May 10, 2010

The metamorphosis of the RaDaJo Security Blog: Taddong's Security Blog

With the establishment of our new company, Taddong, we have started a new blog: Taddong's Security Blog. This blog replaces the RaDaJo Security Blog effective immediately, therefore, this will be our last post here. RaDaJo will not disappear, so that its contents remain accessible, but it will be frozen; no new content will be added to it in the future. After almost four years of publishing entries on this blog and sharing different security topics and opinions with you, we have to say... ¡hasta la vista!

New technical articles, tools, and additional security research are going to be published in the new blog, together with Raul's security book reviews. We take this opportunity to announce the existence of Raul Siles Book Preferences, a list that will (at least temporarily) keep the old RaDaJo name as the bequest of the original blog, where the security book reviews started to be published.

If you want to stay with us in this new journey, as a new Taddong blog reader and follower, do not forget to subscribe to the new blog by using the syndication buttons available on its sidebar. We will be glad to have you with us!

RAul, DAvid & JOrge

March 30, 2010

Security Book Review: Mobile Malware Attacks and Defense

Mobile Malware Attacks and Defense
Author: Ken Dunham et. al.
Editorial: Syngress
Publication date: November 14, 2008
ISBN-10: 1597492981
ISBN-13: 978-1597492980


Summary: An historical reference of mobile malware and threats, plus a technical introduction to its analysis and in-depth inspection.

Score: 4/5

Review:
Security threats on mobile platforms are one of the key topics and
main targets for the next couple of years, given the ubiquity and popularity of these devices, plus their advanced capabilities and use of sensitive application: micro payments, online banking and e-commerce, access to "the cloud", etc.

This book is one of the few references, if not the only one (till very recently), focused on the multiple security aspects of the mobile ecosystem. As such, it constitutes a great historical reference about what mobile malware (referred as MM) and threats were until its publication, in late 2008.

The book starts by introducing mobile malware, although it can be a bit confusing for the novice reader, as it mixes up attacks, tools and threats (most them Bluetooth based), and for example, WiFi is not even mentioned (yet). The next chapter (ch 2) provides an interesting overview on how mobile malware shows up in a terminal from a user perspective, including the most common behaviors and the kind of interaction expected from the user. It would be great to have a detailed explanation of the propagation method, as with CommWarrior, for all the samples analyzed in this chapter.

The next three chapters (ch 3-5) are a really valuable historical reference about mobile malware, including its timeline, how it has evolved since 2000 till 2008, the types of threats, categorized by malware families, the most significant or famous specimens, such as Cabir in the Bluetooth side, plus an extensive taxonomy of mobile malware and threats based on the infection strategy, distribution and payload. Although some tables, with more than 400 references, could have been moved to an appendix to facilitate the reading, this set of chapters summarizes how mobile malware seriously started, back in 2004, and evolved over time. The comparison of different pieces of malware, and the extra analysis of the most relevant specimens, together with the technical details they used to survive, makes this section of the book a very good "encyclopedia".

Then, the book reflects the influence of multiple authors, presenting different unconnected and independent chapters. The phishing, SMSishing and Vishing chapter moves out of the mobile space, covering lots of details about these threats on traditional environments, such as common web browser based solutions, and the usage and purpose of the network captures attached is still not clear to me. I still remember my surprise from a technical perspective when I read that the transmitted data between the client and the verification server could not be identified, as they were using an SSL connection: "What about using a HTTP(S) interception proxy?" Finally, it includes an extensive phishing academic research mainly based on Bayesian networks and a distributed framework, which on my opinion, is clearly out of the scope of the book.

The more technical chapters come next; chapter 7 focuses on the core elements for the most widely used mobile platforms, their protection mechanisms and how they have been bypassed in the past, covering mainly Windows Mobile (WM), iPhone, Symbian, BlackBerry and J2ME (Java). It includes a extremely short summary on prevention and exploitation. This is complemented by the techniques, methods and tools available for the analysis of mobile malware (ch 8), the in-depth details for the disassembly and debugging of associated binaries (ch 10), plus the strategy and main constraints to perform a forensic analysis on this type of devices (chapters 8 and 9). This is by far the most relevant technical portion of the book.


The book follows the old and useful Syngress layout tradition of adding a few common sections at the end of each chapter to reinforce the material covered: Summary, Solutions Fast Track, and FAQ.

The first portion of the book (ch 1-5) will be an eye opener for a non-technical audience; highly recommended, together with the last chapter (ch 11) focused on the defensive side and how to mitigate all the threats covered along the book. The second portion for the book (ch 7-10) is focused on security professionals, mainly incident handlers and forensic analyst that need to deal with the technical aspects of mobile attacks and infections.

