zonbi dot org

There has been a few posts of late with various “10 things” topics being thrown around. Most of the topics I pay attention to are of the “geek” variety even though there are many things I would consider myself, a geek not appearing in that list. But that’s a story for another day. What I am really trying to get at is my stab at the top ten “things to be thankful for in Information Security”. I haven’t seen one of these out yet so I thought I’d add my 0.02c worth..

So without any further ado.

the TOP 10 THINGS TO BE THANKFUL FOR IN INFORMATION SECURITY

(list not in order, i’m not that dumb)

nmap

Let’s be honest. We’re not supposed to tie ourselves down to one as was very well pointed out by Carlos Perez but let’s just be honest here. Nmap is the defacto standard for not just network sweeping, port scanning and banner grabbing but with the Nmap Scripting Engine there are so many more options available.

twitter

No, I’m not talking about the spate of Britney pwnage or that cat with more followers that Britney. I’m talking about getting near real time information about the latest and greatest from many sources around the globe. Just make sure your pooh filters are enabled as the signal/noise ratio is very dependent on the mood of the “Tweeple” (I loathe that word).

scripting language X

Do you think I’d be stupid enough to go down the python/lua/perl/ruby road ? But no matter what your poison, rest assured that the scripting language makes mince meat of those tedious tasks we do daily. But mostly you should all use Python because it rocks

s/vmware\ fusion/your vm_app\ of\ choice

I’ve gone the Vmware Fusion route simply because it out performs Parallels. At the end of the day it’s fantastic to be able to fire up an operating system and mess around with code/malcode/scripts knowing that if something goes horribly wrong you’re just a “Revert to Snapshot” away from being back in happy land.

scapy

Ok so I could have lumped this into “scripting language X” but that would be silly. When you need to create a custom packet or 10 (thousand) Scapy is your man (or woman). It’s easy to use and more versatile than that girl in Vegas that one time after Jeopardy…er..

rss

What better way is there to consolidate the many many news sources out there into a easy to sift through, organised chaos. “Knowledge is power (But only if you know how to acquire it).”

books

Yes, good, old school, murdering the trees books. I am sorry but I cannot for the life of me read a PDF of a 600+ page book on my PC. I have read more since starting my Information Security career than I have in my entire life. The difference between now and High School is that the topic is interesting and holds my attention more than the teacher with the low cut blouse..

the 15″ macbook pro

Ok so this is more for me personally than anything else. It seems that most of the people I know in Information Security have a shiny Apple under their arm. I’m lucky enough to have a 13″ MacBook Pro and I have to be honest and say that I can never go back to a normal PC. Just a pity about the price tag….

podcasts

Another tricky one. Yes this could have been put in with RSS feeds as a source of news but more of the podcasts I listen to are more than just a simple news feed. So Pauldotcom, ExoticLiability, Eurotrash Security, Network Security Blog, Securabit, Security Justice and DiscussIT thank you for doing what you do….

the human race

Without Joe Bloggs, Bob, Auntie Sue, Jeff from down the road or that guy that clicks on EVERYTHING, we would not have a job. No users doing dumb things (just getting through the day mostly) would mean no security holes for us tinker with..So, this last one is for you (who clicks links without checking), and you  (who writes “code” that’s secure and validated) and most of all you (who doesn’t bother to learn anything other than the blue E is for internet)

start part 1/3

#include disclaimer.h

I am by no means an expert at this sort of thing. Nor am I very good at it. This post is just about what I found today and some of the steps I took in my investigation of the problem. If you see where I have gone wrong or spot a mistake, please let me know. It’s the only way I learn.

background

Someone was doing some research on a famous designer named Dieter Rams. In particular there was a blue hair dryer that caught said someones eye. This is mostly because his search terms brought the hair dryer to the number one result in Google Image Search. So wanting to know more about the hair dryer the user clicked on the image. It went steadily downhill from there.

javascript

The image result to him to a blog post which has the photo, along with some hidden javascript in the page source which looked a little like so:

Unfortunately that little piece of the puzzle seems to be completely missing as it’s since been removed from the site. I am also a little confused as to how it got there in the first place. It wasn’t in a comment, nor was it an upload. My only thought is that it’s an existing link to a site which has since been compromised and is hosting malicious javascript…

the scan.

The first time I followed the link to the “Blue Hair Dryer of Doom” ™ I was redirected to pcmedicalbilling.com which then proceeded to tell me my machine was infected and needed to be scanned. I believe the redirection was handled by the above Javascript but without having the original source it’s hard to say. The scary thing about this is that I checked with Google and F-Secure and both said the link was good. It was only toward the end of the day that it finally got marked as malicious.

So upon loading the page you will get presented with a neat little warning claiming shenanigans afoot on your PC. I love the fact that my browser now knows when my PC is infected with malware. Great work Safari !

This will then kick off into a “scan” of your machine where it will find enough infections of various flavours to warrant you downloading something to deal with the problem.

