Friday, December 30, 2011

Ten Memorable InfoSec Stories of 2011

A question of trust: the hacking of Root CAs (Certificate Authorities)

Back in March, a root certificate authority named Comodo was hacked, and used by a self-proclaimed Iranian hacker to issue legitimate SSL certificates for a number of sites, including Google, Skype, Mozilla, Live.com and Yahoo. SSL certificates confirm that a secure site really is what it says it is; your browser has a list built into it of certificate authorities that it trusts, so when you visit an SSL site it checks the certificate against the issuer. If the issuer isn't on the list, you get a warning.

If a hacker creates a "fake" certificate from the real authority, then any site is, as far as your computer or phone knows, legitimate if it presents that certificate. The implications for shopping or other interaction are huge: you become vulnerable to a man-in-the-middle (MITM) attack, where someone operates a site using the "fake" certificate between you and the real site. From your end, it's a legitimate SSL site. The person running it, however, can see everything passing between you and the real site. Comodo's dodgy certificates were revoked, but whether people were protected depended on whether they accepted a browser update.

Then in July, the Dutch SSL certificate authority Diginotar (which provided the SSL certificates for thousands of sites including the Dutch government) was hacked, and a number of certificates, including one for Google, were issued. These certificates were used for a MITM attack on Iranian users of Google Mail – another indication that web security really does have human consequences.

Many experts now believe that the current SSL CA system is broken. One expert in this area, Moxie Marlinspike, proposes that all of the current problems with the CA system can be reduced to a single missing property, called "Trust Agility", and he has proposed a secure replacement for the existing SSL CA system called "Convergence".

This story is perhaps the most important thing to have happened to InfoSec in 2011 – and how it is dealt with in 2012 may be crucial.

Full story: here

Anonymous gets busy

The loose collective of hackers known as Anonymous were quite busy in 2011. The group first gained widespread attention back in 2008 with their "Project Chanology" raids on the Church of Scientology. One of their symbols, the Guy Fawkes mask (first popularized by the comic book and film "V for Vendetta"), has now become instantly recognisable, as well as becoming associated with the Occupy Wall Street movement. Their self-description, in the form of an aphorism, is: "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us."

Here are some of their more memorable activities of the year ...

* Operations in support of the Arab Spring Democracy movements in Egypt, Tunisia and Libya - Anonymous performed DDoS attacks on eight Tunisian government websites which may have led to an upsurge of internet activism among Tunisians against their government. Anonymous also attacked the websites of the incumbent governments in Egypt and Libya along with the internet censorship methods being used in these countries.

* In February came the attack on HBGary Federal - in retaliation for the CEO's (Aaron Barr) claims of having infiltrated Anonymous, members of Anonymous hacked the website of HBGary Federal, took control of the company's e-mail, dumped 68,000 e-mails from the system into the public domain, erased files, and took down their phone system.

* Next came the attack on Sony websites (Operation Sony) in response to Sony's lawsuit against George Hotz and, specifically, due to Sony's gaining access to the IP addresses of all the people who visited George Hotz's blog as part of the libel action, terming it an 'offensive against free speech and internet freedom'. Although Anonymous admitted responsibility for subsequent attacks on the Sony websites, Anonymous branch AnonOps denied that they were the cause behind a major outage of the Playstation Network and Qriocity services in April 2011. On May 4, 2011, Sony confirmed that individual pieces of personally identifiable information from each of the 77 million accounts appeared to have been stolen. The outage lasted for approximately 23 days.

* In August 2011, Operation BART was launched in response to San Francisco Bay Area Rapid Transit's shutdown of cell phone service in an attempt to stop protesters from assembling violently in response to a police shooting. Anonymous sent out a mass email/fax bomb to BART personnel and organized multiple mass physical protests at the network's Civic Center station.

* Several contingents of Anonymous have given vocal support to the Occupy Wall Street movement, with vast numbers of members attending local protests and several blogs run by members covering the movement extensively.

* In early August, Anonymous launched Operation Syria and hacked the Syrian Defense Ministry website. In September, a group tied to Anonymous appeared on Twitter, calling themselves RevoluSec (Revolution Security). They defaced Syrian websites, including the Syrian Central Bank and other pro-regime sites. Telecomix worked with Anonymous to show Syrians how to bypass the internet censorship put in place by the regime.

* Operation Mayhem: on November 18, Anonymous released a video claiming to have released the "Guy Fawkes Virus" on Facebook and that they will release it on Twitter soon. The first reason claimed for its release was to protest the violence of the police force against Occupy Wall Street protestors, the second was to protest the Stop Online Piracy Act and the third reason was to counter anyone who claims to be against Anonymous.

* Ending off the year, on December 24th, Anonymous gained access to thousands of e-mail addresses and credit card information from security firm Stratfor and made it public. Anonymous commented that they did it because the data was unencrypted - to let the public know about their vulnerability.

Full story: here 

Hacking the power plant

At Black Hat USA, SCADA security researcher Dillon Beresford gave one of the most alarming public demonstrations of the fragility of security in power control systems. Beresford, a researcher with NSS Labs, demonstrated how a backdoor in Siemens industrial control systems let him get inside, capture passwords and reprogram PLC logic such that he could shut down the systems altogether or cause them to eventually crash. He had initially postponed a presentation earlier in the year on his vulnerability finds due to concerns about possible risk to human life. Remember that the same Siemens industrial control systems were targeted successfully by the Stuxnet worm in 2010, which infected several Iranian nuclear facilities with devastating effect by making use of a custom PLC rootkit along with several zero-day vulnerabilities and fake SSL certificates from two compromised CAs.

Full story: here

Hacking insulin pumps

SCADA security expert Jerome Radcliffe, a diabetic, had become curious about the security of the devices that keep his blood sugar in check. So he started studying how continuous glucose monitors (CGM) and insulin pumps could be hacked, and discovered that at least four models of insulin pumps sold by Medtronic can be hacked wirelessly.

An attacker could remotely disable the pumps or alter the insulin dosage that's automatically delivered to the user. Radcliffe demonstrated that a hacker could illicitly turn off the pump remotely, with the device offering only a small chirp as a response, and also remotely manipulate any setting on the pump without the user's knowledge. "It's basically like having root on the device, and that's like having root on the chemistry of the human body," he said. It was a frightening but enlightening find given the life-or-death consequences. Radcliffe was also able to disrupt and jam the GSM devices.

Full story: here

'Warflying': hacking in midair

For around US$6,000, security researchers Mike Tassey and Richard Perkins built a radio-controlled model airplane with an onboard computer running Linux with 4G connectivity that could be used as a hacking "drone" to wage aerial attacks on targets that are unreachable on land. They brought their Wireless Aerial Surveillance Platform (WASP) to Las Vegas for Defcon to demonstrate the potential threat of "warflying."

Full story: here

Hacking MacBook laptop batteries

Security researcher Charlie Miller demonstrated this year that the embedded controllers on laptop batteries are hackable. Miller found that Apple's laptop battery has two hardcoded passwords that could be exploited to make changes to the smart battery system's firmware. The passwords are a way for Apple to update the firmware, but they also leave it wide open for abuse. Miller disassembled his MacBook's batteries and found that Apple uses one default password to unlock the battery and another to access the firmware. If an attacker were to obtain those passwords, then he could eavesdrop on any communication between the battery and the laptop, as well as inject malicious code.

Full story: here

The return of Google-fu

Australian security consultant Daniel Grzelak made an unexpected discovery as he searched for publicly accessible databases containing e-mail address and password pairs. The entire user database of Groupon's Indian subsidiary Sosasta.com including cleartext usernames and passwords was accidentally published to the Internet and indexed by Google.

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail". "A few hours and tweaks later, this database came up," he said. "I started scrolling, and scrolling and I couldn't get to the bottom of the file. Then I realised how big it actually was."

As a side project, he created shouldichangemypassword.com, a website that allows any Internet user to search a database of known-compromised e-mail address and password pairs to see if their password has been compromised. Grzelak was searching for more compromised accounts to add to the website's database when he stumbled across the Sosasta database.

Full story: here

Pension fund shoots itself in the foot

Australian information security professional Patrick Webster had noticed his pension fund, First State Superannuation, allowed logged in members to access online statements via a "direct object reference" bug - one which is included in OWASP's infamous top ten list of Web Application security bugs. Sure enough when Webster incremented the document ID number in the URL linking to his super statement, up popped another member's statement. The details revealed on the statement were a fraudster's dream, including full names, addresses, email addresses, membership number, age, insurance information, pension amount, fund allocations, beneficiaries and employer information.

First State’s response to being quietly tipped off by Webster with his valuable information was extremely stupid, which is why it attracted a large amount of media attention ... they got police and lawyers involved to threaten Webster with arrest and also issued him a bill for the amount it would cost to fix the bug, then demanded access to his computer equipment.

After the storm of controversy following their heavy handed approach, they backed down from their stance but are now facing an investigation by the Australian Federal Privacy Commissioner as to why the security vulnerability was out there, undiscovered, for a period of 18 months or more. The fund's contracts with Australian government departments, such as ASIO (Australia's CIA), were also looking a little bit shaky.

Full story: here 
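The direct object reference bug in the pension fund story above, shown as an added example (not code from First State Super or from the original post): a lookup that trusts the document ID from the URL, next to one that checks ownership, answers "not found" for both missing and not-owned documents, and records denials so that ID-walking shows up in the logs. All names, IDs and records here are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    doc_id: int       # sequential ID exposed in the URL, as in the story
    member_id: str    # the member who owns this statement
    body: str


# Constructed sample data: three members with sequential document IDs.
STATEMENTS = {
    1001: Statement(1001, "member-a", "Statement for member A"),
    1002: Statement(1002, "member-b", "Statement for member B"),
    1003: Statement(1003, "member-c", "Statement for member C"),
}


class NotFound(Exception):
    """Raised for missing documents and, in the hardened path, not-owned ones."""


def get_statement_vulnerable(session_member, doc_id):
    # Only checks that *someone* is logged in; the ID from the URL is trusted.
    if not session_member:
        raise PermissionError("login required")
    stmt = STATEMENTS.get(doc_id)
    if stmt is None:
        raise NotFound(doc_id)
    return stmt


def get_statement(session_member, doc_id, denied_log):
    # Hardened: the statement must belong to the member in the session.
    if not session_member:
        raise PermissionError("login required")
    stmt = STATEMENTS.get(doc_id)
    if stmt is None or stmt.member_id != session_member:
        # Same error for "missing" and "not yours", so the response does not
        # reveal which IDs exist; the denial is kept for detection.
        denied_log.append((session_member, doc_id))
        raise NotFound(doc_id)
    return stmt


def enumeration_suspects(denied_log, threshold=3):
    """Members with denied lookups for at least `threshold` distinct IDs."""
    distinct = defaultdict(set)
    for member, doc_id in denied_log:
        distinct[member].add(doc_id)
    return sorted(m for m, ids in distinct.items() if len(ids) >= threshold)


def served_ids(handler, member, ids):
    """IDs for which `handler` returned a statement to `member`."""
    served = []
    for doc_id in ids:
        try:
            handler(member, doc_id)
        except NotFound:
            continue
        served.append(doc_id)
    return served


def demo():
    """Member A requests IDs 1001..1004 through both handlers."""
    ids = range(1001, 1005)
    denied_log = []
    return {
        "vulnerable": served_ids(get_statement_vulnerable, "member-a", ids),
        "hardened": served_ids(
            lambda m, d: get_statement(m, d, denied_log), "member-a", ids
        ),
        "suspects": enumeration_suspects(denied_log),
    }


if __name__ == "__main__":
    print(demo())
```
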

Remotely starting a car via text message

There's war driving, and then there's war texting. Security researcher Don Bailey discovered how simple it is to remotely disarm a car alarm system and control other GSM and cell-connected devices: He showed off his find by remotely starting a car outside Caesars Palace in Las Vegas during the Black Hat USA and DefCon shows.

Full story: here

Mini-hacker time-travels

A 10-year-old girl who attended the inaugural DefCon Kids conference within the DefCon show this year nearly stole the show with her hack. "CyFi" said she was getting bored with her favorite mobile gaming app, so she came up with a neat trick to switch the time on her device to make it more challenging. What she didn't realize at first was that she had actually discovered a whole new class of zero-day bugs across multiple tablet and smartphone operating systems. "I wasn't making enough progress, so I was trying to find a way around that ... to turn the time forward on the device," she said. It wasn't until her mom caught wind that CyFi had found a way to game her game that things got real. Her mom, a seasoned DefCon attendee, knew this was more than just a clever child's trick: CyFi had basically found a way to restart the clock on a mobile gaming app's free trial. "She's going out of the app, and switching the time on the device, and then she goes back in her app," her mom said.

Full story: here






Sunday, October 2, 2011

12 Effective Ways To Improve Your Programming

1. Never Stop Learning and Reading
Read books, not just websites.
Read for self-improvement, not just for the latest project.
Read about improving your trade, not just about the latest technology.
Some of the books listed here would be a good start: The most influential programming books of all time

2. Work With People Smarter Than Yourself
Working with smarter and/or more experienced developers will teach you a great deal.

3. Become a Polymath (or 'Jack-of-all-Trades')
Decide to be a 'Jack-of-all-Trades', allowing you to avoid becoming 'pigeon-holed' into one specialty, which can stagnate your programming skills, as well as hurt your future employment prospects.

4. Read and Document Other People's Code
Writing code is significantly easier than reading someone else's code and figuring out what it does.

5. Get Programming Experience on a Real Project
There is nothing like getting in and coding, especially under pressure - work on a real project, with real fickle customers, with real, ever-changing requirements and with real engineering problems.

6. Teach Others About Programming
This will force you to understand something at a completely different level, since you have to explain it to someone else.

7. Learn One New Programming Language Every Year
One year gives you enough time to get past the basics - it pushes you towards understanding what's beneficial in that language, and to be able to program in a style native to that language.

8. Complete One New Pet Project Every Year
Start a "pet" project and follow it to completion and delivery; a good pet project will push your boundaries and keep you interested.

9. Learn Assembly Language
Learning a low level language like assembly gives you insight into the way computers 'think' without any high-level abstractions; the elegance at this level is surprising.

10. See Your Application From the End User's Perspective
Interact with the end-user to see, through their eyes, how they use the software; end users are typically not technical, and they often see software as a magical piece of work, while you see software as a logical set of steps.

11. Start a Physical Exercise Program
You work a whole lot better when you're in good physical shape - problems become easier and less overwhelming, wasting time is much less of a temptation, you can think clearer, and working through things step by step doesn't seem an arduous task.

12. Learn Touch Typing
Learning to touch type is a quick and effective way to give your productivity a boost as a programmer.

Cross posted from: Dodgy Coder - How To Become a Better Programmer




Sunday, September 25, 2011

Forgotten Windows 2008 Server Password

HOW TO: Gain access to a Windows Server 2008 running RAID when the local administrator password is forgotten

Hopefully this will never happen to you, but this did happen to me this week:

The original problem
In-house IT support was diagnosing an issue with all inbound connections being rejected to a Windows 2008 server machine (a dual quad-core Dell PowerEdge running 4 disk RAID PERC 6/i). It turned out the problem was that Windows Firewall was set up to use the "public" profile for its firewall rules.

Since the server should have been assigned to the "domain" profile for the firewall rules, and it seemed like the machine was not on the domain, the IT team (in their infinite wisdom) decided it would be a good idea to "bump" the server onto the domain, that is, take it off the domain and then re-add it to the domain! Remember we are talking about a production application server machine which runs the accounting software (including payroll) for the whole company.  By the way, the domain controller was administered in a country exactly half way around the world, such that any access to higher up corporate IT support would have had to wait another 12 hours or so.

The new problem
The IT team didn't bother to confirm they had the local administrator password for the server. And since they had now taken the server OFF the domain, it could no longer be accessed using the domain user and password combination that they had always used in the past. But nobody in the company knew the local administrator password for the machine! If there was a flurry of activity before this realization occurred, then all hell broke loose when it sank in that in 14 hours' time the company's payroll would need to be processed and there was NO WAY TO ACCESS THE PRODUCTION APPLICATION SERVER RUNNING THE CORPORATE ACCOUNTING SOFTWARE! MASSIVE IT FAIL ~

It was about this time that things started heating up, and calls started circulating around the globe, waking people up in the middle of the night, etc... If there's anything that motivates people to work hard, it's the possibility of not being paid their wages due to a technical issue. But the admin password, it now seemed, was just lost forever. The guy that had installed the server originally about 2 years ago had long ago left the company and was not answering his mobile phone, yadda yadda yadda. Nevertheless he probably wouldn't have known the password anyway even if he could be contacted, but he was currently the main focus of hope.

About this point I was commandeered into the team trying to solve the problem, and after a bit of searching came upon the following Q&A post on the excellent ServerFault.com ...

http://serverfault.com/questions/428/what-is-the-best-way-to-gain-access-when-the-password-is-unknown

There are two main types of free Linux-based "boot crackers" which crack Windows machines by booting a custom version of Linux with a limited user interface ...

Type 1: Rainbow Table Cracker
A boot cracker that brute forces passwords using lookup tables (rainbow tables). This type does not need to actually change the file system of the machine, but just reads the encrypted Windows SAM (Security Accounts Manager) password file from the machine and cracks it using lookup tables to gain access to the administrator password. Various comments on forums generally say that in most cases this will succeed, and will take no more than a few minutes.

Type 2: Password Reset Cracker
A boot cracker that resets the local administrator password on the machine. This type just clears the password and in doing so has to write to the file system. For this reason it is considered a little more risky. Also, if the EFS (Encrypted File System) is being used, it can result in the password not being cleared but actually being scrambled and, furthermore, irretrievable.

Using the cracker
I initially decided to try ophcrack since it was type 1, and didn't write back to the file system. This seemed initially to work like a charm, booting first time into its Linux GUI, but when we tried to mount the file system (which was 4 disk RAID) we realised that the PERC 6/i RAID controller wasn't recognised by the cracker's Linux distro. The Linux command "fdisk -l" only listed one drive - that of the DVD-ROM drive which the cracker booted with - so it didn't have access to the RAID file system.

Success!
So onto the next option; using a type 2 cracker called "NTPASSWD" - we burnt the files to a CD-ROM and booted. This one has a command line only interface, but it worked like a charm - booted first time and had access to the RAID file system. It listed all the local users on the system. So we selected which one to clear the password for (Administrator) and this was all that was needed. Hey presto, restarted the machine and no login was needed - it had worked!

If this one hadn't worked, there was one final cracker that I probably would have tried, a commercial cracker, here, that boots in a "Pre-installation" version of Windows and claims to support all major RAID controllers and hard disk hardware around. The cost was something like $199 but this would have been well worth it if the other free crackers hadn't worked.


Sunday, September 18, 2011

Top Ten Books about Hackers

Here is my list of what I believe are ten of the best books about hackers in real life. All of these include descriptions of actual events, and the personalities involved in hacking. Feel free to post your alternative suggestions in the comments section below. For a brief description of each one please check this page out here. Enjoy!

  1. Ghost in the Wires: My Adventures as the World's Most Wanted Hacker [2011]
    By Kevin Mitnick, Steve Wozniak and William L. Simon

  2. Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground [2011]
    By Kevin Poulsen

  3. The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage [1985]
    By Cliff Stoll

  4. The Fugitive Game: Online with Kevin Mitnick [1997]
    By Jonathan Littman

  5. Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet [2010]
    By Joseph Menn

  6. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers [2005]
    By Kevin Mitnick and William L. Simon

  7. The Hacker Crackdown: Law And Disorder On The Electronic Frontier [1993]
    By Bruce Sterling

  8. The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen [1997]
    By Jonathan Littman

  9. Masters of Deception: The Gang That Ruled Cyberspace [1995]
    By Michelle Slatalla

  10. Unmasked [2011]
    By Peter Bright, Nate Anderson, Jacqui Cheng, Eric Bangeman and Aurich Lawson (of ArsTechnica)


Sunday, September 4, 2011

Top Ten Most Influential Programming Books of All Time

As voted on by several thousand members of StackOverflow in this article here.

The original question was:

"If you could go back in time and tell yourself to read a specific book at the beginning of your career as a developer, which book would it be."

Since it was first posed back in 2008, this question has become the second most popular question of all time on StackOverflow.

Here are the results:
  1. Code Complete (2nd Edition)
    By Steve McConnell
    Published: July 7, 2004
    Publisher: Microsoft Press
    Amazon Link: here

    Widely considered one of the best practical guides to programming, this book has been helping developers write better software for more than a decade. The second edition was updated with leading-edge practices and hundreds of new code samples, illustrating the art and science of software construction. Capturing the body of knowledge available from research, academia, and everyday commercial practice, McConnell synthesizes the most effective techniques and must-know principles into clear, pragmatic guidance. No matter what your experience level, development environment, or project size, this book will inform and stimulate your thinking, and help you build the highest quality code.

  2. The Pragmatic Programmer: From Journeyman to Master
    By Andrew Hunt and David Thomas
    Published: October 30, 1999
    Publisher: Addison-Wesley Professional
    Amazon Link: here

    Like any other craft, computer programming has spawned a body of wisdom, most of which isn't taught at universities or in certification classes. Most programmers arrive at the so-called tricks of the trade over time, through independent experimentation. In The Pragmatic Programmer, Andrew Hunt and David Thomas codify many of the truths they've discovered during their respective careers as designers of software and writers of code. The cool thing about this book is that it's great for keeping the programming process fresh. The book helps you to continue to grow and clearly comes from people who have been there.

  3. Structure and Interpretation of Computer Programs, Second Edition
    By Harold Abelson, Gerald J Sussman and Julie Sussman
    Published: August 1, 1996
    Publisher: McGraw-Hill Science/Engineering/Math
    Amazon Link: here

    Teaches readers how to program by employing the tools of abstraction and modularity. The authors' central philosophy is that programming is the task of breaking large problems into small ones. You will learn a thing or two about functional programming, lazy evaluation, metaprogramming (well, metalinguistic abstraction), virtual machines, interpreters, and compilers. The book was originally written for the famous 6.001, the introductory programming course at MIT. It may require an intellectual effort to read, but the reward is well worth the price.

  4. The C Programming Language (2nd Edition)
    By Brian W Kernighan and Dennis M Ritchie
    Published: April 1, 1988
    Publisher: Prentice Hall
    Amazon Link: here

    Concise and easy to read, it will teach you three things: the C programming language, how to think like a programmer, and the C abstract machine model (what's going on "under the hood"). Co-written by Dennis Ritchie, the inventor of the C programming language.

  5. Introduction to Algorithms
    By Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest and Clifford Stein
    Published: July 31, 2009
    Publisher: The MIT Press
    Amazon Link: here

    Introduction to Algorithms, the 'bible' of the field, is a comprehensive textbook covering the full spectrum of modern algorithms: from the fastest algorithms and data structures to polynomial-time algorithms for seemingly intractable problems, from classical algorithms in graph theory to special algorithms for string matching, computational geometry, and number theory. The revised third edition notably adds a chapter on van Emde Boas trees, one of the most useful data structures, and on multithreaded algorithms, a topic of increasing importance.

  6. Refactoring: Improving the Design of Existing Code
    By Martin Fowler, Kent Beck, John Brant and William Opdyke
    Published: July 8, 1999
    Publisher: Addison-Wesley Professional
    Amazon Link: here

    Refactoring is about improving the design of existing code. It is the process of changing a software system in such a way that it does not alter the external behavior of the code, yet improves its internal structure. With refactoring you can even take a bad design and rework it into a good one. This book offers a thorough discussion of the principles of refactoring, including where to spot opportunities for refactoring, and how to set up the required tests. There is also a catalog of more than 40 proven refactorings with details as to when and why to use the refactoring, step by step instructions for implementing it, and an example illustrating how it works. The book is written using Java as its principal language, but the ideas are applicable to any OO language.

  7. Design Patterns: Elements of Reusable Object-Oriented Software
    By Erich Gamma, Richard Helm, Ralph Johnson and John Vlissides (Also known as "The Gang of Four")
    Published: November 10, 1994
    Publisher: Addison-Wesley Professional
    Amazon Link: here

    Design Patterns is a modern classic in the literature of object-oriented development, offering timeless and elegant solutions to common problems in software design. It describes patterns for managing object creation, composing objects into larger structures, and coordinating control flow between objects. The book provides numerous examples where using composition rather than inheritance can improve the reusability and flexibility of code. Note, though, that it's not a tutorial but a catalog that you can use to find an object-oriented design pattern that's appropriate for the needs of your particular application--a selection for virtuoso programmers who appreciate (or require) consistent, well-engineered object-oriented designs.

  8. The Mythical Man-Month: Essays on Software Engineering
    By Frederick P. Brooks
    Published: August 12, 1995
    Publisher: Addison-Wesley Professional
    Amazon Link: here

    Few books on software project management have been as influential and timeless as The Mythical Man-Month. With a blend of software engineering facts and thought-provoking opinions, Fred Brooks offers insight for anyone managing complex projects. These essays draw from his experience as project manager for the IBM System/360 computer family and then for OS/360, its massive software system. Now, 20 years after the initial publication of his book, Brooks has revisited his original ideas and added new thoughts and advice, both for readers already familiar with his work and for readers discovering it for the first time.

  9. Art of Computer Programming, Volume 1: Fundamental Algorithms (3rd Edition)
    By Donald E. Knuth
    Published: July 17, 1997
    Publisher: Addison-Wesley Professional
    Amazon Link: here

    The bible of all fundamental algorithms and the work that taught many of today's software developers most of what they know about computer programming. One of the book's greatest strengths is the wonderful collection of problems that accompany each chapter. The author has chosen problems carefully and indexed them according to difficulty. Solving a substantial number of these problems will help you gain a solid understanding of the issues surrounding the given topic. Furthermore, the exercises feature a variety of classic problems.

  10. Compilers: Principles, Techniques, and Tools (2nd Edition)
    By Alfred V. Aho, Monica S. Lam, Ravi Sethi and Jeffrey D. Ullman
    Published: September 10, 2006
    Publisher: Prentice Hall
    Amazon Link: here

    Known to professors, students, and developers worldwide as the "Dragon Book," the latest edition has been revised to reflect developments in software engineering, programming languages, and computer architecture that have occurred since 1986, when the last edition was published. The authors, recognizing that few readers will ever go on to construct a compiler, retain their focus on the broader set of problems faced in software design and software development.


    UPDATE: There were just too many great books that finished outside of the top 10 to ignore... below I've added the programming books which placed 11th through to 30th in the survey... enjoy!

  11. Head First Design Patterns
    By Elisabeth Freeman, Eric Freeman, Bert Bates and Kathy Sierra
    Published: November 1, 2004
    Publisher: O'Reilly Media
    Amazon Link: here

  12. Gödel, Escher, Bach: An Eternal Golden Braid (20th Anniversary Edition)
    By Douglas Hofstadter
    Published: February 5, 1999
    Publisher: Basic Books
    Amazon Link: here

  13. Effective C++: 55 Specific Ways to Improve Your Programs and Designs (3rd Edition)
    By Scott Meyers
    Published: May 22, 2005
    Publisher: Addison-Wesley Professional
    Amazon Link: here

  14. Clean Code: A Handbook of Agile Software Craftsmanship
    By Robert C Martin
    Published: August 11, 2008
    Publisher: Prentice Hall
    Amazon Link: here

  15. Programming Pearls (2nd edition)
    By Jon Bentley
    Published: October 7, 1999
    Publisher: Addison-Wesley Professional
    Amazon Link: here

  16. Working Effectively with Legacy Code
    By Michael Feathers
    Published: October 2, 2004
    Publisher: Prentice Hall
    Amazon Link: here

  17. CODE: The Hidden Language of Computer Hardware and Software
    By Charles Petzold
    Published: November 11, 2000
    Publisher: Microsoft Press
    Amazon Link: here

  18. Peopleware: Productive Projects and Teams (2nd Edition)
    By Tom DeMarco and Timothy Lister
    Published: February 1, 1999
    Publisher: Dorset House
    Amazon Link: here

  19. Coders at Work: Reflections on the Craft of Programming
    By Peter Seibel
    Published: September 16, 2009
    Publisher: Apress
    Amazon Link: here

  20. Effective Java (2nd Edition)
    By Joshua Bloch
    Published: May 28, 2008
    Publisher: Prentice Hall
    Amazon Link: here

  21. Patterns of Enterprise Application Architecture
    By Martin Fowler
    Published: November 15, 2002
    Publisher: Addison-Wesley Professional
    Amazon Link: here

  22. The Little Schemer (4th Edition)
    By Daniel P. Friedman, Matthias Felleisen, Duane Bibby
    Published: December 21, 1995
    Publisher: The MIT Press
    Amazon Link: here

  23. The Inmates Are Running The Asylum: Why High Tech Products Drive Us Crazy and How to Restore the Sanity
    By Alan Cooper
    Published: March 5, 2004
    Publisher: Sams - Pearson Education
    Amazon Link: here

  24. The Art of UNIX Programming
    By Eric S Raymond
    Published: October 3, 2003
    Publisher: Addison-Wesley Professional
    Amazon Link: here

  25. Practices of an Agile Developer
    By Venkat Subramaniam and Andy Hunt
    Published: July 1, 2005
    Publisher: Pragmatic Bookshelf
    Amazon Link: here

  26. The Elements of Style: 50th Anniversary Edition
    By William Strunk and E. B. White
    Published: October 25, 2008
    Publisher: Longman
    Amazon Link: here

  27. Test-Driven Development: By Example
    By Kent Beck
    Published: November 18, 2002
    Publisher: Addison-Wesley Professional
    Amazon Link: here

  28. Don't Make Me Think: A Common Sense Approach to Web Usability
    By Steve Krug
    Published: August 28, 2005
    Publisher: New Riders Press
    Amazon Link: here

  29. Domain Driven Design: Tackling Complexity in the Heart of Software
    By Eric Evans
    Published: August 30, 2003
    Publisher: Addison-Wesley Professional
    Amazon Link: here

  30. Modern C++ Design: Generic Programming and Design Patterns Applied
    By Andrei Alexandrescu
    Published: February 23, 2001
    Publisher: Addison-Wesley Professional
    Amazon Link: here



Sunday, August 28, 2011

Meet Ice IX, Son Of ZeuS

Earlier this year the online banking malware ZeuS trojan's source code was leaked. One of the predictions made by security researchers at the time was that the leaked code would be used by independent malware developers, who would explore it and develop their own hybridized versions of ZeuS, adding custom features and advancements to it.

A new trojan was briefly presented to cybercriminals in the Russian-speaking underground in late April 2011 (as v1.0.0). The developer, who named the new trojan "Ice IX", openly declared that he based it on the ZeuS v2 source code, and that in doing so he had allegedly fixed the flaws and bugs he believed stood in the way of the product's value to its cybercriminal customers.

What's in a name: the meaning of "Ice IX"
The naming of Ice IX is quite interesting; there are a number of sources from which the developer could have been inspired to name the new trojan Ice IX. I've listed these in order from "most likely" to "least likely" to have been the inspiration.

  1. Ice 9 is a fictional computer virus from the film "The Recruit" (2003). The malware, named Ice-9 in tribute to Kurt Vonnegut's ice-nine (see item no. 8 below), would erase hard drives and travel through power sources which are not protected; possibly erasing data from every computer on Earth.
  2. Ice 9 is an album by Russian rock band Smyslovye Gallyutsinatsii, two songs from which won the Russian Golden Gramophone award twice. The band is also known under a much shorter name "Glyuki", a slang term, which means basically the same as the long name: glitches in your brain. More: http://en.wikipedia.org/wiki/Smyslovye_Gallyutsinatsii
  3. ICE is a well known cyberpunk reference to "Intrusion Countermeasures Electronics" - software which works to prevent intruders/hackers/cyberpunks getting access to sensitive data. It is "visible" in cyberspace as actual walls of ice, stone, or metal. Black ICE refers to ICE that are capable of killing the intruder if deemed necessary or appropriate; some forms of black ICE may be artificially-intelligent.  More: http://en.wikipedia.org/wiki/Intrusion_Countermeasures_Electronics
  4. In cryptography, ICE (Information Concealment Engine) is a block cipher published by Kwan in 1997. The ICE algorithm is not subject to patents, and the source code is in the public domain. More: http://en.wikipedia.org/wiki/ICE_(cipher)
  5. The term ICE, referencing the cyberpunk usage, has been adopted by some real-world security software manufacturers: BlackICE, security software made by IBM Internet Security Systems. Black Ice Defender, security software made by Network ICE. Network ICE, a security software company. 
  6. On April 28, 2009, the Information and Communications Enhancement Act, or ICE Act for short, was introduced to the United States Senate by Senator Tom Carper to make changes to the handling of information security by the federal government, including the establishment of the National Office for Cyberspace. More: http://www.opencongress.org/bill/111-s921/show
  7. Ice IX is a form of solid water stable at temperatures below 140 K and pressures between 200 and 400 MPa. It has a tetragonal crystal lattice and a density of 1.16 g/cm³, 26% higher than ordinary ice. It is formed by cooling ice III from 208 K to 165 K (rapidly—to avoid forming ice II). Its structure is identical to ice III other than being proton-ordered. More: http://en.wikipedia.org/wiki/Ice_IX
  8. Ice-nine is a fictional material conceived by writer Kurt Vonnegut in his 1963 novel "Cat's Cradle". It is different from, and does not have the same properties as, the real-world ice polymorph Ice IX; existing, for example, as a stable solid at room temperature and regular atmospheric pressure. More: http://en.wikipedia.org/wiki/Ice-nine
  9. Ice 9 is a song by Joe Satriani from his album Surfing with the Alien.
  10. Ice Nine is a first-person shooter game for the Game Boy Advance console. More: http://en.wikipedia.org/wiki/Ice_Nine_(game)
  11. A substance called Ice 9 is referred to in the Nintendo DS game "999: Nine Hours, Nine Persons, Nine Doors". It seems to be a reference to Vonnegut's ice-nine substance, and not to the real thing. More: http://en.wikipedia.org/wiki/999:_Nine_Hours,_Nine_Persons,_Nine_Doors
  12. Ice Nine is the name of a new screenplay which is currently in development by New York production company Whiskey Outpost. More: http://whiskeyoutpost.com/ice.html
Wow, bet you never knew there were so many references to ICE and ICE 9 in the world, right?! So... back to the malware form of Ice IX...

Tracker Evasion
The new feature considered most valuable by Ice IX's developer is a defense mechanism designed to evade tracker sites, which he implemented in version 1.0.5 of the Ice IX trojan. The developer repeatedly stresses that his buyers will finally be able to sidestep what has apparently become quite a hurdle for cybercriminals: the ZeuS and SpyEye trackers. The two main tracker sites, "ZeuS tracker" and "SpyEye tracker", are operated by a Swiss-based organization which monitors and reports malicious C&C (Command and Control) servers to web users, service providers, CERTs and law enforcement agencies. Ice IX's developer claims that the evasion mechanism means the malware can be hosted on standard (legitimate) hosting servers, as opposed to having to use so-called "bulletproof" servers, which are expensive and typically operate specifically to service cybercrime-based customers.

A Better Injection Mechanism
The injection mechanism refers to how the malware is able to "inject" code and data into the webpage of an online banking site, while the user is actually using the site, in order to alter the function of the page. ZeuS has typically had problems when injecting into JavaScript and also had difficulty maintaining the original look and feel of a page when CSS was used. Ice IX seems to have overcome some of these issues, giving the malware a much better success rate.

Marketing the Malware
Extracts from the original text posted by Ice IX's developer in a Russian forum, translated to English:

Ice 9 is a new private Form Grabber-bot based on ZeuS, but a serious rival to it. Built on a modified ZeuS core, the core was re-worked and improved. The bypassing of firewalls and other proactive defenses was perfected. Moreover, the injection mechanism has been improved, allowing much more stability for the injections. The main purpose of this trojan was to counteract trackers, raising the conversion rate and the bots' TTL (time to live), as compared to its predecessor. These features were successfully implemented as we constantly work to further improve the code.

Main Functions

  • Keylogging
  • HTTP and HTTPS Form Grabbing, injecting its own code into IE and into IE-based browsers (Maxthon, AOL, etc.), as well as Mozilla Firefox.
  • .sol Cookie Grabbing and scraping info from saved forms
  • FTP client credentials grabbing: FlashFXP, Total Commander, WsFTP 12, FileZilla 3, FAR Manager 1, 2, WinSCP 4.2, FTP Commander, CoreFTP, SmartFTP
  • Windows Mail, Live Mail, Outlook grabbing
  • Socks with backconnect possibility
  • Real-Time screenshots, plus the option to automate taking screenshots while the bot browses to preset URLs
  • Grabs certificates from MY storage space and clears storage (certificates marked as “Non-Exportable” cannot be exported correctly). Once cleared, all new certificates will be sent to the bot master's C&C server.
  • Upload specific files from the infected machine or perform searches on local disks enabling wildcards.
  • TCP protocol traffic sniffer
  • Elaborate set of commands to control the infected PCs 

Advantages
  • Protected from trackers¹
  • Host your botnet with conventional hosting, not needing bulletproof servers, which will save you loads of money.
  • Better bot conversion rate², frequent version upgrades and tech support.
  • Developing more modules and features may be negotiated per the client’s request.
¹ By trackers, the developer means the ZeuS tracker and SpyEye tracker: Swiss-based anti-malware organizations.
² Bot conversion rate is the ratio of the number of bots which actually communicate with the C&C server divided by the total number of bots infected.

Licensing and Prices for Version 1.0.5

  • BASIC LICENSE: Trojan with hardcoded C&C server: $600. You get the Bot + the Builder that generates the configuration file.
  • COMPLETE LICENSE: Open Trojan with unlimited Builder license: $1,800 

Ice IX is offered at a lower price than what one would have paid for a comparable ZeuS kit or a SpyEye kit (SpyEye is still being sold for approximately $4,000 USD today). According to earlier posts about Ice IX, an open license to the first version, v1.0.0, was sold for $1,500.

Upcoming Enhancements
In an English-speaking online forum, the trojan's developer gives potential buyers a glimpse into what will be included in the next upgrade:

  • HTML & JavaScript injections that will work on the Firefox browser.
  • A function that will block the SpyEye trojan on Ice IX-infected PCs (this sounds exactly like the 'Kill ZeuS' feature of SpyEye).
  • As with ZeuS, Ice IX will encrypt communication with the C&C server, using a different encryption algorithm to ZeuS.

Review of Ice IX by another Cybercrime Vendor
After the posting of Ice IX, another vendor selling HTML injections offered his stamp of approval of the Ice IX trojan. The new Ice IX buyer had some opinions on the injection mechanism of Ice IX:
  • JavaScript files are easily injected, and you can’t say that about ZeuS 
  • CSS files are successfully injected; it appears that Ice IX supports the use of Cascading Style Sheets in the process of integrating injected content into the original website's look and feel. This improvement steps-up the appearance of injected content and web page replicas. 
  • The order of data_before, data_after, data_inject blocks plays no role. The trojan understands them in any block order. When referring to data_before / data_after blocks, the fraudster is speaking of the delimiters that must be specified for a web injection. For example:
    • Data_before: When a login set requires username, password and secret question, the data_before is all three sets
    • Data_inject: The additional data that the fraudster would like to inject into the page
    • Data_after: The lower limit field of the data the trojan looks for
In the ZeuS trojan's injection mechanism, these three blocks had to come in a specific order. With Ice IX, the order no longer matters; the trojan understands what it has to locate and inject. This means that the new injections are more fault-tolerant than they were in ZeuS. Other changes to the code also aim at ease of use, making Ice IX more tolerant in the sense that wildcards in URL names do not slow page loading and case-sensitive search terms can be incorporated into the data fields searched by the trojan.
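
For an analyst triaging a recovered configuration, the order change means an extractor written for ZeuS-ordered blocks will silently miss Ice IX rules. The sketch below is an added example, not code from the original post or from either trojan: it parses the three blocks in any order and reports which rules apply to a URL seen in proxy logs. The `set_url` / `data_end` framing, the `*` wildcard semantics and the sample data are assumptions or constructed, and the inject bodies are inert placeholders.

```python
import re
from dataclasses import dataclass, field

BLOCKS = ("data_before", "data_inject", "data_after")
# Constructed sample; set_url/data_end framing is assumed (public ZeuS layout).
SAMPLE = """\
set_url https://bank.example/login* GP
data_before
<label>Password</label>
data_end
data_inject
<!-- placeholder for added markup -->
data_end
data_after
</form>
data_end
set_url https://bank.example/transfer* GP
data_after
</table>
data_end
data_inject
<!-- placeholder for added markup -->
data_end
data_before
<table id="payees">
data_end
"""

@dataclass
class Rule:
    url: str
    blocks: dict = field(default_factory=dict)  # keeps the order blocks appeared in

def parse_webinjects(text):
    """Parse rules without assuming any order for the three blocks."""
    rules, name, buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if name is not None:                 # inside a block until data_end
            if line == "data_end":
                rules[-1].blocks[name] = "\n".join(buf)
                name, buf = None, []
            else:
                buf.append(raw)
        elif line.startswith("set_url ") and len(line.split()) > 1:
            rules.append(Rule(url=line.split()[1]))
        elif line in BLOCKS and rules:
            name = line
    return rules

def targeted(url, rules):
    """Return rules whose URL pattern ('*' = wildcard, assumed) matches url."""
    return [r for r in rules
            if re.fullmatch(re.escape(r.url).replace(r"\*", ".*"), url)]
```

The `data_before` and `data_after` strings of each matching rule are the page fragments to compare against a clean copy of the page when checking whether a client saw altered content.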

Conclusion
So we can expect that from now on, more new banking malware will be based on ZeuS (and SpyEye) code. New malware developers, hoping to profit from cybercrime, will attempt to create their own new alternatives based on this source with the addition of incremental improvements over the older versions.


Monday, August 22, 2011

Classifying Hacking in 4D: Impact, Illegality, Evilness and Complexity



This chart is an attempt to classify hacking events and methods with something more than the simple black, white and grey hat hacking classification. After looking through a number of different possible attributes, the ones I came up with were the following, each rated on a scale of 0 to 10.
  • IMPACT
    What sort of damage has been done to systems or to finances? A score of 0 means an improvement was made to the system due to the hack.
  • ILLEGALITY
    Where on the legal scale does the event lie, in the range of 100% legal to 100% illegal, or might it be a bit of a "grey area"?
  • EVILNESS
    Yes, a bit subjective I know, but can we generalize that the motivation of the attacker is good, evil or maybe something in between?
  • COMPLEXITY
    How complex was the attack? Is it a simple DDOS or an advanced threat like an online banking password-stealing botnet?
Please note that this is just the first draft of the chart, and I've guesstimated the above data as best as I could. This is an attempt to see how the chart feels when classifying hacking methods.

Any comments would be most appreciated.
