognition and analysis of weaknesses within the organization.
Awareness Programmes need to be implemented to be effective
Management needs to facilitate awareness, training and education strategies within their organization. Good awareness processes and management support will help the overall security of an organization as:
  1. An organization’s personnel cannot be held responsible for their actions unless it can be demonstrated that they were aware of the policy prior to any enforcement attempts,
  2. Education helps mitigate corporate and personal liability and aids the avoidance of breaches of criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement,
  3. Awareness training raises the effectiveness of security protection and controls; it helps reduce fraud and abuse of the computing infrastructure and increases the return on investment of the organization’s spending on both information security as well as in computing infrastructure in general.
In most organizations, the level of education required, as well as the need for good security controls and procedures, has fallen well behind the requirements. Users of information systems often see security processes as punitive and unnecessary. Developers see controls as restrictive and counterproductive in their efforts to develop and introduce systems. An initial security awareness workshop developed at management level for the security personnel and the security governance team is a good initial phase with which to identify business requirements and the key security threats and perils that must be addressed, and to develop a management plan to meet these new challenges.


[1] NIST Computer Security Awareness and Training (CSAT)
An Introduction to Computer Security: The NIST Handbook (Special Publication 800-12)
This text has been taken, rewritten and modified from some other books and writings of my own.

Things that make you go ummm!

Loading from Live by Microsoft this morning I received an interesting error in Firefox in regards to the certificates...

Something to investigate.

Friday, 16 September 2011

Cyber (Crime / Espionage / Terror)

Lecture 1 of the 24-part Charles Sturt University lecture series Cyber (Crime / Espionage / Terror) is now up (it is free). Lecture 2 will follow in the coming days.

Webinar 3 - Cyber (Crime / Espionage / Terror)

Join us for a Webinar on September 23

Space is limited.
Reserve your Webinar seat now at:
https://www2.gotomeeting.com/register/424430178

Lecture 3 in a series of 24.
We have just seen the largest cyber espionage incident in recorded history, and it is only set to get bigger. The rise of cyber-based groups engaging in hacktivism is creating chaos, but it is only the start as these groups begin to do more damage. Al-Qaeda and other pure terror groups have been on the back foot, unable to leverage the social aspects of Web 2.0, but will this change as groups such as Anon and LulzSec define a distributed model for social malfeasance?

Add to this criminal-controlled botnets of millions of zombie hosts, and the decade is set to be the decade of the hack!

In this lecture, we focus on cyber crime. This will be the second of 4 lectures detailing the rise and development of cyber crime and its links to traditional criminal enterprises (including the drug trade, prostitution and smuggling). In this lecture we also cover the use of cybercrime in terror funding.

Presented by Dr Craig Wright of Charles Sturt University [1] and the Global Institute for Cyber Security + Research [2].

1. Http://www.csu.edu.au
2. Http://www.gicsr.org

Title: Cyber (Crime / Espionage / Terror)

Date: Friday, September 23, 2011

Time: 7:00 PM - 8:00 PM AEST

After registering you will receive a confirmation email containing information about joining the Webinar.

System Requirements
PC-based attendees
Required: Windows® 7, Vista, XP or 2003 Server

Macintosh®-based attendees
Required: Mac OS® X 10.5 or newer

Grep and the Art of RegEx

Grep becomes a truly powerful forensic search tool when matched with Regular Expressions (RegEx).

In this lecture segment, we show a few key examples of how grep and RegEx can be used to search raw image files for email addresses, credit card numbers, IP addresses, URLs and far more.

http://www.youtube.com/user/CraigSWrightCSU#p/a/u/0/a7OkqhcmCSg

Wednesday, 14 September 2011

Electronic Espionage

The UK differs from the United States, with its efforts at codification through the Restatement and Uniform Trade Secrets Act[1], in not having introduced a legislative set of controls preventing electronic espionage. The English law as it relates to a breach of confidential information is exclusively derived from the common law as it has evolved through the cases. A duty of confidence arises when confidential information comes to the knowledge of an individual in circumstances where it would be unfair were that information to be divulged to another. This could be a result of the receiver of the information being on notice, or having an agreement, that the information was to be so handled. A breach of confidence is the contravention of a duty which can result in a civil action[2]. Breach of confidence will regularly occur in association with the disclosure of data with a commercial value. It can also comprise personal information regarding individuals.

Breach of confidence is complex. It enlarges to “reflect changes in society, technology and business practice”[3]. Furthermore, Art. 8 of the European Convention on Human Rights (concerning the right to privacy) has expanded the available actions connected with a breach of confidence to include safeguarding against the misuse of private information[4]. Under English law, the plaintiff is required to prove three things in order to succeed in an action for a breach of confidence:

  1. the information must be confidential, but does not apply to information which is trivial[5];
  2. the information was provided in circumstances importing an obligation of confidence;
  3. there must be an unauthorized use or disclosure of the information, and, at least, the risk of damage[6].
The jurisdictional basis in English law of the action for breach of confidence is unclear. The foundation most regularly relied upon is contract[7]. Frequently the parties will have incorporated express terms relating to confidentiality, but the courts have also commonly acted on the basis of an implied confidentiality provision in an existing contractual relationship. The courts have also created an equitable obligation of confidentiality independent of any contractual relationship. This obligation applies to the initial beneficiary of the information, and to third parties who receive unauthorized disclosures of confidential information. It has also been used in addition to a contractual obligation, and at times in substitution for one.

The duty that confidence should be preserved may be outweighed by a variety of other public considerations which call for disclosure in the public interest, whether to the world at large or to the appropriate authorities. It is generally necessary for a court to seek an equilibrium in protecting the public interest. This balance is judged by weighing confidentiality against a use or disclosure that favors society and creates quantifiable gains[8]. Disclosure of confidential information will not be restrained where there is a ‘just cause or excuse for disclosing it’[9].

An ISP or ICP needs to consider both the public interest as well as the need to protect client data. Failing to safeguard the interests and data of their clients increases the risk to the intermediary. This risk comes from damages in civil actions if the intermediary is found liable. This issue is a particular concern for ICPs (who have some obligation unless explicitly excluded in contract) and particularly service providers specializing in the provision of security services. These providers are contracted to ensure that the security of their clients is maintained and are open to actions in both contract and negligence if they fail in their duties.

The proper law of a contract is the system of domestic law that defines the obligations assumed by the parties to the contract. International law does not thoroughly define the requirements needed in a contract. The position is clearest where the parties have explicitly chosen the law that will apply to the contract. The parties may expressly choose the body of law which will apply to all or part of their contract, including offer and acceptance.

The UK requires that the parties must expressly choose to include the Hague Uniform law (Art.3, s.1 (3) Uniform Laws on International Sales Act 1967) [ULIS] in the contract terms before it applies to the sale of goods. This can if included have an impact on the process of offer and acceptance. Where there is knowledge of the residence or place of business of the contracting parties who each exist in a different state, several results arise in the case of a web site operation (for instance). Either “the contract concerns the sale of goods which are to be carried from one state to another or the acts constituting offer and acceptance have been effected in different states or the goods are to be delivered to a state other than that where the acts constituting offer and acceptance have been effected” [10].

Complications may occur if parties reside in a different state from where they hold their e-mail (Hyde v Wrench 1840) or other accounts. Treitel also notes that the communication of acceptance determines the time and place at which the contract is created. The general rule is that a contract is formed at the time and place that the acceptance is received, unless accepted by post, in which case the contract is formed at the time and place of posting of the acceptance. In cases such as this, both the location from which the e-mail is accessed and the time at which the acceptance is made become critical points. The place where the user accesses their e-mail may affect the acceptance. In many jurisdictions, the time and place of receipt of a message derive from when it is available to the recipient (Art.1335 Italian Civil Code; US: Restatement 2d of Contracts, S 56; Germany: case RGZ 144, 292). In the case of e-mail, the time it is available to the recipient is when it arrives on the client’s mail server. In this way, the timing and even validity of an offer and acceptance to a contract may come into dispute and may even come into effect in two or more places (Apple Corps Limited v Apple Computer, Inc. [2004]).

One of the greatest difficulties arises as an ISP or content hosting operator will clearly not be in a contractual relationship with the owner of the confidential information. The equitable doctrine, imposing an obligation of confidentiality in respect of information which the recipient knows or ought to have known to be confidential, and further which was proffered under circumstances implying confidentiality may be appropriate in selected circumstances. Nevertheless, it is clear that there remains a substantial dilemma for the plaintiff in proving that such an obligation exists. This would be predominantly true where an ISP or ICP declares unawareness of what content was on the site.



[1] The Restatement and Uniform Trade Secrets Act (1985) USA. “In view of the substantial number of patents that are invalidated by the courts, many businesses now elect to protect commercially valuable information through reliance upon the state law of trade secret protection. Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 (1974), which establishes that neither the Patent Clause of the United States Constitution nor the federal patent laws pre-empt state trade secret protection for patentable or unpatentable information, may well have increased the extent of this reliance”.
[2] Lord Nicholls in Campbell v MGN Ltd [2004] A.C.457 at 464-5 summarized the law of confidence as “[the imposition] of a duty of confidence whenever a person receives information he knows or ought to know is fairly and reasonably to be regarded as confidential”
[3] Douglas v Hello! Ltd [2001] QB 967, per Keene LJ.
[4] Campbell v MGN Ltd [2004] A.C.457
[5] Faccenda Chicken Ltd v Fowler [1987] Ch. 117
[6] Coco –v- AN Clark (Engineers) Ltd. [1969] RPC 41; Murray –v- Yorkshire Fund Managers Ltd [1968] 1 WLR 951. See generally Clerk & Lindsell on Torts, 19th edition (2006), Chapter 28, paragraphs 28-01 and 28-02
[7] The formation of electronic contracts subsists as a subset of all contractual formation. By their very nature and as it is expressed in a large number of contractual disputes which occur every year without dispute as to the content of the contract, contracts are uncertain. Thus it must logically follow that there will always remain a level of uncertainty in electronic contract formation. At best, if all uncertainty associated with the electronic nature of a contract was removed leaving no dispute between the natures of formation whether written, verbal or electronic; there remains room for uncertainty.
[8] Attorney General v Observer Ltd. and Others (on appeal from Attorney General v Guardian Newspapers (No.2)) [1990] 1 AC 109, see especially pages 281 B-H and 282 A-F, per Lord Goff of Chieveley. See: Clerk and Lindsell on Torts, 19th Edition (2006), Chapter 28, paragraph 28-05
[9] Malone v Metropolitan Police Commissioner [1979] 2 WLR 700 at 716, per Sir Robert Megarry V-C and see also W v Edgell [1990] Ch. 389; and R v Crozier [1991] Crim LR 138, CA.
[10] Schu, Reinhard “Consumer Protection and Private International Law in Internet Contracts” International Journal of Law and Information Technology (1997) 5 Int J L & IT 192.

Monday, 12 September 2011

What is a format string?

The following is a small excerpt from an article I have written for Hakin9. It is part 1 of 2 and comes out on the 22nd of Sept 2011.
 
Not all security people are programmers, and consequently we need to start by defining what a format string is. A format string is basically a set of special parameters that define how a variable number of arguments are to be displayed when a string of data is sent to stdout.

Format strings are primarily known from the C family of languages, but are also used by Perl, PHP and many web scripting languages to determine how variables will be displayed. In the C programming language it is necessary to define variables such that they are stored as a specific data type, such as integer values (int), character values (char) and many other types. In C and C++ programming, format strings are primarily used by the printf()[1] family of functions.

An example of a format string arises if we wish to display the price of an item for sale from a catalogue. If we wish to output that value as a floating-point number between $0 and $999.99, with a minimum width of three characters and always two digits after the decimal point, we could do this by using the format string "%3.2f".

I pick on this book a lot, but Teach Yourself C in 21 Days by SAMS has so many good examples of how not to code that I cannot go past it. The authors entirely ignore both buffer overflow attacks and format string vulnerabilities. Figure 1 shows this book's table of the common conversion specifiers. I recommend this book to all aspiring security professionals; it provides excellent training material for bug hunters and reverse engineers to uncover and practice exploiting.

In C code, format string vulnerabilities are devilishly simple to overlook. An example is displayed in the code snippet listed below. For the most part, the code will function correctly as long as we do not input unexpected data.
     1: strcpy(buff, argv[1]); /* Previously defined array "char buff[64]" */
     2: printf("\nHere we have typed our format identifier: %s\n", buff);
     3: printf("Oops, we forgot to add a format identifier here");
     4: printf(buff);

Code segment 1: Oops… we left a simple bug

In Code segment 1, the vulnerability occurs at line 4. Ideally, we should have placed a conversion specifier in line 4 just as we see in line 2. Line 4 could be better written as:
     printf("%s", buff);
 
Forgetting those few simple characters makes all the difference.
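The hardened pattern in working C, as an added example (not code from the article or its author): the catalogue-price specifier described above, a bounded copy in place of the unchecked strcpy on line 1, the fixed "%s" form of line 4, and a small audit check that counts '%' directives in data that was never meant to be a format string. The function names and the sample input are my own constructions.

```c
#include <stdio.h>
#include <string.h>

#define BUFF_LEN 64  /* matches the "char buff[64]" array in Code segment 1 */

/* Bounded replacement for the unchecked strcpy(buff, argv[1]) on line 1 of the
 * snippet: copies at most bufflen-1 bytes and always NUL-terminates. Returns 1
 * when the input had to be truncated so the caller can log or reject it. */
int copy_bounded(char *buff, size_t bufflen, const char *src) {
    size_t n = strlen(src);
    int truncated = n >= bufflen;
    if (truncated) n = bufflen - 1;
    memcpy(buff, src, n);
    buff[n] = '\0';
    return truncated;
}

/* Hardened form of printf(buff): the user-controlled text is an argument to a
 * fixed "%s" format, so any '%' it contains is copied literally instead of being
 * interpreted as a conversion directive. Writes to a caller buffer rather than
 * stdout so the result can be checked. Returns the formatted length. */
int echo_safe(char *out, size_t outlen, const char *user_text) {
    return snprintf(out, outlen, "%s", user_text);
}

/* The catalogue-price example: minimum field width 3, two digits after the
 * decimal point, i.e. the conversion specifier %3.2f. */
int format_price(char *out, size_t outlen, double price) {
    return snprintf(out, outlen, "$%3.2f", price);
}

/* Defensive check: counts conversion directives in data that was never meant
 * to be a format string. "%%" is an escaped literal percent, not a directive.
 * A non-zero count in an argv value or log field is a useful audit signal. */
int count_directives(const char *s) {
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* skip the escaped "%%" pair */
        count++;
    }
    return count;
}

int main(int argc, char **argv) {
    char buff[BUFF_LEN];
    char out[128];
    /* Constructed sample standing in for argv[1] when none is supplied. */
    const char *input = argc > 1 ? argv[1] : "Hello %s %x %%";
    int directives;

    if (copy_bounded(buff, sizeof buff, input))
        fprintf(stderr, "warning: input truncated to %d bytes\n", BUFF_LEN - 1);
    directives = count_directives(buff);
    if (directives > 0)
        fprintf(stderr, "warning: %d conversion directive(s) in untrusted input\n",
                directives);

    echo_safe(out, sizeof out, buff);
    printf("Here we have typed our format identifier: %s\n", out);
    format_price(out, sizeof out, 5.5);
    printf("Catalogue price: %s\n", out);   /* prints "Catalogue price: $5.50" */
    return 0;
}
```

Compile with -Wformat-security as well: the compiler flags the original printf(buff) form but stays silent on the fixed "%s" form used here.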

[1] printf refers to print formatted in the printf() family of functions commonly used and taught within the C programming language family.