Wednesday, March 29, 2006

Hardening Windows 2003 platforms made easy

Years ago, attacking Windows 95 or 98 boxes was not that easy: there were few network services to target and few complex networked applications to pick apart.
Rather than exploiting those, attackers found it easier to create their own entry points, so Trojan horses like Sub-Seven started spreading on Windows, arriving mainly by e-mail and file exchanges over chat.

Since then a lot of things have changed: the firewall "culture" reached the masses, new and improved security tools were developed, modern Windows operating systems gained a large number of network services, every application became network oriented, and people's security awareness increased.
With Trojan horses no longer as effective, attackers needed a new way to reach their targets.

Fortunately for malicious users, Windows 2000 and XP offer a large number of services ready to receive malicious input and provide unauthorized access. Not to mention the thousands of applications, from news aggregators to P2P clients and MMORPG games, to which one can send malformed network traffic in order to gain control of the remote computer.

The days of Trojan horses are not over yet, but the large majority of attacks are now based on exploiting application vulnerabilities. Why? Have developers started producing more insecure applications? No, quite the opposite.
Attackers focused on applications, plainly exposing what has always been there: crucial development errors.

Development errors are here and will most certainly always exist. They are the product of a typical human brain behavior: taking things for granted.
Developers sometimes don't check application inputs, assuming users will provide well-formed data; malformed input then crashes the application and in some cases gives access to the underlying system with full privileges.
These input validation errors are quite likely in modern networked applications: the more complex the application, the easier it is to forget something.

Even though today's vendors apply secure development frameworks to reduce errors, we'll likely have to deal with input validation errors for many years to come, possibly forever.


How hardening can help
The best way to mitigate the inherent insecurity of applications is to harden our systems, hoping that endpoint security products will soon offer more in the way of defenses.

Hardening means reducing the number of services listening on the system, the number of installed applications and the inputs applications accept. In other words, hardening means reducing the attack surface.
Typically hardening is applied to operating systems, but the same approach is valuable for back-end servers and desktop applications as well.

Today we have hardening guidelines written by well-known security experts and organizations (such as NIST), and partially automated hardening tools covering several aspects of an OS.
Microsoft released its official hardening tool with Windows Server 2003 Service Pack 1: the Security Configuration Wizard (SCW), which addresses a lot of these problems.
Other OSes have their own semi-automated hardening tools, such as JASS for Sun Solaris or Bastille for Red Hat Linux distributions.


Hardening can be a risky business
Hardening practices have existed for many years but are hard to apply.

Before stopping a service or modifying a registry key, you should have a deep knowledge of the system. Even then, a set of hardening modifications can break an installed application that only occasionally needs what you disabled.

A hardened configuration that works for a system doing one specific task may not work for another. Every platform needs its own hardening tuning, which is time-consuming and error-prone.
Even when hardening two identical systems you can always miss something. And if the platform's role or its set of installed applications changes, you'll need to review the hardening procedure and adjust it accordingly.
It's a hard security life-cycle to sustain, even on a small server farm.

On top of that, hardening a system can void vendor support for an installed product, because it changes the supported environment.


Exploring the SCW
SCW lets you approach hardening in two ways: per-role or custom.

With the per-role approach you simply tell the wizard which server roles and applications the operating system is going to run.
For example, you can declare the SQL Server 2000 role and the ISA Server 2004 role, and also declare that the system will act as a DNS client. Depending on the roles you select, the wizard proposes a hardened configuration in which unneeded services are stopped and the corresponding registry settings disabled.
This is the best starting point for a hardening novice.

With the custom approach you detail every single setting modification on your system. The resulting configuration is a hybrid-role model tailored to a specific environment.
This is the expert way to work with SCW and should be used carefully.

Services and registry keys aren't the only settings SCW can modify. You'll also be asked how to configure local policies, IPsec filters, Windows Firewall ingress filters and IIS web service extensions (if you are hardening a web server).
The number of things you can control is impressive, and reaching an optimal configuration will take a lot of time and testing.

SCW explains every setting, helping the user make the right choice, so it becomes a sort of learning tool too.

SCW also offers a rollback feature that reverts your system to its pre-hardening state. This is a must-have, since troubleshooting a misbehaving service or application after hardening can be highly complex.
When something you disabled or removed prevents a dependent service from starting, it's not always reported in the Windows event log, and when it is, the message is not always clear. Starting again from a working environment saves a lot of time and availability problems; and since the rollback data summarizes how the previous state was configured, you can also consult it just to check where the problem might lie.

One of the best parts of SCW is its configuration file. When you finish producing your hardening template it's saved as an XML file. This lets you deploy it to every machine in your server farm that has SCW installed, without repeating the template creation process, avoiding typing errors and saving a lot of time.
The whole procedure takes a single command:

scwcmd.exe configure /p:my_policy.xml

If you work in an Active Directory environment, you can convert the XML policy into a Group Policy object and deliver hardening to all servers within an Organizational Unit (OU) at once.

SCW is distributed as a free tool, but it works only on Windows Server 2003 SP1. A bad decision by Microsoft; hopefully it will change its mind for the next version.


Best practices
Even though SCW greatly simplifies the hardening procedure, many things can still go wrong.
Before hardening a system, study and check service dependencies and application needs. Custom applications are particularly important to verify.

In Active Directory environments, a hardening configuration applied to apparently similar servers can produce different results and cause service downtime (for example because similar servers weren't installed in the same unattended way).
So if you want to deploy an SCW template to a whole OU, you're better off defining a subset of hardening changes common to every OU member, and then applying server-specific hardening settings to each machine. Do a lot of testing in a lab environment with clones of production servers before deploying SCW templates.

Remember to document every choice and update the documentation when things change.
Finally, plan a periodic review of the hardening templates to adapt them to new knowledge and new needs.


Conclusion
SCW is a great step forward in securing Windows platforms. It does the larger part of the job, gives you basic documentation of what you're modifying and addresses some of the distribution problems you'll have when dealing with multiple servers.
It requires good knowledge of Windows behavior and a fair amount of testing before deploying to production. I'd still consider it a tool for experts.


This article originally appeared on (IN)SECURE Magazine #5.

Tuesday, March 28, 2006

Security job at Google

Google is looking for a Security Operations Manager at its headquarters in Mountain View:
Google is looking for a visionary and effective person to lead the team responsible for our first line of network defense. This individual must be innovative, creative and flexible; capable of working in a constantly moving environment with energy and enthusiasm. If creating technology to find attackers on anarchic networks excites you, this is the place to be!

Applicants must have experience managing medium-sized teams and a proven track record of technical excellence. We are looking specifically for leaders to revolutionize the way Google (and potentially the world) looks at information security. This job requires hands on work with both software developers and operations engineers...

Among the requirements is experience with IDS and log management systems.

Google is probably the best place to develop a really intelligent and useful Security Event Manager (SEM).


Update: There are many more security jobs available at Google: Information, Network and Systems (both Unix and Windows) Security Engineer.

Monday, March 27, 2006

The myth of the secure password is over

Once upon a time we used to work with brute-force password cracking tools like L0phtCrack (developed by @stake and discontinued by Symantec), John the Ripper (version 1.7 is just out, after 7 years of hibernation) or Cain & Abel (by the Italian Massimiliano Montoro).
At that time a secure password was a string longer than 7 characters with at least one character from each of the 4 alphanumeric groups (the 7-character threshold comes from the LanMan hash, which uppercases the password and splits it into two 7-character halves that are attacked independently).

Then the Rainbow Table method arrived and everything changed.
A rainbow table is not a plain dictionary of every password and its hash: it's a time-memory trade-off. Chains are precomputed by alternating the hash function with a "reduction" function that maps a hash back into the password space, and only each chain's start and end point are stored, so a table covering a whole character set and length fits on disk. Tables exist for the Windows LanMan and NTLM hashes, but the method applies to MD5, SHA-1 or any other unsalted hash.

The cracking tool just looks up the hash you pass it in the precomputed table (regenerating a few chains along the way), and returns the clear-text password within seconds (often less than one).
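To make the chain idea concrete, here is a toy rainbow table in Python. It is an added example, not Ophcrack's code nor anything from the original post: MD5 stands in for LanMan/NTLM (the post notes the method applies to MD5 as well), the character set is 8 letters and passwords are 3 characters long, so the whole thing runs instantly. The start points, chain length and reduction function are all constructed for the demo.

```python
import hashlib
from itertools import product

# Toy parameters: a tiny keyspace so the whole demo runs in well under a second.
CHARSET = "abcdefgh"     # 8 symbols
PW_LEN = 3               # 8**3 = 512 possible passwords
CHAIN_LEN = 8            # hashes covered per chain


def hash_pw(pw: str) -> bytes:
    """The hash under attack. MD5 stands in for LM/NTLM: what matters is that it is unsalted."""
    return hashlib.md5(pw.encode()).digest()


def reduce_hash(digest: bytes, col: int) -> str:
    """Map a hash back into the password space. The column index makes each
    reduction function different, which is what turns plain Hellman chains
    into a rainbow table and stops merging chains from wasting the table."""
    n = int.from_bytes(digest, "big") + col
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def build_table(start_points):
    """Precompute chains; store only (endpoint -> start point)."""
    table = {}
    for start in start_points:
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_hash(hash_pw(pw), col)
        table.setdefault(pw, start)   # endpoint collision: first chain wins
    return table


def lookup(table, target: bytes):
    """Recover the password for `target` if one of the stored chains covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target hash sits at column `col` and walk to the endpoint.
        pw = reduce_hash(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_hash(hash_pw(pw), c)
        start = table.get(pw)
        if start is None:
            continue
        # Candidate chain found: regenerate it from the start point and
        # verify, because an endpoint match can be a false alarm.
        pw = start
        for c in range(CHAIN_LEN):
            if hash_pw(pw) == target:
                return pw
            pw = reduce_hash(hash_pw(pw), c)
    return None


def demo_start_points(step: int = 4):
    """Every `step`-th password of the keyspace as a chain start (constructed input)."""
    all_pws = ("".join(t) for t in product(CHARSET, repeat=PW_LEN))
    return [pw for i, pw in enumerate(all_pws) if i % step == 0]


if __name__ == "__main__":
    table = build_table(demo_start_points())
    print(f"{len(table)} chains stored for a keyspace of {len(CHARSET) ** PW_LEN} passwords")
    # Coverage of a rainbow table is probabilistic: a password outside
    # every chain (or outside the charset, like "zz") comes back as None.
    for pw in ("aaa", "hgf", "zz"):
        print(pw, "->", lookup(table, hash_pw(pw)))
```

The storage saving is the point: 128 start/end pairs stand in for up to 1024 password/hash pairs, at the cost of recomputing a chain per lookup. A real table just scales the same loop up to billions of chains and thousands of columns, which is why the "7 characters, full character set" sets mentioned below run to 120GB instead of exabytes.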

To start the game you just need a dumping tool like the new PwDump6: run it on the victim machine and grab all the user hashes.
You also need the tables, but this is simple as well: rainbow tables can be generated by anyone with a standard computer, enough disk space and some patience (depending on your CPU power it can take days or weeks).

Easy? It can be even easier...
Someone has been kind enough to precompute rainbow tables for you and sell them on DVD for a small price. Within a couple of days you can be in business.

Easier? It can be even more...
The Shmoo Group is distributing a 44GB table set through torrents. You just have to free enough space and start downloading. Or, if you really want to do the dirty work and dedicate a whole hard disk to rainbow tables, you can download a huge 120GB table set (complete character set, 7 characters maximum) precomputed by Hak5.

A lot easier? It can be much more...
Someone has been so kind as to make his rainbow tables available for online queries. You just upload your hash and within seconds the crack is done.

Much easier? You won't believe how easy it can really be...
The creator of the rainbow table method, Philippe Oechslin, and of the best rainbow table cracking tool, Ophcrack, released a Linux live CD that boots on any Windows computer, mounts the existing NTFS partitions, finds the local SAM file containing the user password hashes, dumps them and provides all the clear-text passwords within minutes. All it takes is physical access to a machine that boots from CD.


It comes with a small rainbow table able to crack passwords without special characters, but it's enough to prove how it works: I booted a computer with Ophcrack LiveCD 1.0 and it took 5 seconds to find my seemingly complex password s3cur1tyz3r0 for the User account.

With a complete rainbow table embedded (something realistic as soon as HD DVD and Blu-ray drives and discs start to spread) I could crack any password out there.

Saturday, March 25, 2006

Map of the North America Internet

Not strictly related to security but interesting enough to mention.

Ben Worthen published a map of North America's ISP routers, made by him and Lumeta's chief scientist Bill Cheswick and updated on 8 March 2006:
This map depicts the shortest outgoing routes from a test computer at Lumeta headquarters in Somerset, NJ, to each of over 320,000 registered or announced nets on the Internet. Each end node can represent a handful of computers on a small network, or perhaps a large company with hundreds of thousands of hosts. Each intermediate node is a router.

This map shows only the shortest path to each destination, not every path that we discover. The full map has about 20% more links, and comes out as a colorful blob of ink.

This map is colored to show the corporate ownership of the center of the Internet.

Read the whole article at the source.


There are several other Internet mapping projects around, but I didn't find one as recent as this.

Wednesday, March 22, 2006

Simplify management of the Check Point VPN-1 object database

If you work in a large infrastructure and have adopted Check Point VPN-1, you know that populating and maintaining the object database can be an overwhelming task.

To help, Check Point has shipped since the NG version a new SmartClient, called SmartMap, integrated with SmartDashboard.


This tool automatically maps all the objects in the object database and exports them in several formats. It may seem useless to many customers and students, but it is not: SmartMap can export all objects into a Microsoft Visio drawing, and from Visio you can push the imported objects into an ODBC database or into a Microsoft enterprise management tool like Operations Manager (MOM).

SmartMap, which isn't free of charge, is great for synchronizing the database from VPN-1 to somewhere else, but what about the opposite? How do you populate Check Point VPN-1 from external sources?

Martin Hoz wrote a great tool for this, called Object Filler, which achieves the task brilliantly:

  • It can automatically create hosts, networks, address ranges and other types of objects, given a couple of IP addresses and a netmask.
    Object Filler works out for you which IP addresses correspond to valid objects (i.e. it uses only network addresses to create networks, ignoring broadcast addresses)


  • It can import object information into the SmartCenter from the configuration of Cisco routers (ACLs), as well as from Cisco PIX, Juniper NetScreen, Symantec Raptor, Secure Computing SideWinder and Gauntlet firewalls.
    In some cases it also supports converting firewall rules


  • If there is a list of objects with their properties (IP address, netmask, color, NAT properties, etc.) in some known format,
    Object Filler can import them into the SmartCenter, easing the task of populating it

Martin also developed the opposite tool, called Object Dumper, which exports objects from the VPN-1 database in CSV format.

Both tools support Check Point VPN-1 on Windows, Linux and SecurePlatform up to NGX R60 and are free of charge.

How to submit malicious software samples to Microsoft

Microsoft is informing all Most Valuable Professionals (MVPs) for security technologies about a new, streamlined process for receiving malware samples from the whole community.

Anyone in the world can submit new code found in the wild to these addresses:


Please submit samples in .zip or .rar format and, if possible, use the label "False Positive" or "False Negative" in the subject line.

All previously existing email addresses are deprecated.

Tuesday, March 21, 2006

Client-side web hacking with Greasemonkey

One of the most interesting Firefox extensions ever is Greasemonkey.

It injects, on the client side (your machine), any DHTML code of your choice to transform any website you are visiting.

It can be used for nice things like changing a site's usability (for example enlarging fonts), but it's in web hacking that it gives you the most.
For example, it has been widely used to circumvent the limitations of file-sharing sites like RapidShare.

Here is a screencast, just to see what the tool can do.

Now Mark Pilgrim is offering a whole book on it online, for free: Dive into Greasemonkey.

BS7799-3 is out: Guidelines for Information Security Risk Management

The BS 7799 security standard has one of the most convoluted histories around.

The original British Standard 7799 was a collection of recommendations for information security developed in 1995 by the UK Government's Department of Trade and Industry (DTI).
Divided into 10 sections, it was used by several companies to develop security policies and procedures, until it became ISO 17799:2000 under the name Information technology - Code of practice for information security management.

In 1999 a second part was written, BS 7799-2 (Information security management systems - Specification with guidance for use), to further detail how to create an Information Security Management System (ISMS).
This second part became an ISO standard too, ISO 27001:2005, under the name Information security management systems - Requirements.

Now BS 7799-3 has been published with the title Guidelines for Information Security Risk Management, covering just one aspect of the whole ISMS described in ISO 27001:2005.

In fact it covers:

  • Risk assessment

  • Risk treatment

  • Management decision making

  • Risk re-assessment

  • Monitoring and reviewing of risk profile

  • Information security risk in the context of corporate governance

  • Compliance with other risk based standards and regulations

One day BS 7799-3 could be ratified as an ISO standard too, acquiring the new label ISO 27005 (which is already reserved, just in case).

It costs $125 and is available for download here.

Saturday, March 18, 2006

Google vs US aka the fake battle for privacy

I resisted commenting on this story until today; it could soon become another security saga to cover, like the Microsoft WMF saga. Now I cannot resist anymore and need to write it down.

Almost everybody on the IT planet knows the US government asked all the major search engines (AOL, Google, Microsoft, Yahoo) to provide billions of indexed URLs and user search queries for further analysis.
While AOL, Microsoft and Yahoo immediately complied, Google refused and, after months, today proudly announces it (partially) won.

Let's put aside the US government's motivations (which I refuse to comment on) and the fact that the requested queries were to be handed over without originating IP addresses (putting users' privacy at risk only if sensitive information was typed as a query term).

I have 3 problems with this story, 3 big questions that need an answer:

  1. What if Google had lost? Or if it loses on appeal? I mean, apart from appealing as much as possible, maybe for years. Would they move all their datacenters outside the US?

  2. Why did Google refuse to hand over indexed URLs and user queries while AOL, Microsoft and Yahoo immediately did?

  3. And most of all: why did Google agree to provide 50,000 indexed URLs and refuse to give away billions? Where is the difference?


By the way: if the US government really wanted to conduct a study on Internet pornography there was no need to ask the search engines.
Lost Souls, which has been there for years, can immediately provide as many related queries as any data mining specialist could ever desire.

Introducing power analysis attacks

Talking about RFID (in)security, I mentioned a very interesting piece of research based on power analysis attacks.

Power analysis is a way to reverse engineer a cryptosystem without touching the algorithm.
Since a working computer consumes energy in proportion to what it is doing, it is safe to assume that any variation in power consumption can be related to a specific activity.
And, as the paper states, with sensitive enough sensors it is even possible to recover every single bit operation just by passively monitoring power usage.

Note that power analysis can be used to attack any kind of device, not only RFID tags.
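How a power trace gives away a key is easier to see with a simulation. The block below is an added example, not code from the paper or from the original post: it models one secret-keyed S-box lookup (the same structure attacked in the first round of AES), assumes the device leaks the Hamming weight of the S-box output plus noise, and recovers the key byte by correlating that prediction with the "measured" samples for every possible guess (correlation power analysis). The S-box, the key 0x3C, the noise level and the trace count are all constructed for the demo.

```python
import math
import random

# Toy cipher step: one S-box lookup keyed by a secret byte. The S-box is a
# constructed random bijection; a real attack would use the cipher's own.
_rng = random.Random(2006)
SBOX = list(range(256))
_rng.shuffle(SBOX)
SECRET_KEY = 0x3C          # the byte the attacker wants to recover


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def simulate_traces(key: int, n_traces: int, noise_sd: float = 1.0, seed: int = 1):
    """Constructed 'measurements': one power sample per encryption, modelled as
    the Hamming weight of the S-box output plus Gaussian noise. A real trace has
    thousands of samples; here we pretend we already located the right one."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n_traces):
        pt = rng.randrange(256)                     # known plaintext byte
        leak = hamming_weight(SBOX[pt ^ key]) + rng.gauss(0.0, noise_sd)
        traces.append((pt, leak))
    return traces


def pearson(xs, ys) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def recover_key_byte(traces):
    """Correlation power analysis: for every key guess, predict the leakage of
    each trace and correlate the prediction with what was measured. The right
    guess is the one whose prediction explains the measurements best; wrong
    guesses predict what is effectively noise because the S-box is nonlinear."""
    measured = [leak for _, leak in traces]
    scores = []
    for guess in range(256):
        predicted = [hamming_weight(SBOX[pt ^ guess]) for pt, _ in traces]
        scores.append(pearson(predicted, measured))
    best = max(range(256), key=lambda k: scores[k])
    return best, scores


if __name__ == "__main__":
    traces = simulate_traces(SECRET_KEY, n_traces=300)
    key, scores = recover_key_byte(traces)
    ranked = sorted(range(256), key=lambda k: -scores[k])[:3]
    print(f"recovered key byte 0x{key:02x} (truth 0x{SECRET_KEY:02x})")
    print("top guesses:", [(hex(k), round(scores[k], 2)) for k in ranked])
```

Nothing in the attack needs the algorithm's internals beyond "there is an S-box and its output sits on a bus": the attacker never sees the key, only plaintexts and a side channel. Raising the noise or cutting the trace count is the easy way to see why countermeasures aim at flattening or masking exactly this correlation.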

If you are interested in this fascinating topic, some papers are mandatory reading:

Friday, March 17, 2006

Real-world crime embracing information technology

It's not just about software piracy. It's something much broader that has been silently spreading on the Net for a few years.
Real-world crime is adopting information technology tools to gain new (and much higher) profits than traditional, real-world activities.

It started with the establishment of a black market trading 0day exploits for new attacks, and commercial software source code for industrial espionage and 0day exploit creation.

It continued with the use of denial of service attacks to disrupt the online activities of worldwide popular sites (like gambling ones).

It's now evolving into the use of worms to encrypt company documents and ask for a ransom.
(The news I'm referring to, bounced around by all the security sites, is something already covered a year ago by Bruce Schneier.)

It will go further when we live in a completely digital world, with electronic IDs, RFID tags, biometrics, etc.
I would also consider electronic drugs (to be used with neural readers or direct injection, in a not so distant future) a real possibility.

At some point, maybe no more than 50 years from now, computer crime could bring so many more benefits and profits as to completely dismantle today's activities, in a scenario we've already seen in sci-fi movies.

Thursday, March 16, 2006

RFID (in)security

After talking about how to destroy passive RFID tags and how to sniff RFID traffic, here we are again with more hacking tools/techniques for the revolution-to-come technology.

First of all I recommend reading this nice research paper describing how a software virus can infect an RFID architecture, spreading from tag to tag.
Since an RFID system is made of a reader getting input from tags and passing it to the middleware and the database, it's always possible to program a tag with malicious input (in the same way we remotely exploit web applications today) to fool the RFID middleware and modify the back-end database. New tags can then receive malicious data (as a result of tag scanning) from the compromised middleware, spreading the desired effect at a fast pace.

Despite large press coverage (including by myself) there is nothing very special in this paper: it applies traditional hacking techniques (buffer overruns, SQL injection, etc.) to the usual targets (middleware, databases), just with a new vector. But it's a good paper anyway, because it succeeds in applying hacking to everyday information technology applications, where a large number of people can understand the threats and risks.
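The "tag as injection vector" point is exactly the web-application bug moved one hop back, and a few lines of Python show it. This is an added example and not code from the paper or the original post: it builds a constructed in-memory SQLite inventory, a middleware lookup that pastes the scanned tag bytes straight into SQL, the same lookup with a bound parameter, and a constructed hostile tag payload. Only the read side is shown; the paper's self-replication step (writing the payload onto the next tag) is not reproduced here.

```python
import sqlite3

# Constructed back-end: the inventory table an RFID middleware consults
# when a tag is scanned. The tag IDs and contents are invented for the demo.
SCHEMA = """
CREATE TABLE inventory (
    tag_id   TEXT PRIMARY KEY,
    product  TEXT NOT NULL,
    location TEXT NOT NULL      -- never meant to reach the scanner
);
INSERT INTO inventory VALUES ('E2000017221101441890A3C1', 'router', 'rack 12');
INSERT INTO inventory VALUES ('E2000017221101441890A3C2', 'server', 'vault A');
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, tag_data: str):
    """Middleware as the paper attacks it: tag bytes pasted straight into SQL,
    so the reader becomes an input channel into the database."""
    query = f"SELECT product FROM inventory WHERE tag_id = '{tag_data}'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, tag_data: str):
    """Same lookup with a bound parameter: the tag data is never parsed as SQL,
    whatever the tag contains."""
    query = "SELECT product FROM inventory WHERE tag_id = ?"
    return [row[0] for row in conn.execute(query, (tag_data,))]


# Constructed hostile tag contents. Tag user memory is small, which is why
# real payloads have to be terse; this one is well under 100 bytes.
EVIL_TAG = "' UNION SELECT location FROM inventory --"


if __name__ == "__main__":
    db = open_db()
    print("honest tag, either middleware :", lookup_vulnerable(db, "E2000017221101441890A3C1"))
    print("evil tag, vulnerable middleware:", lookup_vulnerable(db, EVIL_TAG))
    print("evil tag, hardened middleware  :", lookup_hardened(db, EVIL_TAG))
```

The hostile tag makes the vulnerable middleware hand back the location column for every item, while the parameterized version simply finds no tag with that ID. The fix is the one web developers already know; what the paper adds is that "user input" now includes whatever someone wrote onto a sticker in the warehouse.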


Then I suggest exploring RFID hacking further by looking at these works:

Wednesday, March 15, 2006

Encrypting VoIP calls

Philip Zimmermann, creator of the world-famous PGP, launched Zfone, a VoIP proxy able to encrypt VoIP calls.

Apart from the obvious encryption benefits, this tool has 3 big features:

  • it acts as a proxy, encrypting incoming and outgoing VoIP calls, which grants software interoperability

  • it's SIP compliant, which grants network interoperability

  • it lets VoIP calls pass unencrypted when the other peer is not protected by Zfone (convenient, but it means a call silently falls back to clear text, so check the client's secure/not secure indicator before trusting a call)

Currently in beta, it's available for Mac OS X and Linux. A Windows version is expected for mid-April.

It's not clear whether the product will be free of charge or not, but the new protocol it uses, ZRTP, has been submitted for standardization, so expect open source clones soon. ZRTP negotiates keys with Diffie-Hellman inside the media stream and relies on a short authentication string that both parties read aloud, rather than on certificates, to detect a man-in-the-middle.


Update: Blue Box has released a podcast with Philip Zimmermann about Zfone. Listen to it here.

Fighting SPAM with reputation verification

CipherTrust released on Monday an interesting free tool: the TrustedSource Toolbar.

It's a plug-in for Microsoft Outlook and IBM Lotus Notes that checks incoming email against a database of trusted sources.
It has simple indicators giving instantaneous information, when available, on whether the sender is trustworthy or not. And you can improve the database at any time by rating received email as spam, phishing or good.

This approach is similar to the one taken by SiteAdvisor I covered last month.

While I find this an interesting method to fight malicious email, I see 2 problems:

  1. every time you receive an email CipherTrust is informed about the sender, and this is a form of tracking


  2. the tool could be used maliciously to push a non-malicious source as malicious
    CipherTrust reports that every submission is stored for later review, but I would want to assess the whole process before believing it

Tuesday, March 14, 2006

Firewalls ready-to-go with VMware virtual machines

Virtualization crosses paths with security once again (on this blog it happens often), this time about firewalling.

As you probably know, VMware released a free product for desktop virtualization called VMware Player and created a special site called Community Virtual Appliances (formerly Community Virtual Machines) where vendors from different market segments and communities can advertise their pre-installed virtual machines.

A pre-installed virtual machine, ready to be downloaded and launched on any computer where VMware Player is installed, is a huge boost for almost any company, which can reach a wider audience without the limits imposed by complex installations.

Security applications are usually very complex to install and/or configure, so finding a bunch of pre-made firewall virtual machines is a great evaluation opportunity for security professionals and customers. Treat a downloaded appliance like any other binary from the Net, though: check who published it and any checksum the vendor provides before plugging it into your network, and remember that an image is frozen at its build date and needs patching before you rely on it.

The first commercial vendor embracing this solution is Check Point, which provided a ready-to-go SecurePlatform NGX R60 virtual appliance.
But besides that you'll find several other firewalls:

Social bookmarking as a virus vector

Have you ever used modern social bookmarking tools like Digg or del.icio.us?

They work in a simple and beautiful way: a user finds an interesting article online and puts a link in his preferred social bookmarking tool; other users find the article in the what's-new queue, follow the link to read it, and if it's good they rate it highly.
A highly rated article also obtains a high rank and is placed on the service's home page, where it gains maximum exposure and a lot more visits.

Today there are more than 20 services like this and they are hugely popular. An interesting article can climb to the home page and be seen by hundreds of thousands of visitors in a matter of minutes, sometimes seconds. In fact the immediate effect is a temporary, unintended denial of service against the hosting server.

The whole process is unmoderated (and I believe this is why it works so well). Or rather: it's not moderated in real time.
In some social bookmarking tools, if a user finds a submitted link harmful or spam he can report it to the service administrators, who will possibly remove it. But with several hundred new articles posted and voted on every minute it's an overwhelming job, so, as far as I have seen, an unwanted site sometimes takes hours or more to be removed.

Now consider the opportunity offered by a new web browser vulnerability. It would usually spread through worms, but what if a malicious user chooses a very attractive title and description pointing to a malicious server exploiting the browser vulnerability?

The social bookmarking tool could become a booster for worm spreading, hitting a chosen part of the world before others simply by picking the right publishing moment (time zones play a fundamental role in article submissions).

In the same fashion, already compromised machines could post again, with random attractive titles, on several other social bookmarking services (this part is harder because CAPTCHA mechanisms are in place to prevent spamming), creating waves of infection and covering the whole Internet in a fraction of the time a worm would take to do the same.

How could a social bookmarking service protect against this?


Update: Just one day after I wrote this article, here is someone proving what I imagined, fortunately with harmless content.

Monday, March 13, 2006

Apple MacOS X hardening guide

A lot of noise has been generated by the news that an Apple Mac OS X box can be hacked within 30 minutes.

Technical details aside, as I've stated several times, one thing is always true: every time a platform or product hits the mainstream, the growing number of users brings bug hunters and inexperienced users (who are the best bug hunters ever), so the number of discovered vulnerabilities grows proportionally.

Since the adoption of the Intel x86 architecture, Apple is facing a massive spread of its operating system, and it's inevitable that security, besides design, will become a major issue for Steve Jobs.

Last summer a hardening guide for Mac OS X 10.4 was released by Corsaire, and this seems a good moment to take it off the bookshelf.

Microsoft ISA Server 2004 training for free

Microsoft has created a site dedicated to ISA Server 2004 to let you explore some of its features: ISA Server 2004 Interactive Training.

The whole training lasts about 1 hour, is pretty basic and the interactivity is simulated by Flash animations (not a real remote virtual machine), but if you've never seen ISA Server 2004 it's worth a visit.
At least until ISA Server 2006 is out.

Saturday, March 11, 2006

Rootkits powered by virtualization

I can't count the number of times I've said virtualization is the best help for security tasks. Being deeply involved in both IT fields, I can't avoid using virtualization for service isolation, disaster recovery, forensic analysis, honeypotting and more.
But I never considered that virtualization could be manipulated by malware to gain huge benefits.

On my blog about virtualization, virtualization.info, I posted the news about a fascinating Microsoft Research work demonstrating how a rootkit reaching a victim OS can install a so-called Virtual Machine Monitor (VMM) in stealth mode.

The eWeek article is a bit confusing, since it seems to say the rootkit is used to put the original operating system in a VM. Since I find this quite hard to realize, I find more likely a scenario where the rootkit uploads and launches new virtual machines running malware jobs, like hosting a phishing website or controlling a botnet assault, using the victim OS as an unwitting host OS.

Hiding virtual machine files on the hard disk is a trivial problem, already addressed by modern rootkits.
And hiding the virtual machine's network activity would be simple to achieve, binding a virtual network device to the victim's physical network card and NATting everything behind it.

But, as far as I can see, in this scenario a virtualization rootkit would have at least 2 problems hiding its traces:

  • Transferring a whole virtual machine from a remote attacker site
    Today there are fully working live OSes under 50MB, and using a microkernel OS like QNX this size could be lowered much further, but it still has to be transferred over the network without being noticed.


  • Covering the large memory consumption of a running virtual machine
    Even if the rootkit has no problem hiding running processes, 64/128/256 MB of RAM occupied by the hostile VM will not pass unnoticed, at least in the form of OS performance degradation

In any case it's a really brilliant implementation that could lead to much more powerful rootkits.
For example, just think about the current limitations of running the needed Linux attack tools on a compromised Windows machine: thanks to virtualization a small Windows rootkit could upload and secretly run a Linux virtual machine with tools otherwise not available.


Update: I was able to find the research paper and found that Microsoft Research managed the opposite of what I thought: the virtualization rootkit moves the victim operating system inside a virtual machine.

This scenario is even more complex than the one I described above: to succeed in this task the rootkit needs to compromise the computer boot sequence and, at the first reboot, load the original operating system in a virtual machine (like we do today when mapping a raw partition into a VM).

Problems in this approach are huge:

  • Finding space for the malicious host operating system
    If the rootkit puts the victim OS in a VM by mapping its raw partition, it has to carve out enough free space from that partition to install the host OS (the research suggests that the rootkit disable the victim OS swap file and use that space).


  • Hiding the new virtualized hardware
    Maybe the most complex task: when the original operating system is put in the virtual machine it has to interact with new, virtualized hardware, which is different from the physical one and will trigger a driver installation process. Even if this operation can be hidden completely, some things will not work in the usual way: consider for example a gaming desktop calling for enhanced 3D operations on its last-generation display card.
    It's not impossible to do, but today even VMware has serious trouble providing an advanced set of virtualized hardware. I find it hard to believe this can be achieved by a rootkit developer without years of research.


  • Hiding highly degraded performance
    In my reversed scenario in the first part of this post I considered that a stealth VM would degrade the victim OS performance by using part of its memory.
    In this case it's even worse: not only is the rootkit host OS consuming memory as well, but every computation and I/O operation is also slowed down by the virtualization overhead.


  • Hiding at boot time
    The rootkit has to hide itself at boot time until the host OS is loaded, the VMM is initialized and the victim OS starts to boot.

Finally I would underline that if malicious services are then run in another virtual machine (as the research paper suggests) instead of in the rootkit host OS, we'll have the performance problems described in both scenarios, with a possible exhaustion of all computer resources.


In conclusion I would say that, while very fascinating, the original research approach is less realistic and too demanding in resources and know-how for today.
I would find it much simpler to implement my first, wrong understanding of the whole thing.

Also, the original research approach is much more prone to immediate discovery, not only because of the clear performance degradation: the victim OS user can easily probe the supposedly physical hardware and find out they are in a virtual machine (today this is done with a few lines of script and it works with every virtualization platform).
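The hardware probe mentioned above, as an added example that is not part of the original post or of the research paper: it classifies a guest's hardware inventory (CPUID flags, SMBIOS strings, PCI vendor IDs) against the well-known hypervisor markers; the `/proc` and `/sys` paths are those of a Linux guest, and the inventories in the test are constructed.

```python
"""Tell whether a guest runs in a VM from its hardware inventory.
Added example, not from the original post: it checks the well-known
hypervisor markers (CPUID flag, SMBIOS strings, PCI vendor IDs)."""
import glob
import re
# SMBIOS/DMI vendor or product substrings (lower-case) -> platform
DMI_SIGNATURES = {
    "vmware": "VMware",
    "innotek": "VirtualBox",
    "virtualbox": "VirtualBox",
    "qemu": "QEMU/KVM",
    "virtual machine": "Hyper-V",   # Microsoft Corporation / Virtual Machine
    "xen": "Xen",
}
# PCI vendor IDs that only show up on virtual buses
PCI_VENDOR_SIGNATURES = {
    0x15AD: "VMware",
    0x80EE: "VirtualBox",
    0x1AF4: "QEMU/KVM",             # Red Hat virtio devices
    0x5853: "Xen",
}

def detect_virtualization(cpuinfo, dmi_strings, pci_vendor_ids):
    """Return (is_vm, evidence) for an inventory: /proc/cpuinfo text, SMBIOS
    vendor/product strings and PCI vendor IDs (ints)."""
    evidence = set()
    # CPUID leaf 1 ECX bit 31 ('hypervisor' flag on Linux) is never set on bare metal
    if re.search(r"^flags\s*:.*\bhypervisor\b", cpuinfo, re.M):
        evidence.add("cpuid:hypervisor")
    for s in dmi_strings:
        for needle, platform in DMI_SIGNATURES.items():
            if needle in s.lower():
                evidence.add("dmi:" + platform)
    for vid in pci_vendor_ids:
        if vid in PCI_VENDOR_SIGNATURES:
            evidence.add("pci:" + PCI_VENDOR_SIGNATURES[vid])
    return bool(evidence), sorted(evidence)

def inventory_linux():
    """Best-effort collection of the three inputs on a live Linux guest."""
    def read(path):
        try:
            with open(path) as f:
                return f.read().strip()
        except OSError:
            return ""
    dmi = [read("/sys/class/dmi/id/" + n) for n in ("sys_vendor", "product_name")]
    pci = [int(v, 16) for v in map(read, glob.glob("/sys/bus/pci/devices/*/vendor")) if v]
    return read("/proc/cpuinfo"), dmi, pci
```

Running `detect_virtualization(*inventory_linux())` on a guest returns the platform evidence found; an empty list on bare metal.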


Update: As many pointed out (including Beng-Hong Lim from VMware R&D), the whole thing would be even harder to achieve if a Virtual Machine Monitor is already installed in the target OS, since nested virtualization is usually prevented by the software.

Friday, March 10, 2006

Microsoft enhancing its threat modeling tool

Microsoft just released beta 2 of its Threat Analysis & Modeling Tool 2.0.

Threat modeling is an analysis process aimed at identifying the characteristics of an application and the potential threats it is exposed to.

Compared with the original tool I have to say this new version is impressive.

A wizard will help you define all application aspects, from users to services, from data to components, from business objectives to relevancies, at a very deep level of detail.


An invaluable Data Access Control Matrix will map users' and services' access to the listed data for you.

At the end of the whole process, after detailing the application use cases, you'll receive an automatically generated list of threats to confidentiality, integrity and availability.
These threats map to a large number of predefined attacks, from buffer overflow to canonicalization, from SQL injection to Man-In-The-Middle.
And every attack shows a list of factors that increase the chances of that specific attack and provides a library of operations to mitigate them.

I strongly recommend the evaluation of this tool to architects and developers out there.

And while someone tries to define a common framework for threat modeling, I would just like to have something similar for network security...

Download it for free here.

Sony wardriving Portable

No, I'm not going to mention another nice tool for Windows/Linux PDAs.

This time the preferred platform for wardriving is my Sony Playstation Portable (PSP).


Since I bought it I haven't found spare time to play, but thanks to the WiFiSniffer homebrew application I now have a good excuse.

Here is what I'm scanning at the Leonardo da Vinci airport, Rome, Italy, while waiting for boarding at Gate A01:


collecting, after just 30 seconds, 8 open wireless networks and 1 WEP encrypted one.

Today this tool cannot crack WEP keys by design, but I'm pretty sure that if the original author won't do it for ethical reasons, others will have no scruples.

By the way, a similar application has been circulating for the Nintendo DS for a few weeks.

Are next-generation consoles, featuring Wi-Fi/Bluetooth/Ethernet connections, going to become stealth killer assessment platforms?

BlackHat Europe 2006 interesting sessions

BlackHat Europe 2006 took place on 1-2 March in Amsterdam, NL, and presentations are now available for download.

Among others I found some particularly interesting:

Thursday, March 09, 2006

Symantec discontinued L0phtCrack

Symantec, or rather Symantec of Borg as I have preferred to call it for a while, has achieved another great step in its acquisition/consolidation/integration strategy: it has discontinued the glorious L0phtCrack tool, after acquiring @Stake in 2004.

It's true that today we have the Rainbow Table method to achieve faster password cracking, but I hardly believe the @Stake team has nothing new to say in this security field.

Expect several more end-of-life announcements from this company...

Skype insecurities

At BlackHat Europe 2006 Philippe Biondi and Fabrice Desclaux presented a fascinating (and very complex) reverse engineering analysis of Skype.

To block the UDP traffic Skype generates, they provided an iptables command that can be modified to produce an IDS signature:

iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP

The rule matches IP packets of exactly 39 bytes carrying UDP, then uses the u32 match to test the 4 bytes at offset 27 masked with 0x8f and the 4-byte constant at offset 31.
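The same three matches re-implemented as a packet classifier, as an added example that is not part of the talk or of the original post: it reproduces the iptables length and u32 semantics over raw IPv4 packets so the rule can double as an IDS check; the packets, addresses and ports are constructed.

```python
"""Re-implement the three matches of the Skype UDP blocking rule in Python.
Added example, not from the talk or the original post: it applies the same
tests as the iptables rule above to raw IPv4 packets so the rule can double
as an IDS check.  The sample packets are constructed."""
import struct

IPPROTO_UDP = 17
SKYPE_CONST = 0x527C4833        # the constant from the --u32 '31=...' match

def u32_at(pkt, offset):
    """Load 4 bytes big-endian at `offset`, like the iptables u32 match;
    None when the window runs past the end of the packet (no match)."""
    if offset + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, offset)[0]

def is_skype_udp_probe(pkt):
    """True when an IPv4 packet satisfies
    -p udp -m length --length 39 --u32 '27&0x8f=7' --u32 '31=0x527c4833'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_UDP:
        return False
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if total_len != 39 or len(pkt) != total_len:     # -m length --length 39
        return False
    w27, w31 = u32_at(pkt, 27), u32_at(pkt, 31)
    if w27 is None or w31 is None:
        return False
    # Offset 27 is the last UDP checksum byte, so the masked test really
    # looks at payload byte 2; offset 31 covers payload bytes 3..6.
    return (w27 & 0x8F) == 7 and w31 == SKYPE_CONST

def build_ipv4_udp(payload, sport=12345, dport=33033):
    """Constructed IPv4/UDP packet with a minimal header (checksums zeroed)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                     64, IPPROTO_UDP, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return ip + udp

# Constructed samples: an 11-byte payload whose bytes 2..6 carry the marker,
# and a same-length payload without it.
SKYPE_PROBE = build_ipv4_udp(b"\x12\x34\x07\x52\x7c\x48\x33\x00\x00\x00\x00")
OTHER_UDP = build_ipv4_udp(b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00")

if __name__ == "__main__":
    for name, pkt in (("skype probe", SKYPE_PROBE), ("other udp", OTHER_UDP)):
        print(name, is_skype_udp_probe(pkt))
```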

They also managed to manipulate Skype traffic to force a client to send packets to any destination.
Skype currently reports more than 50 million unique usernames, and SkypeStats reports concurrent activity peaks of 5.5 million users at the moment.
This means a new worm exploiting this design flaw could create the biggest bot network ever.

Final considerations are really important:

  • Hard to enforce a security policy with Skype

  • Jams traffic, can't be distinguished from data exfiltration

  • Incompatible with traffic monitoring and IDS

  • Impossible to protect from attacks (which would be obfuscated)

  • Total blackbox

  • Fully trusts anyone who speaks Skype


Consider this report when you work with the VoIP assessment toolbox I listed in the previous post.

VoIP security assessment toolbox

As I have written several times, VoIP is going to be one of the hottest new places where security will explode, in parallel with endpoint security and digital rights management.

Security professionals need to be ready for the massive hacking that SIP and other proprietary protocols are going to face. And as always, the best way to do so is knowing your technology's limits before others do.

To help with this hard task, an invaluable list of tools for VoIP security assessment appeared yesterday on the VoIP Security mailing list:


SIP packet Creation & Malformed & Fuzzing & Flooding & Spoofing


Manual (pretty GUI) SIP Packet Generators


Python and SIP


Sniffing


Various Scripts & Tools


SIP Listener


SIP over IPv6

Saturday, March 04, 2006

Microsoft offering free online security courses on SQL Server 2005

Microsoft Learning is now offering nine 6-hour online courses about the new SQL Server 2005. And it's pricing them free instead of $99.

Among them there are a couple about security you should check:

  • Course 2936 - Installing and Securing Microsoft SQL Server 2005
    This course will provide you with a technically deep learning experience on installing and securing Microsoft SQL Server 2005.
    The course provides detailed reference content and in-depth practical and hands-on activities for database administrators with Microsoft SQL Server 2005.


  • Course 2938 - Data Availability Features in Microsoft SQL Server 2005
    This course is ideal for architects, systems engineers, systems administrators, solution developers, or application developers installing and securing Microsoft SQL Server 2005.
    The course will cover the planning/design phase of technology adoption, and the implementation issues specific to the build, deployment, and management phases.

Once registered, the courses are available for 90 days.

Wednesday, March 01, 2006

Whitepaper: Mobile WiMAX Technical Overview and Performance Evaluation

The WiMAX Forum just published a technical whitepaper describing Mobile WiMAX protocol features and capabilities.

The table of contents is:

  • Chapter 1 - Introduction

  • Chapter 2 - Physical Layer Description

  • Chapter 3 - MAC Layer Description

  • Chapter 4 - Advanced Features of Mobile WiMAX

  • Chapter 5 - Mobile WiMAX System Performance Evaluation

  • Chapter 6 - End-to-End WiMAX Architecture

  • Chapter 7 - Other Considerations

  • Chapter 8 - Conclusion

Since WiMAX covers a whole city, with millions of wireless clients (think about home desktops and notebooks, business backup Internet lines, personal PDAs, tablet PCs, portable gaming consoles, mobile phones, Internet-powered cars and even modern home furnishings), expect an immediate, massive commitment to hacking this protocol, much wider than any Wi-Fi/Bluetooth exploitation.

This document is a fundamental starting point.