Madrid/Root3d CON’2012

Posted by javier on March 12, 2012

Just blogging a quick post after coming back from Root3d CON in Madrid. This year I have to congratulate the speakers again: another year, they shared interesting ideas and good technical hacks. I would say this CON speaks loud and clear about the global security scene and the industry around it. Congrats guys!

On the technical side, I would like to highlight some hot topics covered in the talks, such as banking attacks, loading malware into Domain Name Servers (DNS), subverting domotic (home automation) facilities, cracking industrial embedded devices, or bouncing across IP video and on-line weather stations around the globe.

As you can see, it was all about technical moments, although meeting Nico Waisman was an enjoyable moment too ;)

Nico is VP for South America at Immunity, Inc., where he is in charge of an international, skilled team developing professional exploits for software bugs.

I am happy to see how he and his colleagues at Immunity have built a sustainable business model around professional bug exploitation and exploit creation. If you don’t know about them, Nico’s company is responsible for an automated exploitation system called CANVAS. It contains hundreds of creative and interesting pieces of code abusing, subverting and taking control of buggy software.

This exploitation system, together with an exploit development framework, is used regularly by penetration testers and security professionals. The last time I had a look at this software (years ago!) it had only one exploit pack (a kind of add-on consisting of additional modules targeting unpatched vulnerabilities). Now their exploitation system includes several professional extensions offering specialised exploits for 0-days, SCADA, VoIP, IBM databases, web servers, OS X, mobile phone OSes, etc.

Watching CANVAS in action, you realise that any computer user is able to run automated, massive attacks easily, and how this kind of tool truly becomes an offensive weapon.

The original studies, techniques and research in this exploitation field were really interesting and productive at the end of the 90s. Nico and I talked about how this work really changed things and how this community effort improved overall OS security.

Over those years it meant not only technical changes focused on IT security, but also a shift in the mindset of many system administrators and people in charge of securing and hardening IT assets.

One decade later, offensive IT security tools are widely available. Some of them are professional tools and services, while other tooling is sold in underground markets. Either way, two things have become true:

  • In the absence of conflict we have a global, profitable and consolidated security industry fed by a continuous stream of 0-days.
  • In the presence of conflict we have a potential global battlefield, where some people talk about real cyberwarfare: politically motivated hacking to conduct sabotage and espionage between parties.

It is meaningful to read how The Economist describes cyberspace as “the fifth domain of warfare”, or how William J. Lynn states that “as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare … [which] has become just as critical to military operations as land, sea, air, and space”.

I guess knowing about automated and easy-to-use offensive tools changes the perspective a lot.

Security lessons at MSWL 2012

Posted by javier on February 20, 2012

This past weekend I finished my lessons on our Master Software Libre.

If you follow this blog you will know I usually write down the topics I teach in these lessons. It is always a good thing to get feedback and to get in touch with the people reading these lines.

By the way, this year our Master runs its fifth edition. I am proud to watch how it is working and how old and new students, teachers, collaborators, community advisors and all our friends build this knowledge community every day.

Taking a broad look, I find plenty of technologies, hacking, know-how and a lot of relevant stuff each year.

Although teaching people is always a huge responsibility, I like to start my lessons by recalling that IT security is a hot topic and that, in essence, this domain deals with sensitive and dangerous subjects; so prudence and good sense are always the right path to follow here.

OK … so what am I really teaching in those lessons nowadays? What am I covering under the topics of Physical Security, Cryptography, Networking and Security Networking? And, finally, what kind of practical labs and exercises are we working on?

Well, bearing in mind that I think IT security is a very complex topic where different social, economic and technological forces converge, I compiled all the security material covered in this fifth edition. In summary, some of the syllabus drivers were the following:

On Physical Security:

  • Physical system security methodologies
  • Environmental design
  • Design and evaluation of physical protection systems

On Cryptography:

  • Cryptographic models
  • Cryptographic systems
  • Free/open software tooling
  • Integration and usual cases

On Networking:

  • Foundations
  • User and Kernel stack implementation
  • Administration and tooling
  • Typical configurations and troubleshooting

On Security Networking:

  • Network attacks and defense
  • Good practices, blueprints and security methodology
  • Network device security
  • Network architectures
  • Integrity and availability
  • Exploitation and responsible disclosure
  • Underground markets
  • Vulnerability management
  • Risk analysis and defense models
  • Advanced and strategic defense in organizations

Aligned with these points, I ran some new live-demos and attacks too.