Here you can see your machine is truly infected and in desparate need of some software assisted cleansing.

And what do you know ? They have just the application to help you out with this…

Looking at the “scan” results page you can see how easily it would dupe Joe Bloggs. It’s pretty convincing. What bothers me most about this incident is that while the search terms may have been fairly specific to the user, who’s to say that this doesn’t happen much more often. There was no dodgy links being followed, no search for pornography, just a guy trying to do research for his job…

so we have an executable

We now have an executable downloaded to our machine. I haven’t had the time to reverse engineer it yet. Mostly because I haven’t had the chance to learn reverse engineering of PE files. Yet. There was a lot more code involved here. Some very interesting javascript which was fairly obfuscated. I will be posting about this once I have had the time to sit down and analyze the code. Look out for the follow up in the next couple of days…

end of part 1/3

It’s common knowledge that I have an iPhone. I love the damn thing. Even when it bumps my monthly debit orders up to around the R1300 mark. It’s just damn awesome to be in touch 100% of the time. Who I am in touch with I don’t really know…

The following was taken from my personal phone which I backup to my local machine sans encryption. As you can see there is a scary amount of personal data that can be garnered with even the most basic knowledge of forensics. I say forensics in the loosest terms here as all I really did was play around with a few commands that I always run when I find files I know nothing about.

Before we get started, let’s imagine for a second that I am Joe Bloggs in the street with a rudementary knowledge of computers. That basically means I know how to turn it on, “use” iTunes, connect my iPhone and sync that bad boy…I know nothing about encryption save for the fact that “My bank uses it to protect me from evil hackers…”

Let’s get started.

The backups are located in ~/Library/Application Support/MobileSync/Backup/xxxx… where xxxx…is the unique identifier for your current mobile device. How this ID is made up I couldn’t say. It’s not based on the EMEI number or anything like that, although at a glance it does certainly look like a SHA1 hash of something…

Moving on. In the root directory you will see many, many files, mostly made up of the following files:

xxxx.mddata

xxxx.mdinfo

These files seems to be SHA1 hashed file names to perhaps mask the original file name, although I  can’t say for sure as I no longer have a jail broken iPhone.

There are also three plist files:

Info.plist

Manifest.plist

Status.plist

We will take a look at these files later on. But first, let’s take a look at those “mddata” and “mdinfo” files. There is just far too much “noise” coming from them to ignore.

Within my backup directory there are 957 .mddata files and 956 .mdinfo files. Purely out of habit I ran a simple “file *.mddata” and “file *.mdinfo” on the directory and lo and behold we had something interesting. Very interesting in fact….

All the .mdinfo files are in fact Apple “binary property list” files (or plist files) . These files seem to point to data files on the actual phone itself. Running the “strings” command on some of them gives some pretty interesting (although probably boring in the long run) results.

Not really a dead end, but the “.mddata” files are FAR more interesting….

Lots of different files to pick through

A quick scan with the “file” command comes up with the following file types for all the  957 samples I have in my backup directory:

ASCII text

ASCII text, with no line terminators

Apple binary property list

DOS executable (device driver)

GIF image data, version 89a, 596 x 542

HTML document text

JPEG image data, EXIF standard

JPEG image data, EXIF standard 2.21

JPEG image data, JFIF standard 1.01

JPEG image data, JFIF standard 1.01, comment

PDF document, version 1.3

PDF document, version 1.4

PNG image, 310 x 400, 8-bit/color RGBA, non-interlaced

PNG image, 320 x 460, 8-bit/color RGBA, non-interlaced

PNG image, 320 x 480, 8-bit/color RGB, non-interlaced

PNG image, 320 x 480, 8-bit/color RGBA, non-interlaced

PNG image, 480 x 320, 8-bit colormap, non-interlaced

PNG image, 805314566 x 396263525, 0-bit grayscale,

SQLite 3.x database

SQLite 3.x database, user version 3

SQLite 3.x database, user version 327686

XML  document text

data

Out of this list, the SQLite databases were probably the most fun. Most of the images in the samples were from my photos library, either the originals that I took with the iPhones’ camera, images that I had taken and added to my iPhoto database or they were the thumbnails that the iPhone or iTunes generated for display.

Databases, it’s always about the databases

Let’s take a look at the SQLite databases. There were 37 different databases on my phone. Going through each of them manually was a little tiresome but more than that a little scary.

Some of the more “entertaining” things stored in these _unencrypted_ databases include the following:

Calls (incoming, outgoing and missed)

Contact List

SMS messages

Getting the data

All of this information could be gathered using the built in sqlite3 command and either running ”.dump” or using SQL “select” statements if you wanted a more specific data set.

There is more than enough reason here to encrypt your backups. I don’t really have anything to hide in terms of state secrets or such like, but the thoughts of having personal information and messages hanging “out in the wind” like they are in these databases is a very scary though.

