Sunday, April 25, 2010

I am a narcissistic vulnerability pimp



The Verizon Business Security Blog has drawn the line in the sand of the kitty litter box they're apparently playing in, labeling those who irresponsibly disclose "information that makes things less secure" as narcissistic vulnerability pimps.
Wow.
Time to pull those iPhone wannabes from betwixt the Verizon lily whites and dial 1-866-GET-CLUE.
I love it when risk "experts" start sounding off about that of which they know nothing.
As members of the Verizon Risk Intelligence group, clearly an oxymoron, Wade Baker and Dave Kennedy must be the same guys who describe risk level in the cloud as .4.
What?
Here's a secret.
Vulnerability disclosure is, as Robert Graham says, rude at its core.
"Hey Mr. Vendor, your code sucks, fix it."
But what about when Mr. Vendor decides to blow off the security researcher who tried on numerous occasions, via numerous channels to disclose a vulnerability?
So when that security researcher goes public after vendor FAIL, he's now a narcissistic vulnerability pimp?
Is Charlie Miller a security researcher or a narcissistic vulnerability pimp?

Attrition.org (d2d) recently summed this conundrum up succinctly:
"So what is actually responsible or ethical? The lines are blurred quite a bit. The "responsible" method is also the "painful", "expensive", and often "ineffective" method that gets little resolved for exponentially more work, time and money. Is all that waste not irresponsible? What about all of the other organizations unknowingly affected by things I've found, organizations who never got a heads-up, no less a patch, because my attempts at "responsible" disclosure failed?"

No matter how you define it, disclosure drives vendors to repair code they would otherwise neglect and leave vulnerable for the real criminals to exploit.
Yes, risk may be elevated in the time period between disclosure and repair, as well as repair and patch deployment. But if researchers wait on the likes of Oracle to fix their kluges, nothing would ever get fixed.

Dan Goodin says in his writeup, "as the recent Pwn2Own contest made abundantly clear, software makers can't be counted on to secure their products, at least not on their own."
Dan clearly be styling some bling of his own.

I at Holisticinfosec.org do hereby resolve to faithfully ignore Verizon Risk Intelligence dreck forthwith.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Sunday, April 18, 2010

Moral Hazard: URL shorteners must improve malware prevention

Suffice it to say that my job duties include trying to help reduce malicious URLs being transmitted over Windows Live Messenger.
As you can likely imagine, URL shorteners (TinyURL, Bit.ly, etc.) give me conniptions.
Blocking the root domain is not feasible as the majority of URL shortener use is not malicious.
Can you say "whack-a-mole"?
Bit.ly, as an example, claims to be scanning URLs for malware, but with 40 million plus shortened URLs a day, they are definitely missing their share of malware-lade URLs.
TinyURL suffers from the same challenges; even though they have a strict Terms of Use, endless malicious URLs are shortened via TinyURL who seems to only employ a reactive prevention model (report it and they'll remove it).
Thus, topping the list of URLs being passed via Messenger on any given day is often the likes of tinyurl.com/y6v689z.
Click and a Russian free web host offers you fotos16.com, a Trojan-Downloader.Win32.Banload variant.
What's old is new again (first detected in 2006), but no less effective when coupled with simple social engineering. Simply, the Banload Trojan downloads other Trojans and aims to steal your banking credentials.
The victim receives an IM, often from a trusted contact, that evokes Facebook content: "Hey, check out my latest Facebook pics!" No shocker there, someone targeting popular Internet resources as part of their attack methodology? Groundbreaking.
But you know what? It works over and over and over again.
All day long.
Until the cows come home.
So what does our shortened URL with a social networking lure get us?
All sorts of bonus goodies.
This sample helped remind me of how much I love NetworkMiner.
Thrash my trusty Windows XP VM, capture the network traffic, and voila, we quickly learn all we need to know.
Our Banload friend got busy in the 80 seconds I let it run in my home lab environment.
14 sessions, 23 DNS queries, 11 file downloads, and three authenticated (credentials captured as they are passed in the clear) SMTP exchanges with Brazilian free mail hosts.
Gotta have somewhere to send all those stolen credentials right?