Apart from the usual attacks showing design flaws, networking protocol weaknesses, practical communication hijacking or break-in techniques, we studied real networks following an ethical and legal approach. It was useful to identify their strengths and weaknesses while suggesting possible solutions and alternatives.

Finally, alongside the students’ design and modelling of their own embassy, we jumped into Linux kernel land to study, line by line in the source code, how a real Linux kernel rootkit works under the hood: hiding network connections, users, files and so on.

I would like to think this new fifth cohort now has a better insight into and perception of the real risk and magnitude of the battlefield out there … I think so :)

Happy hacking!

Physical Security & Cryptography at MSWL 2012

Posted by javier on December 15, 2011

Great time at Master Software Libre teaching the Physical Security and Cryptography contents this year. Two key areas in information security and privacy.

These lessons were the first ones, taking place before my usual lessons on Networking, Security Networking and Linux Kernel.

In the Physical Security session we worked on well-known physical system security methodologies, together with two new relevant topics: environmental design, and the design and evaluation of physical protection systems.

It was a lesson covering both broad and detailed topics, ranging from designing defensible spaces, where different elements and aspects can be used to achieve natural social control and crime prevention, to a full description of the technology and sensors available to protect different facilities. Security standards and some notes for understanding social behaviour (the Bronx case study) were covered too.

On Cryptography, we walked through its history and development in order to understand cryptographic models and current cryptographic systems, free/open software tooling, integration and usual use cases. At the end, everybody had their crypto setup in place, ready to take part in keysigning parties and upcoming community events.

Ah! I almost forgot. This year, students will work out the right design to build a safe and secure physical protection system for an embassy.

sm7xx driver patches go upstream in Linux

Posted by javier on May 07, 2011

Happy to learn that my two new sm7xx driver patches, related to power management (PM) and framebuffer mode setting support, are now upstream in the Linux kernel.

The first patch adds the new PCI PM support so that the PCI core code handles the PCI-specific details of power transitions. It was tested on kernel version 2.6.38, including standby and hibernation support. I would like to thank Wu Zhangjin, who was kind enough to run this testing.

The second patch implements dynamic framebuffer mode setting support; the previous code hard-coded the mode setting. It was tested with an SM712 supporting 1024x600x16 as the default hardware resolution.

Enjoy the patches!

Xserver port on Hanlin eReader v5

Posted by javier on April 04, 2011

Several months ago I took on an interesting project around eInk technology. Basically, it had several clear goals about porting GNOME technologies in order to get a better stack than the hardware manufacturer’s. You know … better development tools, a better testbed and finally … a better user experience :)

In this project I played with a Hanlin v5 device as a test gadget. If you check the product’s original specs you will see this gadget runs a Samsung ARM9 400MHz processor with 32MB SDRAM and an eInk Vizplex main display (5″ diagonal, 800×600 and 8-level grayscale), so … why not build a proof of concept to check the possibilities! ;)

The next step was getting Xserver running on top of this device in order to check boot time, latencies, integration time and so on.

Bearing in mind that OpenInkPot is a free and open-source Linux distribution for eBook readers and that this device is not supported, I decided to port KDrive. To achieve this, I developed custom keyboard and display drivers from scratch to adapt KDrive on top of the existing software. This way, I ended up with a static Xserver running fine.

(Video: Xeyes on Hanlin v5, from Igalia on Vimeo)

You can download the 40-second video above, recorded in real time (thanks Adrian for editing!), if you would like to look at the different boot times and see how Xeyes starts on top of Xserver in the blink of an eye ;)

Madrid/Root3d CON’2011

Posted by javier on March 12, 2011

Root3d CON is over. March 3rd, 4th and 5th were hot days in Madrid, where the CON took place on Castellana Street … funny watching a lot of grey hats walking along the street where the major banks and financial companies are located :)

In this second edition, live hacking sessions became a usual practice, with many members of the community showing their black- and white-hat skills in short time slots.

Aside from the commercial slots where some well-known companies showed their products, services and so on, some specific talks attracted my attention:

By the way, I have to say coordination and organization were great. Good work guys!

Security Networking at MSWL 2011

Posted by javier on February 14, 2011

This weekend I taught the second part of Security Networking at the Master on Free Software. After studying networking foundations, enjoying some practical labs and going through the Linux networking stack in depth, we finished with practical attacks and defences as usual.