Due to the new mobile threats and issues that turned up in 2009 for the advanced smartphone platforms (like iPhone or Android), and the trend for new and more dangerous specimens expected in 2010, a second volume or edition would be a must.

UPDATE: Amazon review (first one).

Labels: , ,

March 27, 2010

Security Book Review: The IDA PRO Book

The IDA PRO Book
Author: Chris Eagle
Editorial: No Starch Press
Publication date: August 12, 2008
ISBN-10: 1593271786
ISBN-13: 978-1593271787


Summary: Do you really want to master the art of disassembly? Start here!

Score: 5/5

Review:
Honestly, when picking up a book that is focused on a single tool, as in this case, my main concerns are: how linked (and limited) the content is
to the tool and its capabilities, if the book can become obsolete soon with new versions of the tool, and what else the material offers to the specific field out of the tool.

In this case, it is fair to say that IDA Pro (http://www.hex-rays.com/idapro/) is the most popular disassembly tool (and debugger now) in the market during the last decade, so covering it is like going deeper into the field of malware analysis, software reverse engineer and
vulnerability research. Beginners can start playing with the evaluation version, while professionals have been using the Pro version for a long time.

Apart from that, the moment I realize Chris Eagle was the book author, it added some excitement to the mix. I know Chris when we released the Scan of the Month 32 challenge on the Honeynet Project (http://old.honeynet.org/scans/scan32/), back in 2004. The challenge was focused on analyzing a home-made malware binary, called RaDa, and Chris was the winner (http://old.honeynet.org/scans/scan32/sols/1-Chris_Eagle/); he even developed an IDA Pro script to unpack the binary and solve it.

Therefore, the book title does not make any justice to its contents :), as this is not only The IDA PRO Book or the unofficial guide, but the modern software disassembly
(static binary analysis) masterpiece and The IDA Pro Bible.

The first two chapters are a must for anyone starting in the world of reversing and disassembly. Something I really liked about the introductory chapters is how the author establishes the relationships between the different functionality available in IDA, and other (more traditional) single tools offering similar capabilities.

Then, the book goes in depth into IDA, getting started, covering the interactive interface and navigation capabilities, including the well-known and the most hidden features, explaining how to manage data types, structures and projects, the beauty of cross-references and graphs, and how to extend and customize IDA for extra advanced analysis (libraries, IDC scripts, plugins, modules, etc). It offers the advance readers the required skills and tools to move their analysis activities to the next level.

Every chapter is preceded by a great introduction explaining what is it about, and when and why this chapter is important for the analyst. Chapters do not simply move over the different menus and capabilities of IDA Pro, but describe them within a context based on the author experience after years of binary analysis, going in depth into the essence and goal of a given feature, the way to use it and the common drawbacks. Chris also uses his experience to highlight what is the most typical finding and tool output in various scenarios and why.

The book ends up with a few chapters that challenge the reader to put in action the skills learned throughout the book into real-world applications. Finally, it covers the new debugging capabilities (dynamic binary analysis) available since IDA version 4.5. For those starting in the field, appendix A points out the differences between the free and the commercial IDA version, and how these may influence your interest on specific book chapters.

The book is highly recommended to both beginners and intermediate/advanced users and professionals, and definitely it is a dense (like the tool it covers) but very easy to read book that becomes a reference in your bookshelves the minute it reaches your hands. Besides that, its contents won't easily become obsolete with new IDA Pro version. It is not a book to read in a couple of nights; this is the kind of "practical" book that I strongly recommend to read with a computer and a running copy of IDA handy, so that you can test all the tips and tricks and practice the topics being discussed.

UPDATE: Amazon review.

Labels: , ,

December 13, 2009

Assessing and Exploiting Web Applications with the open-source Samurai Web Testing Framework

This week, December 10, I participated in the first OWASP international conference cellebrated in Spain, and specifically, in Iberia. IBWAS'09, the Iberic Web Application Security Conference, by the Spanish and Portuguese OWASP chapters, promoted the need of (web) application security controls and I predict it will be the conference of reference in upcoming years in the region. It was interesting to start by listening to Bruce Schneier talking about the present and future of the information security industry.

