Saturday, October 14, 2017

Kaspersky, Evil or Not

Kaspersky, Russian Agent or just Russian?

With all the mess that seems to be raging about the validity of Kaspersky AV products, I thought I would pen (yet) another opinion piece.  

Latest news around the tube is that Israeli hackers had broken into Kaspersky's infrastructure and found evidence of Russian government actors inside looking for information that could be used for geopolitical interests.

First, a couple of things...  AV software, being generally seen as a necessary evil, is installed on practically ALL systems (well, if not, it probably should be).  Why is this?  Simple: malware, with all sorts of purposes, is everywhere, and that makes it a significant threat.  Most (if not all) cyber attacks either start with, end with, or are comprised entirely of malware.  AV is so universal because of that threat.

If you are a home user, that is pretty much where the threat model ends.  So what do you do?  You go and install the best protections you can afford and effectively work with.  Kaspersky has shown in many tests to be highly capable in this regard.  It has been shown to have very high coverage, extremely low false positives, low system impact, and fast new signature releases (http://chart.av-comparatives.org/chart1.php).

I personally suggest Kaspersky for this standard use-case.  Why?  Simple, it works.  Is it for everyone?  Of course not.  Why?  Well just read on!  :)

Now how about for other use cases?  If you are a business?  Well again, depends on the threat model you are protecting against.  Standard business with a very small amount of intellectual property?  Probably similar to a home user.  If you have LOTS of very sensitive intellectual property, then different decisions may need to be made.  Does this mean no Kaspersky?  Well if you are a Russian company, I would hazard a guess you are probably not as worried.  If you are a US company, maybe.

This brings us to another point...  Russian government actors inside of Kaspersky.  Does anyone else remember when the US government was intercepting Cisco shipments to other countries to install backdoors?  (https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/)  If anyone tries to pretend that other countries do not do similar things given the opportunity, there are lots more examples to be shown.  AV companies are all of high interest to hackers.  AV is everywhere, and has access to everything.  As an occasional pentester, AV is my FAVORITE target.  Nothing like turning a protection around on itself.

So this brings us back to, "what do I do?"  Well, my main suggestion is to consider what you have of value that would be enticing to steal.  If you have lots, then perhaps use a reputable AV company with offices and infrastructure in your own country.  US?  Try using a US company.  Russia?  Try using a Russian company.

Lastly, the whole point of this is simple.  AV software is a required protection mechanism.  However it is also a threat vector.  Always consider everything when looking at your risks.

Don't give into FUD, for FUD is a path to the dark side!

D

Tuesday, May 16, 2017

WannaCry Reflections

WannaCry Technical

Sorry, you're not going to find loads of technical information in this post.

Ok, So Non-Technical

Alrighty then.  As the above indicated, this article is not going to be going into the technical guts of the (now) infamous worm that wreaked havoc and cancelled so many weekend plans.  There have been lots of articles (and a lot of FUD) written about it already.  Much of it by people who do not get paid directly to work with malware.  A quick Google search will show you more than you can ever handle.

People Involved

I wanted to focus some attention on the people involved in dealing with this nasty little worm.  And no, I am not offering biographies on individuals.  Rather, I wanted to say how impressed I was with the infosec community as a whole.  People from all walks of life, different countries, timezones etc. came together to work on the problem.

Even before the worm started spreading, there were individuals who raised the alarm over fears about the vulnerability that the worm would go on to exploit.  People on Twitter stated that this one would be bad, "our next MS08-067".  I doubt that many of them could have even guessed how much damage would be wrought.

It shouldn't be too surprising.  A vulnerability within a pervasive protocol, which would allow for remote code execution and give an attacker full SYSTEM level control, would be too tempting a target for anyone with malicious intent.  

Added to the mystique was the fact that this flaw was found (and likely utilized) by none other than the NSA, only to be stolen and later released by the ShadowBrokers.

What a perfect storm.  Who'd a thunk it?!?!  Well as we all know, it didn't take long before someone weaponized it, and added a self-replicating ability.  

Throughout the community, people came together to raise the alarm.  Then to analyze the malware and give technical information as to its capabilities.  Then to even work to help neuter the malware with its famous 'kill switch'.  Attribution has been attempted, however I think that effort will go on for a long time to come.

In the meantime, defenders are still working hard to stop the infection, apply patches and help reduce the impact of this worm.

Impact

The impact of the worm will definitely be hard to measure.  We have heard lots of people state that they believe it is the most destructive event in infosec.  I tend to agree.  While I do not have numbers, the ability of the worm to target sensitive files and spread has to give it an edge.  Other worms were definitely more 'disruptive', however many of them still failed to give the lasting impact of having all of your valuable data rendered unrecoverable.

The Future

As I have stated before, let no disaster go unused.  There will be good to come out of this.  

First, the importance of patching and keeping OS's updated will likely not be forgotten easily.  Even in hard-to-patch devices like embedded systems (MRI machines anyone?).  At the very least it gives us a data point to show people what the quantifiable cost of the risk is.

Secondly, our "blue teams'" importance will be cemented within the mindset of C-level executives.  Yes, we may be a 'cost center', however we will firmly be labeled as an important factor in risk reduction.  Again, being able to show, in quantifiable numbers, your value to an organization is KEY to C-levels' understanding.

Thirdly, the importance of working together, worldwide, has been shown.  We are much stronger standing together and working collaboratively than we are apart.  We can come together and truly have a positive impact on worldwide information security.  My hope is that this realization will empower organizations to open up more, to share information more freely.  To give their employees time (and more importantly money) to go and do those things that do not always benefit the company directly, by helping out the world community.  We are so connected and inter-dependent on each other that the more we collaborate, the stronger we all become.

A Final

I wanted to express my thanks to several people, but wanted to call one out in particular: the individual who (at least at first) accidentally registered the first worm's kill site.  He showed what we should strive for.  He helped out tremendously, and not just for the kill site, but for his technical analysis of the worm, and even more so for his work coordinating between several global organizations to help protect and help people who were infected.  Added to that was the fact that after being given $10K for his excellent work by @Hacker0x01, he stated it would be split between charities and education stuff for others.  A true class act!  A beer on me anytime we meet, dude!

Monday, May 8, 2017

World Class or Local Class

Again, apologies for another opinion piece.  Again this one has bugged me for a long time.

Another Ramble

I have been in the infosec field a fairly long time.  In addition, I have put myself out there through postings, email, social media, etc.  So I think it is safe to say I have a fairly large target on me in terms of recruiters and people looking for 'skilled' talent.

One of the trends I have noticed for the past 4 or 5 years has been recruiters calling me up, stating they are looking for 'world class' talent.  Senior skills and people which are hard to find.  Of course they are hard to find.  There are not as many rockstars in any field as there are simple rocks.  Yet, companies continue to insist they want this talent LOCAL to them.

This makes no sense to me.  If you are looking for diamonds, you do not strip mine a whole area determined to find them....  You go where THEY are!  You spend the time and effort to go to where they exist, and work your magic.

Skilled talent, especially at senior levels, is not easy to find, and sometimes impossible to find in your area.  Yet when you find someone, you tell them they have to move.  This is wrong on so many levels.  If you want 'world class' talent, they need to be able to work from anywhere in the 'world'.  Please do not bother me with claims stating how cool your company is, or how you only hire the best, when you refuse to allow them to work from wherever they are.  This is key.

If you do not have a remote work ability, don't waste my time.  Professionals are professionals no matter where they are.  They work hard and have no need for someone to keep looking over their shoulder to ensure they are doing what they are paid for.  Professionals are passionate.  They will be no matter where they are in relation to their boss, director, peers, customers etc.

Final Point

If you are not allowing your professionals to work from anywhere in the world, you are NOT looking for world class talent.  Please stop bothering me and others with your HR shit speaking!  I am good at what I do, VERY good.  If you want me, take me.  If not, GTFO, I'm busy....

Saturday, May 6, 2017

Of Snakeoil and Infosec

To start, apologies for posting another opinion piece.  This topic has been bugging me for a while, and along with a post by another security blogger last week, I felt it needed to be said.

To all infosec vendors, hardware, software, and services....

Please check your grand claims and marketing bullshit at the door.  There is no need for it.  If your product/service is good, we in the community will know it.  We will talk about it.  We will BUY it...  However, if you use terms like 'unhackable', 'unbreakable', '100% secure'....  We will ALSO talk about it, but not in your favor.  Nor will we 'buy' it.  Shit claims like this are why you (and especially your marketing division) are the laughing stock of the rest of the world.

First

NOTHING is unbreakable (Sorry Oracle, you of all companies should know this is BULLSHIT).  If you claim that your product is 100% secure, EXPECT me to test it.  I will, and I will find its flaws.  And of even greater threat, I WILL publish findings.  

The recent article by Scott Helme about nomx (https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/) was the catalyst for me to write this.  Too many times vendors make grand claims to sell blinkenlights.  Products or services to 'solve' the security problem.  If you make the claim, have the balls to back it up, or shut up.  You are directly responsible for your customers' current security issues.  They trust you, believe you, buy into you.  And what do you do?  You sell them snake oil.  Magical cures which in the end do more harm than good.

Second

So that brings me to a second point.  If a researcher, or anyone, goes through the work to point out the flaws in your 'widget', man up and respond with respect.  These guys often have more knowledge and have done more work to secure your products than your whole security team.  Responding with threats of litigation, defamation against their skills or character, will not only NOT win you friends, but will actively turn the community against you.  The best defense is not always a good offensive.  It just proves you are an offensive company that should be avoided.

Scott's article is not the only example of such actions being taken.  Infosec history is LITTERED with examples.  (https://www.wired.com/2013/04/ciphercloud-stackexchange/ was a personal favorite).  Even I myself have been accused of false claims against a company when I exposed a company's claims of 'best of breed' encryption to be rubbish.

Thoughts of a Conclusion

This got me thinking.  Why would a company fight so hard against the community that has conclusively shown their product or service is flawed?  And it hit me....

If you are an honest infosec vendor, you know it's best to work with the community, not against it.  There are thousands of people who would be willing to put forth hard work to help improve security, no matter where it is.  You know it will be worth the effort because the effort is worthwhile.

If you are a snakeoil salesman, a researcher pointing out flaws is threatening you with extinction.  So I can see why you would fight so hard.  Just know, there are no perfect secrets, all truth comes out, and everyone will get what they truly deserve in the end.  Stop before you start, you are not smarter than the rest of the world, we WILL figure you out!

Monday, April 24, 2017

More Malicious Docs, Oh My!

Introduction

Ok, I know: malicious documents, specifically .DOC, again.  So how is this one different?  Well, we will get to that in a bit.  I wrote this posting as more of an introduction to Visual Basic script deobfuscation and hope others might find it useful/interesting.

Initial Detections

It all started with many users reporting suspicious emails.  These emails were a little different from the usual "Open this email and enable macros to view the content".  

First, these emails contained a .DOCX rather than the older .DOC or a .DOCM.  Ok, that is odd. 

Secondly, they were encrypted.  The email they were attached to gave instructions on how to open the attachment with the password.



Initial Analysis

So the first thing to do is to see what VirusTotal and Hybrid-Analysis have on this encrypted document.  Let's see....

Not starting so good....

Maybe Hybrid has more....

Ok.  So nothing much from any of the usual online sources....  To double-check, let's try some of our command-line tools.


So, it is a valid OLE document, however it has no macros to speak of.  One issue I noticed is that OLEID states that the file is not encrypted and not a Word document.  I will follow up on this in the near future.

Decrypting DOCX

So let's see about getting something useful outta this...  It was quite easy.  I could have used MS Word, however to be a bit safer, let's use LibreOffice....

First, we are presented with this


Ok, once the (correct) password is entered, we finally see the true document....


Interesting.  Seems the document has 3 embedded objects.  We will work on those in a bit.  First, let's see what our tools say about the document NOW!



Ok, now that looks A LOT more malicious.  So far so good, I would say.  What more can we tell though?  Those embedded OLE objects look very suspicious.  Let's check them out...


OLEVBA states there is no macro.  Ok, so not using macros...  Let's see what the other tools we have will tell us....


Ok, OLEDUMP tells us a bit more.  Three objects embedded, and they all seem to have the same sizes.  Let's extract them and run a cryptographic hash to see if they are indeed the same....


So they ARE all the same.  Cool.  Let's look at what we got.

So, looks like standard Visual Basic Script, although obfuscated.  Ok, so now here is where the fun begins....

Visual Basic Deobfuscation

First thing I decided to do was load the script up in Notepad++ and turn on syntax highlighting.

I find syntax highlighting helps a lot.  So the first thing I like to do is to start cleaning up the silly cAmElCaSe I see in the document (a simple find/replace works nicely), and put some extra whitespace between all of the functions and subroutines...


Ok, that is a bit better.  First thing I notice is the use of mathematical functions.  Most likely they are used to represent simple numbers.  Let's go and take care of all of those....


The KyVrqqM function being called here looks A LOT like some sort of decryption routine.  Will look at this in a bit.

Another thing I noticed while doing the original deobfuscation is that there appear to be a bunch of junk instructions.


This pattern repeats (with different variables and data) over and over and over again.  When examining the variables, they are only used within these three lines.  Which means they are essentially a "Do Nothing" collection of instructions.  Let's delete them and see what that does to the size of our script...

WOW, doing just that, the file has gone from 464 lines, to just 170.    This also revealed some other 'complication' techniques, like using a function to call a single function.  We can simplify that further...


Let's see where OgkD is called, and convert it into a simple Mid itself (there are a few different functions that do this, including one for Asc, and Chr).  Let's do them all and see what happens...

Down to 158 lines.  So fewer gains, but still, let's continue!  Next I look for variables that are set but never used (a simple find or count should indicate it is safe to delete).  Then I look for variables that are set to a static piece of data and then used elsewhere (non-mutable).  Those can be substituted with no effect.


Down to 101 lines.  That is a lot of junk.  Probably more there that could be removed, but so far, looks like a job well done.  Code is much more readable and it is becoming clearer this script is meant to download something, write it to a file and do something with it.
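Two of the cleanup passes above, scripted: folding the arithmetic that hides simple numbers (and Chr() of a constant), and deleting the "Do Nothing" variable blocks whose values never reach anything with a side effect. This is an added example, not code from the post; the VBScript sample is constructed with made-up names, and the list of side-effect-free built-ins (PURE) is an assumption you can extend.

```python
import re

# Constructed sample in the style of the obfuscated dropper discussed above
# (hypothetical variable names; not the real script).
SAMPLE = """\
Dim aBcD
aBcD = "rubbish"
aBcD = aBcD & Len(aBcD)
Dim qWeR
qWeR = (4 * 16) - 1
Dim cmd
cmd = "cmd /c echo " & Chr((60 + 12) - 7) & Chr(qWeR)
Set objShell = CreateObject("WScript.Shell")
objShell.Run cmd
"""

OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}
GROUP = re.compile(r"(?<![\w)])\(\s*(\d+)\s*([-+*])\s*(\d+)\s*\)")  # (n op m), not a call
CALL = re.compile(r"([A-Za-z_]\w*)\(\s*(\d+)\s*([-+*])\s*(\d+)\s*\)")  # f(n op m)
RHS = re.compile(r"^(\s*(?:Set\s+)?[A-Za-z_]\w*\s*=\s*)(\d+)\s*([-+*])\s*(\d+)\s*$", re.I)
PAREN_NUM = re.compile(r"(?<![\w)])\(\s*(\d+)\s*\)")  # redundant parentheses
CHR = re.compile(r"\bChr\((\d+)\)", re.I)
STRING = re.compile(r'"(?:[^"]|"")*"')
IDENT = re.compile(r"[A-Za-z_]\w*")
TARGET = re.compile(r"^\s*(?:Dim\s+([A-Za-z_]\w*)\s*$|(?:Set\s+)?([A-Za-z_]\w*)\s*=)", re.I)
KEYWORDS = {"dim", "set"}
# Assumed side-effect-free built-ins: a line touching only these and junk
# variables can be dropped without changing what the script does.
PURE = {"len", "mid", "asc", "chr", "cstr", "cint", "abs", "lcase", "ucase",
        "and", "or", "not", "true", "false"}


def fold_arithmetic(line):
    """Collapse integer arithmetic that only exists to hide a constant."""
    prev = None
    while prev != line:  # repeat until nothing more folds
        prev = line
        line = GROUP.sub(lambda m: str(OPS[m[2]](int(m[1]), int(m[3]))), line)
        line = CALL.sub(lambda m: f"{m[1]}({OPS[m[3]](int(m[2]), int(m[4]))})", line)
        line = RHS.sub(lambda m: f"{m[1]}{OPS[m[3]](int(m[2]), int(m[4]))}", line)
        line = PAREN_NUM.sub(lambda m: m[1], line)
        # Chr(n) of a printable character becomes the literal it stands for.
        line = CHR.sub(lambda m: '"%s"' % chr(int(m[1]))
                       if 32 <= int(m[1]) < 127 and int(m[1]) != 34 else m[0], line)
    return line


def _target(line):
    """Name declared (Dim x) or assigned (x = ..., Set x = ...) on this line."""
    m = TARGET.match(line)
    return (m[1] or m[2]).lower() if m else None


def _idents(line):
    """Identifiers used on the line, ignoring string literal contents."""
    return {t.lower() for t in IDENT.findall(STRING.sub('""', line))} - KEYWORDS


def remove_dead_blocks(lines):
    """Drop variables whose values never reach a line with a side effect."""
    cands = {t for t in map(_target, lines) if t}
    changed = True
    while changed:  # shrink the candidate set to a fixed point
        changed = False
        for line in lines:
            target, idents = _target(line), _idents(line)
            if target in cands and idents <= cands | PURE:
                continue  # self-contained junk line: nothing escapes it
            live = idents & cands  # candidates reaching a live line are live
            if live:
                cands -= live
                changed = True
    return [l for l in lines if _target(l) not in cands]


def deobfuscate(src):
    lines = remove_dead_blocks(src.splitlines())
    return "\n".join(fold_arithmetic(l) for l in lines) + "\n"


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

The same idea generalises to the wrapper functions mentioned above (OgkD for Mid, and the Asc/Chr ones): once a wrapper is known to be a pure one-liner, its calls can be substituted in place before the dead-block pass runs.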

One item that keeps coming up, over and over again, is this:


I am pretty sure this is some sort of decryption given the fields "encodedtext", "key", offset1, offset2.  Let's copy these to another file along with the function....


Two extra functions had to be added in.  Looks like a mathematical one, and a possible XOR routine.  Let's run it and see what it gives...


Now that is interesting.  We have a couple of http strings, along with some commands designed to run DLLs....

Downloaded Payload

Now let's try to download those files and see what they give us...

Hmmm, the first link gives us a binary file.  The 'file' command only lists it as 'data'.  Not very useful.  What about the second file?  Well, that was time wasted.  Unable to find a copy of the file at all.  So let's start on that first one.

The file shows up in VirusTotal interestingly enough.  Still not a true virus, but enough people know about it to show us something.


Something smells familiar though.  My hunch is it has been XOR'ed.  I see some XOR-like function in the Visual Basic script, but I am feeling a bit lazy.  Back to one of Didier's programs, XORSEARCH.


Ok, now that was easy.  Let's see if we can find 73 anywhere in our script.  No dice....  Oh, but wait, converting from hex to decimal gives us 115.  Let's look that up....  BINGO!


Looking at that last line, I noticed that the YS function appears to be that same one that looked like an XOR function.  Guess I was right.  XORed against the ASCII representation of Xb808, with 115 as the decimal key.


So, let's XOR this file and see what pops out on the other end.  For this I will use Didier's tools again (xorsearch -p -s xoredfile.bin).
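What XORSEARCH does for a single-byte key, reimplemented as an added example (not Didier's code, and not the real download): try all 256 keys, keep the ones that reveal PE markers, and cross-check with the "most frequent byte is the key" tell that zero padding gives away. The blob here is a constructed DOS/PE-style header XORed with the 0x73 (115 decimal) key from the script.

```python
import collections

# Constructed stand-in for the downloaded blob: a minimal DOS/PE-style
# header XORed with the key the script used (0x73 = 115). Not the real payload.
KEY_USED = 115
PLAIN = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
         + b"\x00" * 48
         + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
         + b"This program cannot be run in DOS mode.\r\r\n$\x00\x00\x00"
         + b"PE\x00\x00\x4c\x01" + b"\x00" * 32)


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; bytes.translate does it at C speed."""
    return data.translate(bytes(i ^ key for i in range(256)))


SAMPLE = xor_decode(PLAIN, KEY_USED)  # XOR is its own inverse, so this encodes

# Strings any PE carries; the DOS stub text is what makes a hit trustworthy.
MARKERS = (b"MZ", b"This program cannot be run in DOS mode", b"PE\x00\x00")


def find_xor_keys(data: bytes, markers=MARKERS) -> dict:
    """Try all 256 single-byte keys; return {key: [(marker, offset), ...]}
    for every key under which at least one marker appears."""
    hits = {}
    for key in range(256):
        dec = xor_decode(data, key)
        found = [(m, dec.find(m)) for m in markers if m in dec]
        if found:
            hits[key] = found
    return hits


def best_key(data: bytes):
    """Prefer the key revealing the most marker bytes: a 2-byte 'MZ' alone
    shows up by chance under several keys, the DOS stub text does not."""
    hits = find_xor_keys(data)
    if not hits:
        return None
    return max(hits, key=lambda k: sum(len(m) for m, _ in hits[k]))


def padding_key_guess(data: bytes) -> int:
    """Cheap cross-check: a PE has long runs of 0x00, so after a single-byte
    XOR the most frequent byte is very often the key itself."""
    return collections.Counter(data).most_common(1)[0][0]


if __name__ == "__main__":
    key = best_key(SAMPLE)
    print(f"key 0x{key:02x} ({key} decimal), padding guess 0x{padding_key_guess(SAMPLE):02x}")
    print(xor_decode(SAMPLE, key)[:2])  # b'MZ'
```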



So this finally gives us our DLL!  So let's look at what VT has to say about it....


So definitely a naughty little program.  I will end it here as my DLL reversing is not yet up to where I want to post publicly about it  :)  Hopefully later...  Hope you enjoyed!

Shout Outs

Here I want to put in a few links and shout outs to places and tools that I have used and that helped me out through my work here.
I was asked on a mailing list of mine to put in some more text.  Well, this might not be what he wanted, but I thought I would upload a little ugly sed sled (you will see why) to help with the camel case and break things apart a little.  It reads the script on stdin; the I flag on s/// is a GNU sed extension, so it needs GNU sed....

sed -e 's/function/Function/Ig' \
    -e 's/set/Set/Ig' \
    -e 's/end/End/Ig' \
    -e 's/if/If/Ig' \
    -e 's/do/Do/Ig' \
    -e 's/and/And/Ig' \
    -e 's/write/Write/Ig' \
    -e 's/read/Read/Ig' \
    -e 's/responsebody/ResponseBody/Ig' \
    -e 's/then/Then/Ig' \
    -e 's/else/Else/Ig' \
    -e 's/dim/Dim/Ig' \
    -e 's/sub/Sub/Ig' \
    -e 's/create/Create/Ig' \
    -e 's/object/Object/Ig' \
    -e 's/textfile/TextFile/Ig' \
    -e 's/environment/Environment/Ig' \
    -e 's/get/Get/Ig' \
    -e 's/asc/Asc/Ig' \
    -e 's/chr/Chr/Ig' \
    -e 's/mid/Mid/Ig' \
    -e 's/error/Error/Ig' \
    -e 's/true/True/Ig' \
    -e 's/status/Status/Ig' \
    -e 's/resume/Resume/Ig' \
    -e 's/send/Send/Ig' \
    -e 's/open/Open/Ig' \
    -e 's/next/Next/Ig' \
    -e 's/for/For/Ig' \
    -e 's/ to / To /Ig' \
    -e 's/type/Type/Ig' \
    -e 's/savetofile/SaveToFile/Ig' \
    -e 's/close/Close/Ig' \
    -e 's/loop/Loop/Ig' \
    -e 's/err.number/Err.Number/Ig' \
    -e 's/until/Until/Ig' \
    -e 's/End Function/End Function\n/g' \
    -e 's/End Sub/End Sub\n/g'

Friday, March 17, 2017

I'm Not Worthy

This post started as a realization. 

I realized that perhaps a part of my personality had sabotaged itself.  Ok, let's turn the clock back a bit and describe the scenario.



About a year ago, I was doing well, and felt pretty successful.  However, something was missing.  Or perhaps I felt I was missing out on opportunities to further myself.  It's a common issue in the IT security field.  We want more...  Either more money, more responsibility, more knowledge, or even the ability to help out more people.  I just felt I needed something.

I saw a position opening at a major company that looked like it would have fit the bill perfectly.  It was at a well-known and liked company, doing security (incident response and forensics), and with the benefit of helping tons of people all over the world.  It would mean learning some new skills (extra win for me) and would get my name out there (rock star here I come!).  So, why not apply?  Of course I did.  This is where the issues started.

First, this was a major internet services and software company, so I figured there was no way they would want me.  I was sure there would be someone better, even though I know I am good at what I do.  No worries then right?

Not so fast, they called me back.  "WOW", I thought.  Maybe they really would like me.  I did a telephone interview and had a blast.  I have always been good at talking with people, especially when it comes to areas I love so much.  But this was JUST a telephone interview...  I have had tons of those before.  No worries again right?

Then suddenly, I receive a telephone call stating they were interested in bringing me in for an in-person interview.  WTF?!?!  I mean they wanted to FLY me down to California to meet up with them.  Ok, this was indeed getting serious.  But I thought, I am cool, I can do this.

By the time my flight arrived, I had already convinced my wife that this would be a good thing.  I would continue to keep working from home, but for this awesome company.  Can I do it?  Yes I can!

The interview came, and that is when the real trouble started.  No, I did not blow it.  Quite the opposite, I did very well.  Apparently I not only had the skills and drive, but could talk with both the technical and business side of the company.  They seemed to genuinely appreciate me and loved what I had to say.  And the team I applied with, did I mention they were SMART?  Even more so.  It blew me away.

I came away fully thinking I might get the job.  Everything was good...  Or so I thought...

I started getting second thoughts.  I mean, am I truly worthy?


I started feeling that these guys were out of my league.  I started to worry that I would not be able to contribute to a decent standard.  After all, I am not in it just for the pay cheque; I am there to both learn, and to make the world a bit better.  If I am always playing catch-up, I wouldn't feel useful and that would probably end my entire career one way or another.

It became so bad, that when I was offered the job, I spent a whole weekend going back and forth.  Eventually I turned it down.  I am sure I surprised them, I know I surprised myself, and even surprised my wife (who doesn't care for me changing jobs too often).  It was one of the harder decisions of my professional career.



Ok, now fast forward a bit (well, all the way back to the present).  I started to reflect again on this event and started to realize a few things.  I had sabotaged myself.  Obviously I was qualified for the job, and they had truly wanted me on their team.  I remembered reading something by Dr. Barker from the UK about imposter syndrome (http://cyber.uk/imposter/).  I have turned out to be a victim of my own self-doubt and feelings of being an imposter.

Now, nothing can change the past, I know that, and accept it.  But reflection and learning about this event, I feel, has helped me realize some of my limitations, and facets of self that I need to change.  I know, nothing particularly ground-breaking, however as this event kept popping up in my mind, I felt a need to understand it further.  Posting this blog is part of that process.  Healing and self-understanding are very important, especially in a field as dynamic and driven as IT security.

Let me know what you think in the comments.  I am sure many of us have had such times or moments when we wavered.

Derek