By the way, I also ran into MSWL students and several students from previous editions in Brussels, attending FOSDEM. Drinking some beers and chatting about free and open technology was nice. This shot caught some students sharing their keys at FOSDEM’s keysigning event :)

(Photo: keysigning party)

Brussels FOSDEM 2011

Posted by javier on February 14, 2011

FOSDEM, the Free and Open Source Developers’ European Meeting, is the biggest free and non-commercial event organised by and for the community, and it has taken place in Brussels for the last 11 years.

Maybe you wonder about the numbers for this event … I can only say they are really impressive: think of 5000 visitors enjoying two days of keynotes, speeches and lightning talks covering many FOSS projects. It is a demanding but really gratifying event!

This year I came back to Brussels to track some old projects and have a look at emerging and innovative ideas. FOSDEM is always a good place to take the community’s pulse, and this year was no exception.

Having the opportunity to attend, I dropped by several rooms covering different topics, and I must mention one constant: I always get the same feeling about the BSD community, a simple, powerful and “business independent” community. It is always a pleasure to attend the rooms where BSD topics are discussed and advanced.

Another main topic at FOSDEM was database replication in production environments and how it has gone mainstream in different projects. Oracle’s new strategy and how it affected the old Sun assets was also in the air :)

The NoSQL movement also had a very important presence, with several reference implementations deployed at well-known software giants such as Google or Amazon. It is becoming a key piece of distributed and scalable systems.

Java’s future was a hot topic too, inside and outside the official rooms.

Finally, I enjoyed several interesting talks about the Linux kernel. Jonathan Corbet delighted us with a really honest talk about the current challenges and how the community should face them to avoid repeating unwanted events from the Linux kernel’s past.

As usual, I suppose videos and material will be available soon at fosdem.org.

While checking my previous assumption I came across this video called “fosdem 2k11 – A film about FOSDEM, the Free and Open Source Developers’ European Meeting”.

Cisco volunteers’ work was great too. Network and uplink worked like a charm.

Cross-compiling on ARM

Posted by javier on January 26, 2011

They are here :) … we will start our distributed cross-compiling experiments based on ARM soon!

(Photo: plug computing)

Stuxnet, a tailored suit …

Posted by javier on September 27, 2010

Lately I have read some notes on Stuxnet and, although I have a genuine passion for viral technology and self-replicating code, I must admit this worm doesn’t look like innovative code at all.

I think all of us knew that SCADA systems are not secure systems. In this context, Stuxnet looks like the proof of concept that introduces this topic publicly and fuels the information security industry again.

Looking at some technical reports by third parties, anybody can check that this piece of code is a common Windows computer worm exploiting well-known attack vectors.

So why such a huge fuss around it? I guess the point here is not technical. As I said, it looks like a very common and unremarkable worm, although some sources reported that experts studying Stuxnet considered that the complexity of this code indicates only a nation state would have the capabilities to produce it. Huh!! Well, you know how the media is ;)

In my opinion, and from a business perspective, Stuxnet may become a turning point for customers and enterprises in their relationship with antivirus companies.

In the traditional model, we have victims (e.g. the antivirus company’s customers) and defenders (e.g. the antivirus industry), where the attackers (e.g. malware writers) are the bad guys.

With this kind of model the antivirus industry, for example, offers a simple, scalable business model where everybody is a customer and the antivirus industry protects them from attackers and malware with limited responsibilities. This model is accepted because everybody is under “non-critical” attacks.

With Stuxnet-style attacks this model changes radically. Targeted attacks change the economic foundations of this kind of business: there is no need to ship specific signatures to everybody, for example; certain specific hardware may not be available, adding extra costs to the analysis; etc.

Think about the relevant points in this worm: payload and its victims.

The payload is designed to spy on and reprogram industrial systems. Traditionally, these systems are in charge of nuclear plants, hospitals and so on. Although they sound like really specialised operations, they are performed by applications running on COTS software and commodity hardware.

You realise it is easy to break into critical services/products using well-known and tested attack vectors, while the impact becomes huge (if the attack succeeds, of course).

As you may be thinking, it has a huge business impact on Siemens and on its reputation for developing this kind of system.

In the future, maybe Siemens (and similar companies) should consider driving/developing their own security strategy instead of just buying it in when doing business in critical sectors.

Update 2010/10/02 – some references

  • The New York Times: Is Stuxnet the ‘Best’ Malware Ever?
  • The New York Times: A Silent Attack, but Not a Subtle One
  • CNN Tech: Stuxnet: Malware more complex, targeted and dangerous than ever
  • ESET white paper: Stuxnet Under the Microscope
  • Siemens support about Stuxnet