As an active member of the Samurai-WTF project, my presentation described Samurai-WTF main purpose plus its recent additions, available from the official SVN repository. I ended up with a hacking demo to demonstrate the power of integrating multiple attack tools in a single platform for web-app pen-testing exercises:

The Samurai Web Testing Framework (WTF) is an open-source LiveCD focused on web application security testing. It includes an extensive collection of pre-installed and pre-configured top penetration testing and security analysis tools, becoming the perfect environment for assessing and exploiting web applications. The tools categorization guides the analyst through the web-app penetration testing methodology, from reconnaissance, to mapping, discovery and exploitation.
This talk describes the actively developed Samurai WTF distribution, its tool set, including the recently created Samurai WTF Firefox add-ons collection (to convert the browser in the ultimate pentesting tool), the advanced features provided by the integration of multiple attack tools, plus the new tool update capabilities.

If you are interested on the project, start by checking the "Assessing and Exploiting Web Applications with the open-source Samurai Web Testing Framework" presentation, and join the project in sourceforge.net (and the mailing list).

Become a Samurai!

Labels: ,

December 12, 2009

Hacking Challenges: Have Fun Improving Your Skills!

Last week, December 3, I was presenting an @Night event during the SANS London 2009 conference, focused on hacking challenges and how they can be used to improve your skills and knowledge while having fun:

Hacking and security challenges are a great and effective training tool. They provide a platform to improve everyone's skills by forcing all candidates to devise an offensive or defensive tactic, apply different techniques, and squeeze the available tools to succeed. The acquired knowledge can be later on applied to real-world ventures.

This interactive session will guide the audience through some scenarios associated to penetration testing and hacking challenges published over 2009. Apply your technical skills and knowledge to solve these challenges while having fun!


The interactive session was very fun and people actively participated, and performed really well, to solve a compact version of the "Prison Break" challenge in one hour. This has been the first event where we have announced the birth of a new security company, called Taddong, focused on advanced security services. More details about it in the upcoming weeks...


The presentation is available here: "Hacking Challenges: Have Fun Improving Your Skills!".

During the session, on purpose, the last portion of the challenge remained unsolved, that is... what is the input required to generate the Scylla validation code (you already know it is a hash)?

6189db841f01413a05a53b7135137a17

For those attending the session in London, I recommend you to open the presentation, review the challenge details, and try to figure out how to generate the code without using Google ;), and before reading the official solution.

Have fun! Taddong is coming...

Labels: ,

November 02, 2009

Security Book Review: Chained Exploits

Chained Exploits: Advanced Hacking Attacks from Start to Finish
Author: A. Whitaker, K. Evans, J. B. Voth
Editorial: Addison-Wesley Professional
Publication date: March 9, 2009
ISBN-10: 032149881X
ISBN-13: 978-0321498816



Summary: A multi-scenario hacking adventure novel focused on combined real-world attacks.

Score: 5/5

Review:
The penetration testing (and criminal) field has focused during the last years on increasing the foothold on compromised systems, proving advanced pivoting and post-exploitation techniques that might help to expand the compromise to other systems or critical resources. This book is a novel that describes these reality by telling hacking stories where multiple
techniques, tools and vulnerable input vectors are exploited in order to accomplish a variety of clearly defined attacks and goals.

Each chapter is a well structured story describing multiple attack scenarios. From credit card theft, to insider threat, going through corporate espionage focused on stealing confidential intellectual property, the launch of a DoS attack in a key point in time, the risk and exploitation of inter-corporation network connections, physical access to healthcare records, up to social networking and wireless break-ins.


The book is a modern fictional narrative with technical touches, covering attacks from start-to-finish in elaborated stories (my score evaluates the book from this perspective). However, by reading the book description, you might expect a deeply technical book that will teach you how to perform those attacks, and... it is not.

Every attack story is introduced by setting the stage and the overall attacker approach. Besides that, it is surrounded by a few final defensive tidbits and conclusions, describing
countermeasures to mitigate the various attacks covered. This book may act as an excellent eye opener for managers and top level positions (see recommended audience below) in order to understand how small security investments and tweaks can definitely help to increase the overall protection of a target environment substantially.

Unfortunately, from a technical perspective, some of the technical details have not been thoroughly reviewed, such as the output of nmap (order of ports), the unexplained switching of target systems from Vista to XP, the targeting of RDP while not on the port scan (chapter 4) , or the coverage of some tools. Some attacks are a bit outdated, such as the silent winpcap installation to capture traffic from a target box. However, I must admit this book inspired some of the components of a recent "Prison Break" hacking challenge I released this summer (2009).

Specific portions of the book and, overall, the story plot, is well written from a novel perspective, and as
particular attacks are progressing, it made me feel the common excitement we get when we are involved in a real penetration test and successfully progressing through the targets, getting the adrenalin going.