But wait, we have forgotten something

What about those three .plist files in amongst all those other juicy files ?

Before we go into that it’s useful to mention that 90% of the time you can simply read these files with a text editor of some sort or the more common less/most/more option on the CLI. The are simply XML formatted files with all the goodies in there for the world to see.

Info.plist

The Info.plist file contains a whole bunch of useful information about the phone including:

Device name

IMEI Number

Last Backup Date

Phone Number of the device

Serial Number

Build Version

Calendars

Contact Groups

Itunes Version

As well as a bunch of other references to what look like Base64 encoded files within the XML file.

Lots of useful information here.

Manifest.plist

The Manifest.pl file isn’t very interesting at first glance. It is again an XML file with two rather interesting looking keys, namely AuthSignature and AuthVersion. Both of which are base64 encoded files of what looks like garbage, although I am sure on closer inspection they won’t be…If anyone can find me 3 more hours in a day for me to mess around with fun stuff like this, please contact me at godiwishihadmorefreetime@gmail.com

Status.plist

The final “normal” .plist file in the backup root directory is a file called (very imaginatively) Status.plist. It contains a rather cryptic key “Backup Success“. No points for guessing what this file is about.

The Kicker

There is always one kicker isn’t there ? That one little piece of the pie that makes you go “Dammit” or “Oh hell yes” depending on which side of the fence you park your rear…

So I use 1password to store my plethora of passwords that I use for various sites, servers etc. I like it because it works very well and most of all syncs between my MacBook and my iPhone. We know how much we love to sync stuff.

So yes, naturally when I backup my iPhone to my Mac it backups up the current state of my 1password database. It does this into a very neat little SQLite database with my 1password data right there in neat little columns. Ok, so it’s not in plain site, the entries for username and password etc. are hashed, presumably with something like SHA1. I am not a cryptanalyst so at a glance I couldn’t say for certain what the algorithm is. Gun to my head I would say SHA1.

At this point I would like to point out the work being done on SHA1 collisions but I am unable to find anything decent to link to. Perhaps next time…

SO, zaCon is coming.

It’s a conference without all the fluff and hubub of commercial vendors. It’s being put on by people who live, eat, breathe and sometimes poop information security. It’s going to give people who wouldn’t usually have this platform to talk about new cool stuff they might be working on. New tools, new ideas, just about anything that’s going keeps us up at night.

There isn’t going to be any corporate sponsorship. It’s going to be very ad-hoc and probably very chaotic, but that’s a good thing. Nothing like this has happened in South Africa before (as far as I am aware).

So keep an eye on the website. The speaker list is up and running. The venue has been locked down and it’s happening.

If you have any questions, comments or general ideas, please feel free to contact people@zacon.org.za

But mostly, come along. It’s going to be alot of fun.

The days of signature based malware / trojan detection are over. We are now living in some of the most dangerous times to be using the Internet I consider if it’s even worth sticking around. Farming cats in the Karoo sounds like a far safer and less stressful job anyway. Long gone are the days when a cute character of the authors choosing would run across your screen and moon you. These days, with humanities greed, it’s all about how quickly and easily a 0-day can be transformed into a working exploit which can either be sent out in a (spear)phishing attack or hosted on some web server with Javascript doing the rest of the work. And the worst part of it all is that we are constantly playing catchup.

When new malware is introduced into the ecosystem that is the Internet at large, we rely on someone catching a specimen of this malware and either analyzing it themselves or sending it through to one of the big AV vendors who will analyze it and produce a signature which will then disseminate out to paying customers. This whole process leaves gaps which are filled by zombies and eventually botnets which plague not only home users, but big corporates. No one is safe.

Conficker, while a great example of what can be done by the community at large, is still very badly understood. No one seems to know why it’s out there and what it’s truly capable of. The media didn’t help us at all around April 1st either with all the hype that went around. I think the awful catch phrase of “Cyber Katrina” was thrown around with gay abandon. Please don’t get me wrong, I am not bashing the groups who worked on the Conficker Working Group, they did tremendous work. I am just worried that there is a fairly serious piece of malware floating around which no one seems to really know the capabilities of.

What are we going to do about this ? Switch to multi-engine scanning on our AV ? Move to a more proactive IDS/IPS setup ? How does this really help the little guy in the street ? Do you think Joe Average who just wants to download the lastest funny video from that site that needs that special codec from that other site that ends in .ru ? Oh wait…I’ve gone cross eyed. Am I the only person who is still worried that we are relying on vendors who’s principal goal is to make money for our anti-virus updates ? They’re not going to do anything rash are they ? Yes, they’re out to help us, but at what cost ?

I fear I may have too many questions and doubts with not enough answers. All I know is that there is a very, very wild west (and east) out there and suddenly, running my web browser in a Virtual Machine or Live CD doesn’t sound like such a bad idea.

Hold that thought, I’m going to fire up Vmware Fusion.