Saturday, 17 March 2012

Dynamic disequilibria and the creation of criminal opportunity

The security industry and criminal activity feed upon each other. Crime and entrepreneurship each create opportunities for the other. In this process, new innovations arise, allowing both the growth of new forms of criminal activity and the ensuing opportunities for alert security professionals.

Markets spawn their counter. That is, criminal markets spawn new forms of countermeasure, and each of these, reactively as well as proactively, introduces new opportunities. So each security improvement creates a new form of criminal activity, and the growth of new criminal groups leads to a fresh set of entrepreneurial risk and security firms, better aligned to meet the changing challenges and problems posed by the new form of criminal action, arising to fill this newly created dislocation.

Where criminal “innovation” is lax, generally due to the failure of the criminal organization to extract sufficient profit for the level of risk they are exposed to, innovation may be driven down.

Hence, increases in the risk associated with crime, or the generally deficient conditions in a black market and the associated reduction in profitability, lead to reduced incentives to create new forms of crime, and the incumbent players (criminal groups) entrench and act to protect their existing market share.

Any time a set of concurrent disequilibria results from innovation, opportunities inevitably follow. This is true for the legitimate market as well as for a black or criminal market.

In long-term states of relatively low disequilibria, all societies stagnate. This is equally true of crime, where the condition leads to a form of entrenchment and lethargy.

However, disequilibria arise from many sources, and the introduction of innovation into markets creates a corresponding round of opportunities in associated markets, including those we seek to minimise, such as criminal ones.

The 1937 Crash

Social security was the start of a crash every bit as large as the 1929 stock market correction, and yet it seems to be overlooked and forgotten, leaving the constant set of interventions and resulting crashes to be treated as infrequent events that come only rarely and are not tied to the changes in government policy that precede them.

Why do I say the interventions preceded it? Well, like all other crashes, there is generally a policy of “good intention” acting to make the “world a better place” at a then-unseen expense (but at the cost of other people’s money).

In 1937, social security came into being. Designed to “help” and to ensure people had a safety net in case they lost their job, its initial result was a large-scale loss of jobs, with a system that had nothing in it to actually fund people for many years, and then a scheme where we saw a pyramid built on the notion that the population will always increase sufficiently to fund it into the future.

The start of social security in the US took a large sum out of the economy. The result was a widespread loss of jobs, leading to nearly 19% of the US workforce being made unemployed. So much for a Roosevelt-led recovery from the Great Depression.

Worse, corporate profits slumped. Due to the downturn in the economy, as people could no longer fund their prior expenses and stopped consuming, corporate profits were directly affected and were cut by as much as 80% from the already lowered profits seen in the limited years of the early 30s. Industrial output slumped by over 40%.

The result: the relief lines and the numbers seeking aid rose. In fact, these people were coming out of the proverbial woodwork. In the year following the introduction of social security, the number of people requiring help rose by 400% in cities such as Detroit.

It was another four years before the US economy started to recover from this act of good will. Yet we continue to fail to see the cause of crashes as interventionist policy, and instead attribute them to business cycles.

Maybe we would all be better off if we started to see business cycles as a consequence of uncertainty generated through political “good will”.

Friday, 16 March 2012


Of late I have been working on a series of articles/papers for Hakin9. The intention is to create a set of works that I can use together as a training and instruction set for people wanting to learn reversing and exploit writing and deployment.

Some of these have been published and others will soon be available. For now, there are four papers online and ready to read.

  1. Beyond Automated Tools and Frameworks: the shellcode injection process (Feb 20 2012)
  2. Starting to Write Your Own Linux Shellcode (Jan 23 2012)
  3. DPA Exploitation and GOTs with Python (Dec 21 2011)
  4. Exploiting Format Strings with Python (Oct 24 2011)

In the coming months the following articles will continue the series:

  • Understanding conditionals in shellcode (Submitted)
  • Taking control, Functions to DLL injection (in writing)
  • Extending Control, API Hooking (in planning)


But for now… planning the webinars. The next one to come is below:

Webinar: "Intro to Security in IPv6"

In this Webinar you will learn what the Internet Protocol version 6 (IPv6) is, know who has adopted it, understand the vulnerabilities causing security concerns, and learn methods used to protect networks against attacks.

Join us for a Webinar on March 30
In this session you will learn what the Internet Protocol version 6 (IPv6) is, who has adopted it, the vulnerabilities causing security concerns, and the methods used to protect networks against attacks and attack tools. IPv6 security forms the basis of the coming protection measures for the next Internet Protocol. You will also learn of the coming changes and where to find further information.

Friday, March 30, 2012, 12:30 PM - 1:30 PM AEDT

After registering you will receive a confirmation email containing information about joining the Webinar.

System requirements: PC-based attendees require Windows 7, Vista, XP or 2003 Server; Macintosh-based attendees require Mac OS X 10.5 or newer.


Misconceptions surrounding copyright

Many think that when you pay a company to create something for you that you naturally own the copyright. This is not correct. Copyright requires an explicit transfer of rights.

When an author or contractor undertakes an assignment to write a report, that report does not become the sole property of the organization who commissioned it unless they have expressly stated a transfer of rights in the contract.

When a work is created by an employee, that is a separate matter.

This is always a complex issue, but the general rule for written works is that the author owns the copyright. Even where the author is a journalist under an employment arrangement for a blog, magazine or newspaper, they do not lose their rights to use their creation. In fact, the journalist maintains the rights for selected purposes, including use in the creation of a book or for photocopying. Here the employer maintains all other rights [s 35(4)].

What this means is that even where a person was employed to create a report, they can still maintain the rights to include that material in a book that they publish. That is, they can (even as an employee of a magazine, say) take their own material and publish it as part of a book deal. Here, the original employer does maintain rights over the report, but the author has the right to use their creation in a derivative work.

It is significant to note that the general rule and the exceptions can be altered through agreement and by assignment [ss 35(3), 97(3), 98(3), 179]. As a consequence, a company can commission a work where the company requires the author of the report to sign an agreement that the company owns the copyright. It is possible to assign copyright ownership through written contract. As a result, it is unwise to assume that the owner of a copyright will be the creator of the work in question, the company who commissions the work, or even the creator’s employer. Before jumping to conclusions, ownership should be checked in each particular case.

Copyright law specifically recognizes that both works and derivative works may be made by more than one party.

This is referred to as a work of joint authorship. In this instance, the copyright in such a work is jointly owned unless it is specifically contracted otherwise (that is, the rights have been separately assigned). A work will be deemed to be jointly owned where the contributions of any one author are not distinguishable.

This differs from instances where various authors contribute separate parts of a work, such as separate chapters. Here, the authors are not joint authors, but each author holds the copyright in the material created through their own input.

So, when a paper or report has been created jointly through the involvement of several individuals, the authors, whether in committee or through whatever process, each hold copyright in the material they have created. Each author can make derivative works using the whole, or even republish a book using the material.

Thursday, 15 March 2012

What forms a loop?

The following is a small excerpt from an article I am publishing in Hakin9 next month.

All shellcode loops are composed of five (5) parts. These are:

  1. A control variable. Each loop will contain a set of variables that can be evaluated to see if the loop should continue or end.
  2. The initial value that initialises the loop has to be set for each of the control variables.
  3. The block of code that acts as the body of the loop. This is the code that is run at each iteration of the loop.
  4. The modification process. This stage changes the control variable.
  5. An end condition. Although not strictly necessary (it is possible to have an endless loop) it is generally considered necessary to have some end to the loop such that it stops and does not run eternally.

Loops are an important component of creating shellcode. They enable the author to obscure their code (through encryption and decryption routines), to add port and IP scanning functions into the shellcode, to enact denial of service attacks and to create keystroke loggers, amongst other things. Although there are many forms of looping instructions, the primary ones we will address are “for loops” and “while loops”.

For Loops

We can see a simple for loop disassembled into machine code in Figure 4.


Figure 1: A For Loop in action

All loops are actually functionally equivalent (Zakharov, 1999) and can be written in different ways. We define them as we do for reasons of elegance and performance, an art more than a science.

In the “For loop” the initialisation, update routine and ending conditions are specified at the start of the loop. This is the primary difference from a while loop, where the ending conditions are defined at the end of the loop and the control and update routine is set within the body of the loop. There are of course many ways to represent even a simple for loop, and this makes the reversing process far more complex than it may seem it should be (and hence is also part of why there are as yet no truly automated decompilers).

From this, we can quickly deduce that a stopping condition at the start of the loop would best fit a “For Loop” whilst a stopping condition located at the end of the loop best forms a “While Loop”.

In the example (Figure 4), we start by setting our variable “i” to a value of 0 and create a routine to increment this value by one on each iteration of the routine. The loop is set to end or complete when the value of “i” reaches or exceeds 100. This means that our loop will iterate 100 times.

The C/C++ code is listed to the left of the figure with the functionally equivalent assembly code listed on the right. In order to initialise our variable “i” in assembly, we have set the EAX register to contain the value 0. As this is a “For Loop”, the completion or ending condition is checked at the start of the loop, and we have this written as a “CMP EAX, 100” assembly instruction where the conditional jump (JNL) is taken if EAX is greater than or equal to 100. Basically, we loop until the value stored in EAX equals 100.

The value in the EAX register is incremented by 1 each time the code block is iterated, and the check routine at (2) is again engaged.
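The figure itself is not reproduced here, so the following is an added example (my own C, not the Hakin9 article's code or its disassembly) that writes the same 100-iteration loop four ways. Each version returns how many times its body ran, so the five parts listed above can be located in each form, and the goto version spells out the MOV / CMP / JNL / INC / JMP shape of the assembly the text describes. The do/while version is included to show the difference a check-at-the-end loop makes when the limit is 0; the names `count_for`, `count_while`, `count_goto` and `count_do_while` are mine.

```c
#include <stdio.h>

/* Added example: the same loop written four ways. Each function returns the
 * number of times the loop body executed for a given limit. */

/* 1. The "for" form: control variable, initial value, end condition and
 *    modification are all declared in the loop header. */
int count_for(int limit)
{
    int body_runs = 0;
    for (int i = 0; i < limit; i++) {     /* init; end condition; update */
        body_runs++;                      /* loop body */
    }
    return body_runs;
}

/* 2. The "while" form: the initial value is set before the loop, the
 *    modification sits inside the body, and the check stays at the top. */
int count_while(int limit)
{
    int body_runs = 0;
    int i = 0;                            /* initial value */
    while (i < limit) {                   /* end condition */
        body_runs++;                      /* loop body */
        i++;                              /* modification */
    }
    return body_runs;
}

/* 3. A goto form mirroring the disassembly described in the text:
 *    EAX <- 0, then CMP EAX,limit / JNL at the top, the body, INC EAX and a
 *    JMP back to the compare. JNL is "jump if not less" (signed), which is
 *    exactly the !(eax < limit) test below. */
int count_goto(int limit)
{
    int body_runs = 0;
    int eax = 0;                          /* MOV EAX, 0 */
loop_top:
    if (!(eax < limit))                   /* CMP EAX, limit ; JNL loop_end */
        goto loop_end;
    body_runs++;                          /* loop body */
    eax++;                                /* INC EAX */
    goto loop_top;                        /* JMP loop_top */
loop_end:
    return body_runs;
}

/* 4. Check-at-the-end form (do/while): the body runs once before the first
 *    test, so a limit of 0 still yields one iteration. This is the shape a
 *    reverser sees when the conditional jump sits at the bottom of the block
 *    and jumps backwards. */
int count_do_while(int limit)
{
    int body_runs = 0;
    int i = 0;                            /* initial value */
    do {
        body_runs++;                      /* loop body */
        i++;                              /* modification */
    } while (i < limit);                  /* end condition, tested last */
    return body_runs;
}

int main(void)
{
    printf("limit 100 -> for: %d  while: %d  goto: %d  do-while: %d\n",
           count_for(100), count_while(100), count_goto(100), count_do_while(100));
    printf("limit 0   -> for: %d  while: %d  goto: %d  do-while: %d\n",
           count_for(0), count_while(0), count_goto(0), count_do_while(0));
    return 0;
}
```

With a limit of 100 all four functions report 100 iterations, which is the point the text makes about functional equivalence. With a limit of 0 the three top-checked forms run the body zero times while the do/while form runs it once, which is the observable difference between a compare-and-jump at the top of a block and one at the bottom when reading a disassembly.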


Zakharov, V. A. (1999). On the decidability of the equivalence problem for orthogonal sequential programs. Grammars, 2(3), 271-281.