This book is highly recommended for people entering in the security field, and for experienced technical security pros in two ways. On the one hand, it's an enjoyable and entertaining novel for a weekend or vacation period. On the other hand, it is a very good reference to give to managers and CxO positions so that they can get a feeling of how real-world attacks look like nowadays and the kind of targeted threats they may face.

UPDATE: Amazon review.

Labels: ,

Security Book Review: VMware vSphere and Virtual Infrastructure Security - Securing the Virtual Environment

"VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment"
Author: Edward L. Haletky
Editorial: Prentice Hall PTR
Publication date: July 2, 2009
ISBN-10: 0137158009
ISBN-13: 978-0137158003



Summary: The reference for securing virtual environments, in particular, VMware-based.

Score: 5/5

Review:
I
n the first half of this year (2009), I was involved on extending my previous research on virtualization security, and specifically, I focused on securing and hardening VMware ESX environments. This stirred up my interest on this book. To sum up what this book is all about: "I would have loved to have this book handy back by that time, as it would have saved me tons of time" Instead, I had to read and compare multiple VMware security guides from VMware, CIS, NIST, etc, and perform an extensive hands-on research on my own.

The book offers a very solid and broad analysis of multiple security issues on virtual environments, covering not only the technical aspects associated to the virtualization hosts, virtual machines, and virtual data and storage networks, but also management and operational issues, availability concerns, and other common related tasks on newly deployed, or already established, virtualization setups.

The first two chapters focus on security threats and attacks, a basic foundation required for the cross-references available throughout the book, that can be skipped by the on-the-field security readers.

The next three chapters focus on offering best practices and security recommendations for different key components of any virtualization platform, such as the hypervisor, the storage network, and virtual clusters. The next couple of chapters cover most of the security aspects that must be considered on the design, deployment and operation of a virtual environment.

Although all these chapters provide a very good quality security advice, it is not complemented with hands-on examples. I think this could be improved by adding more detailed sections describing step-by-step how to complete the security recommendations exposed, not just what need to be done. However, I understand it is required to cut the size of the book at some point. A good example of how to extend this idea can be observed on chapter 6, where the integration between VMWare ESX and a directory service is covered in depth.

However, both the technical and operational aspects are integrated smoothly, offering a great in-depth overview. Apart from that, the whole recommended list of things to consider in order to get a more secure virtualization infrastructure is summarized in a useful set of boxes called "Security Notes" and spread all throughout the book. These boxes can be easily used as a checklist when deploying or assessing the security of virtual solutions.

My favourite chapters are chapter 8, and specially 9, where virtual machine and virtual networking security is analyzed, respectively. Chapter 9 offers a whole set of networking scenarios and discusses pros and cons to the number of (physical and virtual) network cards and its configuration. A
very practical and thorough work!

The book ends up with three special chapters. Chapter 10 covers the new VMware virtual desktop infrastructure (VDI) and the security issues around it. Due to all the client-based attacks nowadays, most probably it is going to be a de-facto standard pretty soon, so getting involved on the virtualization of client systems is a must. Chapter 11 provides a detailed guide to harden VMware ESX and ESXi hosts, a mandatory initial process for every new virtual deployment. Finally, chapter 12 provides a quick and interesting introduction to digital forensics (and data recovery) on virtual enviroments, mainly focused on how to deal with virtual file systems, such as VMFS, VMDKs, and raw disks. A quick recommended read for forensic analysts interested on expanding their skills to virtual victims.

There are a few things I feel will improve the book contents. Unfortunately, due to the publication deadline, its coverage of the latest VMware vSphere virtual architecture is pretty limited, as the author clarifies. Besides that, considering the frequent security updates and patches released by virtualization vendors, I would have liked to find a better coverage of best practices to update the virtual infrastructure itself. Finally, as mentioned previously, about half of the book includes detailed how-to sections describing how to apply the recommended settings, but the other half misses that how-to portion. I understand this may be a limitation to make the book size manageable (it's over 500 pages now).

This book is highly recommended for IT and security architects, involved in the design of new virtual solutions, as well as virtualization administrators and anyone in charge of the maintenance of a virtual infrastructure. From a security perspective, people evaluating, assessing, and suggesting improvements for virtual solutions should read the book in order to have a full overview of all the security threats and possible countermeasures. Overall, the book is a must read for anyone already involved, or planning to get involved, in virtualization. It really helps to acquire a very broad and extensive knowledge of the security considerations that apply to such a complex and modern IT architectures.

UPDATE: Slashdot review, Amazon review.