Soapbox time.
I liken the failure of URL shortening providers to better protect users from malware to a moral hazard.
A moral hazard is "the lack of any incentive to guard against a risk when you are protected against it (as by insurance)."
A strongly worded Terms of Use does not indemnify the likes of Bit.ly, TinyURL, and others.
Too many people are getting pwnzored.
Better efforts to prevent malicious abuse of URL shortening services must ensue.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Friday, April 02, 2010

Dradis: Effective Information Sharing for Pentest Teams



April's toolsmith covers Dradis.
Dradis is a self-contained web application that provides a centralized repository for information acquired during testing in order to work completed and pending.
The Dradis project lead, Daniel Martín Gómez contends (and I agree) that failure to share “information available in an effective way will result in exploitation opportunities lost and the overlapping of efforts.”
Testing teams face multiple challenges specific to information sharing, including a variety of output types from all the tools utilized.
Testers gather results in different ways.
Each team generates different reports, and so on.
Dradis is designed to address these challenges and does so effectively.
Check it out at your earliest convenience.

The article awaits your review here.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Thursday, April 01, 2010

Malware behavior analysis: studying PCAPs with Maltego local transforms

In recent months I've made regular use of Maltego during security data visualization efforts specific to investigations and analysis.
While Maltego includes numerous highly useful entities and transforms, it does not currently feature the ability to directly manipulate native PCAP files.
This is not entirely uncommon amongst other tools, particularly those specific to visualization; often such tools consume CSV files.

With thanks to Andrew MacPherson of Paterva for creating these for me upon request for recent presentations, I'm pleased to share with you Maltego local transforms that will render CSVs created from PCAP files. Simple, but extremely useful.

I'll take you step by step through the process, starting with creating CSVs from PCAPs.
For those of you already comfortable with PCAP to CSV conversion and/or using local transforms with Maltego, here are the pyCSV transforms:

GetSourceClients.py
GetDestinationClients.py

All others, read on.
Raffael Marty's AfterGlow (version 1.6 just released) includes tcpdump2csv.pl which uses tcpdump/windump to read a PCAP file and parse it into parametrized CSV output.

Windows users, assuming that Perl is installed and all files and scripts reside in the same directory, execute:
windump -vttttnnelr example.pcap | perl tcpdump2csv.pl "sip dip dport" > example.csv.

Linux users:
tcpdump -vttttnnelr example.pcap | tcpdump2csv.pl "sip dip dport" > example.csv

To integrate the pyCSV local transforms with your Maltego instance:
1. Click Tools, then Manage Transforms.
2. Click New Local Transforms.
3. Define the Display name as the name of the local transform. Example: GetSourceClients
4. Each transform must map to an entity. Do so as follows for
each transform as you create it:
getSourceClients to Phrase
getDestinationClients to IP Address
5. Click Next.
6. The Command field should point to Python binary (C:\Python25\python.exe on Windows, /usr/bin/python
on Ubuntu 9.10).
7. The Parameters field should refer only to the transform name. Example: GetSourceClients.py
8. Work Directory should be the complete path to the directory where you keep the Nmap local transform Python scripts (suggest C:\localTransforms\pyCSV for Windows users).
9. Finish, then Save.



You'll also need a copy MaltegoTransform.py in your local transforms directory (included with the Maltego python lib during installation).

During a recent Zeus bot investigation, I used GetSourceClients.py and GetDestinationClients.py as follows:

1) Convert zeus.pcap, captured during malware analysis in a virtual ennvironment,
to zeus.csv: tcpdump -vttttnnelr zeus.pcap | tcpdump2csv.pl "sip dip dport" > zeus.csv

2) Drag a Phrase entity into the Maltego workspace, and using CopyPath, pasted the full path to the zeus.csv into the Phrase entity.

3) Right-clicked the Phrase entity, chose All, then getSourceClients.



4) Right-clicked the IP entity created for my infected host, chose All, then getDestinationClients.



5) Egress traffic to a likely malicious host immediately jumped out of the Maltego workspace at me. I right-clicked (after removing the port reference in the IP entity label) and selected AllTransforms.



6) Maltego's results were swift and validated my immediate assumption. 115.100.250.105 is a malicious Chinese (omg, really?) Zeus C&C server. Nice.
Highlighting a Website entity then choosing Detail View will tell you everything you need to know.



"Size matters not. Look at me. Judge me by my size, do you? Hmm? Hmm. And well you should not. For my ally is Maltego, and a powerful ally it is."

Yoda's right. ;-)

If you have any questions or would like saved transforms, PCAPs, or binary samples, ping me at russ at holisticinfosec dot org.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)