Labels: ,

October 19, 2009

Samurai Web Testing Framework (WTF) Firefox Add-ons Collection

On June 2009 Mozilla released the add-ons collections feature on their add-ons web site. As a member and contributor to the SamuraiWTF project, I would like to announce the release of the SamuraiWTF Firefox add-ons collection!

The Samurai Web Testing Framework (WTF) is a LiveCD focused on web application testing. It contains a pre-installed collection of the top web application penetration testing tools, becoming the perfect environment for testing applications.

The goal of this Firefox collection is to include the best add-ons for web application penetration testing and offensive security analysis, to convert your browser in the ultimate pen-testing tool. It is aligned with the Samurai Web Testing Framework (WTK) LiveCD distribution. I plan to keep the collection updated with new web-app pen-testing add-ons, but I would like to carefully evaluate new additions (or replacements) so that the list doesn't grow to limits where it becomes unmanageable. It includes 19 add-ons at this time.

As of today, it seems it is not possible to install all add-ons from a collection with a single click. The current SamuraiWTF add-ons collection can be installed on the latest Firefox version, v3.5, with the exception of the "Add N Edit Cookies" add-on. Although this add-on works in Firefox 3.5.*, it cannot be directly installed. There is a quick hack you can apply to install it on Firefox 3.5 until the official version is updated by its developer:
  • Go to the "Add N Edit Cookies" add-on webpage with a compatible old Firefox version, or with a different browser like Internet Explorer, and download the add-on (XPI file).
  • Change the XPI extension on the file to ZIP.
  • Extract the "install.rdf" file from the ZIP archive.
  • Edit the "install.rdf" file and replace the following line (maximum version):
  •         <em:maxversion>3.0.*</em:maxversion>
  • by:
  •         <em:maxversion>3.5.*</em:maxversion>
  • Put (drag & drop) the new "install.rdf" file back into the ZIP archive, and it will automatically replace the old version of the file.
  • Change back the ZIP extension on the file to XPI.
  • At this point, you can install the recently modified XPI add-on in Firefox 3.5.
Once you install all the add-ons within the SamuraiWTF collection, one by one, the look and feel of your Firefox browser will notably change. I recommend you to hide the add-ons toolbars visible by default. You can individually enable them at any time, such as when you are going to use each specific add-on:
  • Go to the "View" menu and select "Toolbars".
  • Deselect "Access Me Toolbar", "Web Developer Toolbar", and (specially) "HackBar".
Finally, the "DOM Inspector" add-on has been added to the collection as it is a requirement to enable all the capabilities of the "Web Developer" add-on.

Please, take a look at the collection, feel free to share your thoughts/comments (send me an e-mail), vote for this collection if you find it useful, and enjoy it!

Labels:

October 12, 2009

Prison Break - Breaking, Entering & Decoding - Challenge Answers & Winners

The answers and winners for the EH-net "Prison Break (Breaking, Entering & Decoding)" challenge (August 2009) have been published today.

The answers for this challenge were released in scoop to The Informer subscribers a few days ago. In Johnny Long words, "The Informer is a fund raising effort run by Hackers For Charity. It is designed to give subscribers a "backstage pass" to the world of Information Security. For $54 per year, subscribers get early, exclusive access to all sorts of goodies donated by the top names in the INFOSEC world. The industry's most recognized names will post blog entries here before they even post them to their own sites." The EH-Net contribution will be the answers to the Skillz H@ck1ng Challenges a few days before they are revealed on EH-Net.

It is an honor for me to drive this initiative, with the support of Don Donzal (EH-Net) and Ed Skoudis (Challenge Master), and start posting the official answers of this challenge on The Informer.

The “Prison Break – Breaking, Entering & Decoding” challenge winners have been announced on EH-net, and the answers are contained in a single PDF file (27 pages) plus three associated screencasts:
Thanks to everybody for participating on the challenge, and to Ed and Don for the opportunity. I hope you enjoyed working on it as much as I enjoyed designing and writing it!

Labels: ,

October 09, 2009

Sqlninja & Metasploit Demo

Last week I run the "Web App Pen-Testing" SANS webcast to provide a sneak preview of the SEC542 "Web Penetration Testing and Ethical Hacking" course I will be teaching in London later this year. At the end of the webcast I run a Sqlninja & Metasploit demo over the Hacme Bank vulnerable site using the recently released sqlninja patch.

This post includes a screencast of that demo (15:40 minutes):



You can access the archived version of the full SEC542 webcast from the SANS portal. Hope to see some of you, RaDaJo readers, in London!

Labels: