The Cover of Night: Projects and Research

Python Hacking in Full Gear

May 27th, 2009 by apridgen

Not moving at the rate I want to, but at least I am getting stuff done. So I have been working on a few things for the time being. Over the course of the past month I have been looking at how to read Linux Kernel Memory (eventually objects) from userland using Python. I have actually been looking at how to do this for Mac, as well. As always, when I have a basic design and concept down something comes up that distracts me. :-(

As for the design, for the time being it is pretty simple. I took some code from the LDD3 Source Examples and created a concept where I pass in a control packet via a file read or write. The control packet looks something like this:

struct PKU_PKT {
    unsigned long type;    /* operation selector */
    unsigned long addr;    /* kernel address to read from */
    unsigned long buf_sz;  /* number of bytes to copy out */
    void *data;
};

Nothing fancy, and it follows the same concept as a rootkit's control channel. From here the packet is interpreted in the read function. Below is an excerpt from my read function:

ssize_t pkutil_read(struct file *filp, char __user *buf, size_t count, loff_t *f_pos)
{
	/* The control packet is smuggled in through the count argument, so
	 * count is really a userland pointer to a struct PKU_PKT. Copy it in
	 * instead of dereferencing user memory from kernel context. */
	struct PKU_PKT pkt;
	struct PKU_PKT *pku_pkt = &pkt;
	int i = 0;

	if (copy_from_user(&pkt, (const void __user *) count, sizeof(pkt)))
		return -EFAULT;

	printk(KERN_CRIT "PKUTIL: Read a file.\n");
	printk(KERN_CRIT "PKUTIL: Reading packet: addr: %lx, count %lx.\n",
	       pku_pkt->addr, pku_pkt->buf_sz);

	/* Copy buf_sz bytes starting at the requested kernel address out to buf. */
	if (copy_to_user(buf, (const void *) pku_pkt->addr, pku_pkt->buf_sz))
		return -EFAULT;

	/* Also dump the first 256 32-bit words to the kernel log for analysis. */
	for (i = 0; i < 256; i += 1) {
		printk(KERN_CRIT "PKUTIL Row %d: %08x\n", i,
		       *(((int *) pku_pkt->addr) + i));
	}
	//copy_to_user(buf+pku_pkt->count-2, "\0",1);
	return 0; //pku_pkt->count;
}

I interpret the packet from the count value, and I am not exactly sure why I did not use the buf value. I think it may have something to do with me flipping some of the fread parameters when I first started playing with this; that problem actually took me two or so weeks to track down. I have not implemented the Python aspect of it yet, but I was planning on using ctypes to start with. If I port this concept over to Mac, I would need to look at either the base Mach or BSD APIs, simply because I do not know how the IOKit C++ stuff would work right off the bat. For the time being, this is just me twiddling bits to do some data analysis.
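Here is the userland half that the post has not written yet, as an added example of my own (not the author's code): a ctypes mirror of PKU_PKT and a read that hands the packet's address to read(2) through the count argument, which is the convention pkutil_read() expects. The device node name /dev/pkutil and the type value 1 are assumptions; the post names neither. The struct layout and the word-splitting helper can be checked without the module loaded; only read_kernel_memory() needs the device.

```python
import ctypes
import os


class PKU_PKT(ctypes.Structure):
    """Mirror of the kernel-side control packet: same field order and C types."""
    _fields_ = [
        ("type", ctypes.c_ulong),
        ("addr", ctypes.c_ulong),
        ("buf_sz", ctypes.c_ulong),
        ("data", ctypes.c_void_p),
    ]


PKU_TYPE_READ = 1           # assumed operation code; the post does not define type values
DEFAULT_DEVICE = "/dev/pkutil"   # assumed device node name


def packet_size():
    """Size of the packet as ctypes lays it out (must match the kernel module)."""
    return ctypes.sizeof(PKU_PKT)


def build_packet(addr, buf_sz, pkt_type=PKU_TYPE_READ):
    """Fill in a control packet asking for buf_sz bytes at kernel address addr."""
    pkt = PKU_PKT()
    pkt.type = pkt_type
    pkt.addr = addr
    pkt.buf_sz = buf_sz
    pkt.data = None          # unused by the read path shown in the post
    return pkt


def read_kernel_memory(addr, size, device=DEFAULT_DEVICE):
    """Issue the read: the packet's address travels in read(2)'s count argument,
    and the module copies `size` bytes from `addr` into our buffer. Python's
    os.read() would try to allocate a buffer of `count` bytes, so libc's read()
    is called directly through ctypes."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.read.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t]
    libc.read.restype = ctypes.c_ssize_t
    pkt = build_packet(addr, size)
    buf = ctypes.create_string_buffer(size)
    fd = os.open(device, os.O_RDONLY)
    try:
        rc = libc.read(fd, buf, ctypes.addressof(pkt))
        if rc < 0:
            err = ctypes.get_errno()
            raise OSError(err, os.strerror(err))
    finally:
        os.close(fd)
    return buf.raw


def rows(data, byteorder="little"):
    """Split returned bytes into 32-bit words, mirroring the 'Row %d: %08x'
    printk loop (little-endian matches x86; pass 'big' for a big-endian box)."""
    return [int.from_bytes(data[4 * i:4 * i + 4], byteorder)
            for i in range(len(data) // 4)]


if __name__ == "__main__":
    # Example use once the module is loaded: dump 256 words at an address
    # taken from /proc/kallsyms (address below is a placeholder).
    for i, word in enumerate(rows(read_kernel_memory(0xc0100000, 1024))):
        print("Row %d: %08x" % (i, word))
```

Because the kernel side reads the packet from the address passed as count, the struct must be kept alive until read() returns; holding it in a local as above is enough.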

The other projects that I have been working on include adding Python bindings to Nmap and looking at Sulley and Scapy and how to combine them effectively. For the Nmap bindings I am basically using SWIG, and I ran a few (seemingly) successful test runs on nbase and nsock, so I am now in the process of creating a SWIG interface file for Nmap and compiling Nmap as a shared object. I am working on Mac with this project, so there is a bit of a learning curve, but not much.

The combination of Sulley and Scapy is kind of interesting. I have several approaches planned, contingent on how they work out. The first and simplest approach is to create a Scapy block, and the block would simply produce the packet information as needed. However, this approach requires that I override some of the code in the session class. The class needs to be modified to use raw sockets and send data as is, not through the standard socket.send methods. I have only spent a few hours on this project, and most of the time was spent refactoring code and fixing one or two TODOs while I was under the hood. This project is kind of a slow start and may not get far, but it is interesting nonetheless.

As for the not-so-vaporware, I went through and created some code that resolves hosts over Tor. Basically, I wanted to query a domain without making it really obvious that the requests are coming from one location, so I coded up a script to resolve names over Tor (actually over its Socks5 port). I started out using host, then it dawned on me that organizations may not like the fact that I am excessively querying their nameserver, or indirectly querying it through a misconfigured nameserver, to get domain names. Of course, they may not even care.

When I first started out, I was using 'host' against random nameservers, but then I realized 'tor-resolve' would be more effective. As I began multi-threading the process, I found that Popen was a bottleneck and raised a number of exceptions because of the number of threads I was using; the OS resource limits on processes were the cause of the performance impact. The next step was to cut out the bottleneck and simply write a basic Socks5 name resolution function, which is faster than starting another process to perform the resolution. After that I went from about 700-900 resolutions per minute to about 1100-1700 resolutions per minute, with the average above 1000 resolutions per minute.

Being that it's Python, if I wanted to go any faster I could go to C. The only other optimizations I could think of would be to either add more hosts and/or use a class of pooled socket objects. The class would track which socket is being used and hand out an available socket object to connect with when a thread requests one. This class would eliminate a lot of the redundant socket construction/destruction, considering I am running about 512 sockets/connections per cycle. Anyway, here is the prototype code; it depends on the perform_dig_whois script for name resolution over host (another feature of the script).

perform_dig_whois.py
quick_rlookup.py
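As an added example of my own (not the author's quick_rlookup.py or perform_dig_whois.py), here is the shape of a direct Socks5 resolver that talks to Tor's SocksPort without spawning tor-resolve: Tor's RESOLVE (0xF0) and RESOLVE_PTR (0xF1) command extensions, a reply parser, and a thread pool in place of one Popen per lookup. The proxy address 127.0.0.1:9050 is Tor's default SocksPort and is assumed; the request builder and reply parser work on constructed bytes, so they can be checked with no Tor running.

```python
import ipaddress
import socket
import struct
from concurrent.futures import ThreadPoolExecutor

SOCKS5 = 5
CMD_RESOLVE = 0xF0       # Tor extension: forward lookup of a hostname
CMD_RESOLVE_PTR = 0xF1   # Tor extension: reverse lookup of an address
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def build_request(target):
    """SOCKS5 request for one target: a dotted quad gets RESOLVE_PTR, anything
    else is treated as a hostname and gets RESOLVE. The port field is always 0."""
    try:
        addr = ipaddress.IPv4Address(target)
        return struct.pack("!BBBB4sH", SOCKS5, CMD_RESOLVE_PTR, 0, ATYP_IPV4, addr.packed, 0)
    except ipaddress.AddressValueError:
        name = target.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1..255 bytes")
        return (struct.pack("!BBBBB", SOCKS5, CMD_RESOLVE, 0, ATYP_DOMAIN, len(name))
                + name + b"\x00\x00")


def parse_reply(data):
    """Parse a SOCKS5 reply. Returns (status, result): an IP string for a forward
    lookup, a hostname for a reverse lookup, or None when status != 0."""
    if len(data) < 4 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if status != 0:
        return status, None
    if atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated reply")
        off, n = 5, data[4]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        off, n = 4, 4 if atyp == ATYP_IPV4 else 16
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(data) < off + n + 2:            # address plus the 2-byte port field
        raise ValueError("truncated reply")
    body = data[off:off + n]
    if atyp == ATYP_DOMAIN:
        return status, body.decode("idna")
    if atyp == ATYP_IPV4:
        return status, str(ipaddress.IPv4Address(body))
    return status, str(ipaddress.IPv6Address(body))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def resolve_via_tor(target, proxy=("127.0.0.1", 9050), timeout=15.0):
    """One lookup over Tor's SocksPort: method negotiation (no auth), the
    RESOLVE/RESOLVE_PTR request, then the reply. Returns (status, result)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(struct.pack("!BBB", SOCKS5, 1, 0))     # offer only "no authentication"
        if _recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy rejected the SOCKS5 handshake")
        s.sendall(build_request(target))
        head = _recv_exact(s, 4)
        atyp = head[3]
        if atyp == ATYP_DOMAIN:
            ln = _recv_exact(s, 1)
            rest = ln + _recv_exact(s, ln[0] + 2)
        elif atyp == ATYP_IPV6:
            rest = _recv_exact(s, 18)
        else:
            rest = _recv_exact(s, 6)      # IPv4, which is also what a failure carries
        return parse_reply(head + rest)


def resolve_many(targets, workers=64, resolver=resolve_via_tor):
    """Fan the lookups out over a thread pool, one SOCKS connection per lookup."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(targets, pool.map(resolver, targets)))
```

Keep workers well below the open-file limit of the process, since every in-flight lookup holds a socket; the 512-per-cycle figure above is the kind of number to check against ulimit -n first.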

Posted in Uncategorized having no comments »



Staying Busy: Moving forward and staying low

April 30th, 2009 by apridgen

So I have been keeping busy, and not keeping up with my blog. But, I have two additions.

First, for anyone who has used kenshoto's ElfReader from vtrace: if you haven't noticed, it does not support big-endian (MSB) ELF files for architectures like PPC. So I added that, and I fixed a small bug in the process. Here is the patch/diff file for those interested:
VDB Elf Reader Patch

Last week, I was also surfing some random websites, so I decided to take it to the next level. I spent all day hammering away on a script that goes from web URL to network scanning a la Scapy. I wanted to take it further and use nmap with some packet foo, but I realized there were no Python bindings. So, that is on my list of things to do (: Anyway, the script works by taking a host file containing URLs, performing dig to get an IP, then whois to get the netblock, and from that a set of IP addresses to be scanned. Optionally, the tool can be set to scan with Scapy, or it can just dump out a list of IPs which can then be fed to Nmap. The script also tracks which hosts have been scanned and their open ports. I have not fully tested it, but I think a savvy hacker can make it work. Here is the script, and I even added a user-friendly interface too:
perform_dig_whois.py

Posted in Development, Hacking, Network Scanner, Patch, Python, Research, Security, Tools having no comments »



Teaching Boy Scouts about Computers

April 7th, 2009 by apridgen

This past weekend I had the opportunity to help some Boy Scouts get Computer Merit Badge through teaching a class. The class was fantastic, very interactive, and the audience was very cool. I was a little nervous before each class, but once I got started it was like my old school mentor skills kicked in.

The class gives Boy Scouts a grounding in online safety, computer history, computer hardware and software, along with how files are stored. The class is packed into about two-and-a-half-hour slots, and the material can be intense for adults and the boys equally. There were a lot of hacker questions that came up too, so it was cool to explain what I do. It's fun when they ask about hacking the Pentagon or NSA, because I get to throw out the sly look and say I can't talk about that :D

I even learned something from the class, not to mention got some much needed review of my computing history and DSP background. I would definitely recommend others in the community to participate if they have an opportunity. The best part of the class is when some of the kids come back and say thanks. Good times.

Posted in Boy Scouts, computer merit badge, teaching having no comments »



2Wire Keys and a Hack Waiting to Happen

February 25th, 2009 by apridgen

I just got to this today, but it is more about insight than anything remarkable. The other day I was sitting around, staring at my 2Wire router from my service provider, and I realized the provided passwords never contained any letters. Today, I finally got around to looking at everything.

I found that the keys (wireless and system) were 10-digit strings. This means that the potential key space is 10^10 (10,000,000,000). My first question for the security engineers is: why no letters or special characters?

So looking at this from an attacker's standpoint, this presents itself as more or less of a challenge if the access point is using WPA or WPA2. If an attacker creates a pre-computed dictionary with pyrit, and uses the fact that 2Wire SSIDs are "2wire" followed by 2-3 digits, he suggested the key might be cracked in or around 115 days at 1000 attempts per second (10^10 keys / 1000 per second / 86,400 seconds per day is about 116 days). But there is also the pre-computation time and the space requirement for the 10 billion or so possibilities. We kicked around some ideas about reducing the key space, but it was only heuristic given that we are working with a sample of one, which is myself.

Some open questions I had:

1. Can a relationship be drawn between the system key, the network key, or the mac address?

2. Are the digits random, or are they derived by xor’ing a common value to make them look random? I looked at the possibility of them being printable ascii, but when I combined two digits to form a decimal value for the ascii characters, they were not all printable.

3. Is there a relationship between the number in the SSID and the derivation of the keys? That is, is the random number on the end of the 2wire name used to create the keys, or to unobfuscate them to find a key value?

The questions are intended to help reduce the key space or quickly guess the default network or system password. Just some thoughts….

Posted in Uncategorized having no comments »



Traceroute Collector/ Aggregator for Scapy

February 25th, 2009 by apridgen

One of the main reasons I picked up Scapy is for the graphs. I have never been a visual guy, so Scapy is like magic when it comes to network mapping, let alone network traffic manipulation. Well, I really liked Scapy's basic graphing features, but when you have a large set of hosts to traceroute, it gets annoying popping up the graphs with the black hole hosts. This gets worse when the hosts share paths to the target network. Another thing that I wanted is the ability to group endpoints.

It took me about a week along with other work to get everything down (see last week's post), but I think I managed to get a basic implementation. I set it up so I can perform a number of individual traceroute operations and then drop them in a collector of sorts. When all the traceroutes are complete, you can generate graphs with grouped endpoints and the black holes omitted. I borrowed some code from Philippe's implementation of TracerouteResult.make_graph. There is a lot of extra code in the TracerouteCollector class because I tried a few different ways of forming the graph. I eventually got so frustrated that I created a basic traceroute path string and parse that result instead. I attempted merging TracerouteResults as well as maintaining other state, but it got complex quick, which led to more frustration.

Like I said, in the end I gave up on the native traceroute result object and built my own path string. Depending on whether the traceroute found the endpoint, it ends up in a completed-path or incomplete-path bin. When I build the graph, I go through and group the results based on the path taken and whether the endpoint was reached. I also go through and enumerate all the ASNs. However, when nodes are grouped together, the ASN is based on the first IP address in the grouping; otherwise, there will be extraneous nodes in the image. While I don't do this, someone could just prune the ASN results, but I have another project that I need to start on, so I did not get around to that.
I also have code that will write the traceroute trace, the graph, and then read in a traceroute trace from file. This might be useful if you want to do something else or save the traceroute for use later.

The class is meant to augment Scapy functionality so you would include it along with your Scapy includes:
# from scapy.all is imported in the trace_route_combine module
from trace_route_combine import *
t = TracerouteCollection()
x = traceroute("172.16.28.140", maxttl=18, dport=80)
t.add_route(x[0])
x = traceroute("172.16.28.141", maxttl=18, dport=80)
t.add_route(x[0])
x = traceroute("172.16.28.142", maxttl=18, dport=80)
t.add_route(x[0])
x = traceroute("172.16.27.140", maxttl=18, dport=80)
t.add_route(x[0])
x = traceroute("172.16.26.140", maxttl=18, dport=80)
t.add_route(x[0])
x = traceroute("172.16.24.140", maxttl=18, dport=80)
t.add_route(x[0])
# now to create the graph
t.do_graph()
# or get the graph string
gs = t.build_graph()
# get paths to all the trace routed hosts
# x> is a down host and => is an up host
paths = t.get_paths_to_hosts()

As usual the code is open source and licensed under GPL. If you like it let me know, if you hate it let me know too. This is experimental but usable code.

Code: trace_route_combine.py
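Here is the core of the grouping described above, as an added example of my own rather than the trace_route_combine.py linked here: black holes (TTLs with no reply) are dropped, each target is binned by whether its last responder was the target itself, endpoints that share the same transit path collapse into one node, and the result is emitted as a Graphviz DOT string. The hop lists are constructed by hand to stand in for Scapy's TracerouteResult, so it runs without Scapy; the "=>" and "x>" markers follow the post's convention.

```python
from collections import defaultdict

UP, DOWN = "=>", "x>"   # the post's markers: endpoint answered / endpoint never answered


class PathCollector:
    """Holds one traceroute per target and groups endpoints that took the same path."""

    def __init__(self):
        self.complete = {}     # target -> transit hops that answered (target reached)
        self.incomplete = {}   # target -> transit hops that answered (target never did)

    def add_route(self, target, hops):
        """hops is the per-TTL list of responders; None marks a TTL that got no
        reply (a black hole). Black holes are dropped so they never become nodes."""
        cleaned = [h for h in hops if h is not None]
        if cleaned and cleaned[-1] == target:
            self.complete[target] = cleaned[:-1]
        else:
            self.incomplete[target] = cleaned

    @staticmethod
    def _fmt(hops, marker, target):
        tail = "%s %s" % (marker, target)
        return " -> ".join(hops) + " " + tail if hops else tail

    def get_paths_to_hosts(self):
        """One path string per target, e.g. '10.0.0.1 -> 10.0.1.1 => 172.16.28.140'."""
        paths = {t: self._fmt(h, UP, t) for t, h in self.complete.items()}
        paths.update({t: self._fmt(h, DOWN, t) for t, h in self.incomplete.items()})
        return paths

    def group_endpoints(self):
        """Map (transit path, reached) -> targets; hosts sharing a path collapse into one node."""
        groups = defaultdict(list)
        for target, hops in self.complete.items():
            groups[(tuple(hops), True)].append(target)
        for target, hops in self.incomplete.items():
            groups[(tuple(hops), False)].append(target)
        return dict(groups)

    def build_graph(self):
        """Return a Graphviz DOT digraph: transit hops as ellipses, each endpoint
        group as one box, and a dashed edge into any group that was never reached."""
        boxes, edges = [], set()
        for (hops, reached), targets in sorted(self.group_endpoints().items()):
            box = "\\n".join(sorted(targets))
            boxes.append('  "%s" [shape=box];' % box)
            prev = "source"
            for hop in hops:
                edges.add('  "%s" -> "%s";' % (prev, hop))
                prev = hop
            style = "" if reached else ' [style=dashed,label="%s"]' % DOWN
            edges.add('  "%s" -> "%s"%s;' % (prev, box, style))
        return "\n".join(["digraph traceroute {", "  rankdir=LR;"] + boxes + sorted(edges) + ["}"])

    def write_dot(self, path):
        """Save the DOT text; render with: dot -Tpng path -o out.png"""
        with open(path, "w") as f:
            f.write(self.build_graph() + "\n")


if __name__ == "__main__":
    # Constructed sample data standing in for traceroute() results.
    c = PathCollector()
    for t in ("172.16.28.140", "172.16.28.141", "172.16.28.142"):
        c.add_route(t, ["10.0.0.1", "10.0.1.1", None, t])
    c.add_route("172.16.27.140", ["10.0.0.1", "10.0.2.1", None, None])
    print(c.build_graph())
```

With real Scapy results, the hop list for a target is the per-TTL reply source from traceroute()[0] with None where a TTL went unanswered; everything else in the class is independent of Scapy.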

Posted in Uncategorized having no comments »



Netmories and Internet Information

February 25th, 2009 by apridgen

So, Monday I went to the bi-monthly HTA meeting, and I was talking to bitmonk, and we got on the topic of privacy and search engines. He said that he was listening to the radio one day and they mentioned 123people.com among some others. I went to the web site, plugged in some information, and bam, there it was, plain as day. Being a geek or nerd, I don't have very much incriminating dirt on myself, but it was still very surreal to see all my information on there. My next thought was how to crawl the site to look for interesting information on friends, which led to a subsequent thought about a Facebook plug-in. The plug-in would crawl all my friends, friends of friends, and so on, looking for interesting information in sites like 123people.com. I think that would be an awesome tool for building up a list of targets for social engineering engagements. Just a thought.

Other than that it was good to walk down memory lane in some odd respect.

Posted in Uncategorized having 1 comment »



Technical Oversights in S. 436 and H. R. 1076

February 21st, 2009 by apridgen

Yesterday I was forced to take a break, and I came across an article pointing at this piece of legislation. Some of the intent is good, where Senator Cornyn and Rep. Lamar Smith want to prevent child pornography and other contraband from circulating on the internet. I don't necessarily appreciate the "other purposes" part, but the focus of this post is on Section 5 (below). I must note I am also not a lawyer, and I do not know how courts or laws address very technical cases that violate contraband laws. But I am reminded of a case a few years ago that was horribly misguided and did more injustice than it delivered justice [1,2]. These technical oversights by government put innocent people at risk, which is the purpose for this post.

SEC. 5. RETENTION OF RECORDS BY ELECTRONIC COMMUNICATION SERVICE PROVIDERS.

Section 2703 of title 18, United States Code, is amended by adding at the end the following:

`(h) Retention of Certain Records and Information- A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.’

This section/amendment essentially makes it a requirement for every hot spot, free WiFi cafe, or open network to register people who use their network. There are other people who are adversely affected, but small business owners are at the forefront for me, because I also have a small business, not to mention a home network which visitors use. Generally speaking, small businesses do not have the capability to register, monitor, and record every person who uses their network, let alone keep and maintain the data for an extended period of time.

As an engineer, I often weigh the benefits and risks of anything, and below is a set of arguments/ideas/facts that I think this amendment does not consider:

  1. These controls are difficult to maintain even for the most vetted and seasoned organizations and enterprises. Companies make a significant amount of money and/or organizations expend a large number of man-hours building, deploying, and maintaining systems to perform the tasks described in Section 5. Considerations must be made for confidentiality and non-repudiation of the users, protection of the generated data, and ensuring the data’s integrity, not to mention manageability and availability of the system. Building, deploying, and maintaining these types of systems requires constant effort and vigilance.
  2. Given the data must be retained for two years, there is no consideration about keeping its integrity. If the integrity of the data is corrupted then it is useless from a legal standpoint and even a technical standpoint. For example, someone could tamper with the information and make the guilty person look innocent and the innocent person look guilty. This retention should also cause citizens greater concern. More information and data about them is collected, and the likelihood of them being victims of identity theft increases significantly due to information disclosure or someone selling their information.
  3. Law enforcement may or may not have the capability to sift through all this information, but it really comes down to trying to find a needle in a haystack. Even if they can put the person at the location, they have to prove that the person was doing evil and they have to prove all the traffic originated from the bad guy's machine. In a probable scenario, the bad guy can steal an innocent person's network identity and use that to commit the crime. Now the innocent person can be implicated in the crime. Another viable attack is simply exploiting protocols to send and receive unregistered or covert traffic to and from the internet. In this case, there is no real evidence that associates the bad guy to the traffic, except the circumstance that they were there at that particular time, and even then the bad guy could use an unattended device to transmit the data, leave, and then come back at a later time to pick the device up.
  4. Bad guys can run their own email and internet services, which can elude law enforcement.
  5. If the bad guys use encryption, it will be nearly impossible for law enforcement to even look at the traffic. This means the content of the traffic may not be discovered, and circumstantial relationships must be drawn between the contraband server and the bad user. The relationship might also break down if the user uses one or more proxy servers scattered throughout the internet. This means the bad guy does not make a direct connection to the server or service that has the contraband.
  6. I mentioned earlier that there are technical means to indirectly connect one host to another. One such project is The Onion Router (Tor) Project. HD Moore developed a method to stop file sharing, and in turn sharing of contraband, over Tor [3,4], but this can again be circumvented by turning off JavaScript in the browser as described in [1].
  7. As I mentioned in a previous argument, it is not difficult for a person to adjust any addressing on their computer. They can simply change their MAC address each time they connect to the network, change their IP address manually, or steal (or borrow) credentials from someone else. While there are protocols and technical controls out in the public to prevent most of this activity, these solutions can be technically challenging for the average business owner, and if they are deployed incorrectly the net result is the same as having no control at all.
  8. My final point is the fact that this amendment creates and maintains an overabundance of information in the world about us. I do not subscribe to this universal collection just for the purpose of catching a few bad people. There is an incredible effort and requirement needed to protect this information, and I do not find it fair to place the burden on neighbors or small businesses to record every bit of data someone generates on their network, as this law could be used to do.

There are a number of other arguments and technologies that make this type of data collection worthless. This amendment really does not solve the problem at hand, nor does it make it easier to catch a criminal. I am not trying to degrade the politicians, their character, or that of their constituents, but there truly is a disconnect and a misunderstanding about the true technical, economic, and social impact of this amendment and its real effect on solving the problem. In reality, this legislation is bad and makes more problems for the wrong people than it hurts those who are doing wrong. I am not OK with the bad guys doing their evil, but based on my technical knowledge, I object to the amendment because it adds more security, privacy, and economic concerns/problems than it really looks to solve.

So I wrote a letter:

Senator Cornyn,

I have reviewed your proposed amendment to Section 2703 of title 18 in the proposed legislation S 436, Section 5, and I believe this amendment will not make it possible to prevent the exploitation of children; it will become a burden on small businesses and providers, as well as impede the civil liberties of the common citizen.

First off, I am an internet security professional, and I have identified at least 4 fallible assumptions that make this amendment moot and a burden. First, child pornographers can run their own servers, which means they do not need to use content providers to traffic information. Second, the data can be encrypted, so not even the internet service provider can read or monitor the traffic. Next, if a person so wishes anonymous access to the internet, they can visit a business offering free wifi, where they can anonymize their traffic in a number of technical ways. Finally, any person who accesses these small businesses may provide a false set of credentials to access the open network. In addition, the amendment will create an overabundance of information and data which may be invalidated in a court of law, due to improper storage and handling.

This amendment will only expend tax payers resources with little or no return. Please reconsider your support for this bill.

Respectfully,

Adam Pridgen, CISSP, M.S. Engineering

I leave the “other purposes” clause for someone else to debate.

Bibliography:
1. G. Craciun, "Malware Ruins Teacher's Life: Ever wondered how malware can endanger your life? (2009)." Softpedia [Online]. Available: http://news.softpedia.com/news/Malware-Ruins-Teacher-039-s-Life-89763.shtml
2. L. Beyerstein, "Connecticut Teacher Facing Jail for Porno Popups (2009)." The Huffington Post [Online]. Available: http://www.huffingtonpost.com/lindsay-beyerstein/connecticut-teacher-facin_b_39384.html
3. R. Lemos, "Tor Hack Proposed to Catch Criminals (2009)." SecurityFocus [Online]. Available: http://www.securityfocus.com/news/11447?ref=rss
4. H. D. Moore, Torment Project Code Repository (2009). Metasploit [Online]. Available: http://metasploit.com/svn/torment/trunk/

Posted in Uncategorized having no comments »



Quick Scapy Tutorial for Extending Tools: Batch Tcpping

February 19th, 2009 by apridgen

*** Update ***
I was going back through and reviewing some of the Scapy slides, and I noticed that Philippe has already talked about and described how to do this stuff (e.g. the tcp-ping stuff). So I am adding a citation for his work [1].

Like every good hacker with nothing to do, I have my hand in someone else's cookie jar learning how to do something cool. This week I took some time to learn how to use Scapy 2.0, and I wrote a script to perform a batch TCP ping. I am sure someone will say in the back of their mind, "there is this tool called nmap." My response: yes, I know, and everyone uses that tool; I want to fly under the radar, not into it. I am not saying what I did guarantees I am not in that category, but it's a step away from the crowd.

I wanted to control some of the data in the TCP segment (e.g. payload, sequence number, dport, sport, etc.), and I wanted something to tell me *waves hands in circles* if there was possibly an IPS or firewall in my way; that would be nice too. Basically, all this script does for the time being is take a file of hosts to be expanded/reconned and tcp-ping them with some randomized settings in the TCP layer. Not novel and innovative, but a good learning exercise. There are a couple of other directions that I would like to take this, but for the time being, I figure I would share what I have and what I learned. This is for Scapy 2.0+; there was a major software change between the two releases. I am going to basically list the interesting parts of my code and explain what I am doing. I learn by example, and in this fast and furious world of "teh netz", I am sure others do too. I have been told my posts are a tad lengthy, so I will just hit the highlights.

I know there is logic that I can put in the script to make it a little smarter and faster, but for now, it can serve as a good tutorial for others.

Step 1. Importing Scapy into the script and silencing the verbosity:
from scapy.all import *
# default conf.verbose = 2
conf.verbose = 0

Step 2. Create my Tcp-Ping Packet and send it along the way

def tcp_ping_host(host, port=80, ppayload=None, to=1):
	# host is the ip-address string
	# port is the destination port to probe
	# sport and seq are randomized per packet with RandShort()
	# if we want to mix it up and add arbitrary payloads
	# simply make ppayload into a string, or a RandString(size, chars)
	p = IP(dst=host)/TCP(dport=port, sport=RandShort(), seq=RandShort())
	if ppayload:
		# append the payload after the TCP header; assigning p.payload
		# directly would replace the TCP layer itself
		p = p/Raw(load=str(ppayload))
	pOpen = False
	hIPS = False
	# send a single packet and wait up to `to` seconds for a response
	a = sr1(p, timeout=to)
	#p.show2()
	# if the answer, a, is None, the host did not respond
	# an ICMP type 3 (destination unreachable) reply, in particular
	# code 3 (port unreachable), indicates there may be a host there
	# a.haslayer(ICMP) checks if the packet has an ICMP layer
	# a.getlayer(ICMP) gets the instance of the layer so its fields
	# can be referenced, e.g. a.getlayer(ICMP).type
	if a is None:
		return a, False, False, False
	elif a.haslayer(ICMP) and a.getlayer(ICMP).code != 3\
		and a.getlayer(ICMP).type != 3:
		return a, False, False, False
	# 0x12 is SYN+ACK in the flags field of the TCP segment
	pOpen = a.haslayer(TCP) and (a.getlayer(TCP).flags == 0x12)
	# try with a bad checksum
	# some IPS/IDS/Firewalls respond to all packets, so let's mix
	# it up and shoot a random/bad checksum at them
	# to do this we take p and set chksum to a random short value,
	# which stops Scapy from computing the right one (idea from the nmap docs)
	t = p.getlayer(TCP)
	t.chksum = RandShort()
	b = sr1(p, timeout=to)
	# a real TCP stack drops a segment with a bad checksum, so any
	# reply means either a broken host or a security device answering
	if b is not None:
		hIPS = True
	# fini.  hope it was as fun for you as it was for me.
	# Spent all day in the coffee shop on this one, yay!
	return a, True, hIPS, pOpen

There is some other functionality hidden away in the script, like scanning a set of ports in random order, scanning hosts in random order, and resuming a scan (or adding hosts to a do-not-scan list, etc.); I have not tested all of it, but it's there. I also posted some code a few light years ago on OpenRCE about using Scapy. Anyway, enough talk, time for bed. Hope this was helpful to some. Have a good weekend.

As always here is my code: scapy_tcpping.py
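The batch side that the post mentions but does not show (random host and port order, a do-not-scan list, and resuming a scan) is sketched here as an added example of my own, not a copy of scapy_tcpping.py; it also covers the host-file-to-IP-list expansion described in the "Staying Busy" post above. The prober is injected so that tcp_ping_host() can be dropped in under Scapy, while the scheduling and bookkeeping run with nothing but the standard library. The state file layout is an assumption of mine.

```python
import ipaddress
import json
import random


def expand_targets(lines):
    """Expand a host file: one IP or CIDR per line; blank lines and # comments are
    ignored, duplicates are dropped while preserving order."""
    hosts = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "/" in line:
            net = ipaddress.ip_network(line, strict=False)
            if net.prefixlen == net.max_prefixlen:
                hosts.append(str(net.network_address))
            else:
                hosts.extend(str(h) for h in net.hosts())
        else:
            hosts.append(str(ipaddress.ip_address(line)))
    return list(dict.fromkeys(hosts))


def plan_scan(hosts, ports, exclude=(), done=(), seed=None):
    """Return (host, port) probes in random host order with a fresh random port
    order per host, skipping do-not-scan hosts and pairs already completed.
    `seed` fixes the order (useful for tests); leave it None in the field."""
    rng = random.Random(seed)
    excluded, finished = set(exclude), set(tuple(pair) for pair in done)
    order = [h for h in hosts if h not in excluded]
    rng.shuffle(order)
    plan = []
    for host in order:
        port_order = list(ports)
        rng.shuffle(port_order)
        plan.extend((host, p) for p in port_order if (host, p) not in finished)
    return plan


def run_batch(plan, prober, state):
    """Run the probes and record results into `state`, a JSON-serializable dict
    carried between runs for resume. prober(host, port) returns
    (host_up, security_device_suspected, port_open), the same verdicts as
    tcp_ping_host() minus the raw answer."""
    state.setdefault("done", [])
    state.setdefault("up", [])
    state.setdefault("open", {})
    state.setdefault("suspect_ips", [])
    for host, port in plan:
        up, suspect, port_open = prober(host, port)
        state["done"].append([host, port])
        if up and host not in state["up"]:
            state["up"].append(host)
        if port_open:
            state["open"].setdefault(host, []).append(port)
        if suspect and host not in state["suspect_ips"]:
            state["suspect_ips"].append(host)
    return state


def load_state(path):
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save_state(state, path):
    with open(path, "w") as f:
        json.dump(state, f, indent=1)


if __name__ == "__main__":
    # Constructed host file and a fake prober; under Scapy use
    # prober=lambda h, p: tcp_ping_host(h, p)[1:] instead.
    hosts = expand_targets(["# lab targets", "10.0.0.0/30", "192.0.2.7"])
    state = load_state("scan_state.json")
    plan = plan_scan(hosts, [22, 80, 443], done=state.get("done", []))
    run_batch(plan, lambda h, p: (True, False, p == 80), state)
    save_state(state, "scan_state.json")
    print(json.dumps(state, indent=1))
```

Re-running with the same state file produces an empty plan once every pair is in "done", which is what makes a stop-and-resume scan cheap; adding a host to `exclude` removes it from any further plan without touching the recorded results.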

1. P. Biondi, "Network packet manipulation with Scapy (2009)." Scapy Site [Online]. Available: http://www.secdev.org/projects/scapy/

Posted in Uncategorized having no comments »



UT SSE Presentation: Introduction to Software Security and Threat Modeling

February 17th, 2009 by apridgen

Last Friday, I had the opportunity to introduce some aspects of software security and threat modeling to the UT Student Software Engineering Group, which included a mix of undergraduate and graduate students as well as faculty. The presentation format was more of an open discussion where I would answer questions as I spoke, and we would engage in conversation about the topic of the question. I enjoy this format, because the presentation evolves with the group, and not the presenter. The presentation is up on the site and located here.

During the course of the presentation, several interesting questions came up that I was not prepared to answer completely. Additionally, I feel it would be good to share the questions and my thoughts with others after I researched them. One question was about the economics of software security and whether or not the security integrated into the software development life cycle is worth the effort. Another question asked whether threat modeling and software security are effective in reducing vulnerabilities and other unwanted issues such as bugs. The final question was specific to software developers and what can be done besides writing good code. There are a number of great references on the topic of software security, and my comments may only scratch the surface. If you want to learn more, I have provided some URLs and books I have used to get you started. As a starting point, I used a presentation given by Chris Peterson on Microsoft Windows 7 Security at XCon, put on by XFocus [1].

The first topic that came up during the presentation concerned metrics and how security helps improve the software engineering process. Additionally, there were questions about cost savings, specifically whether security makes the software engineering process more expensive. My answer to these questions is: it depends.

First off, security is one ingredient in the software engineering process. If everything in the process is done correctly and security is integrated into it, as the SDL describes, then over time I see the cost of the software being lower than without it. Cost can be driven down in a number of ways. In 2002, RTI published a report about poor testing standards and their impact on the economy [2]. They published costs due to poor QA and testing and then the potential savings. Given this, let's look at QA and testing. These are some of the hardest and most laborious tasks in the software engineering process, outside of the actual development. When tools such as threat modeling or fuzzing are employed, these costs can be lowered. Threat modeling can be used to identify how the application will be used and abused (e.g., test cases and abuse cases), along with identifying the more sensitive and critical areas in the software, or areas where automated testing can be performed. One inherent benefit is identifying and performing testing in the areas that need it most, rather than testing the entire product equally.

Automated testing frameworks can also be developed or augmented to meet the automated testing needs of the project. From the TM, test patterns and cases can arise, and these can then be fed into the testing framework. This aspect helps save money because machine clock cycles are cheaper than human man-hours. Additionally, the framework and test patterns can be kept in a library for future use, so the fuzzing investment can be reused and even built into other projects. So in this case there may be a higher overhead due to threat modeling and automated security testing framework development, but there is also a potential savings over the life of the project, and other projects as well. As far as money or cost savings from these activities, I do not have figures. But a question did arise about the cost of a security breach, and I found a figure that was about $202 per record [3,4]. But there is no comparison or metric for money saved. There are other places where money can be saved like a streamlined patching process or reliability as a result of security, but for brevity we will continue on to the other questions that arose.

While my first point implies that better security is possible, it does not prove it with empirical data. The second discussion we had was about improved product security. Since Microsoft began using the SDL in 2002, they have seen a sharp decrease in the number of critical vulnerabilities in their operating systems [5]. The following figure is excerpted from the H1 2008 Desktop OS Vendor Report.

Image From H1 2008 Desktop OS Vendor Report p. 13, Vulnerabilities By Product, Severity (Reduced Linux Configuration)

The figure shows vulnerabilities (critical, medium, and low) by OS, comparing Windows Vista, Windows XP SP2, Mac OS X, Ubuntu, and RHEL. The figure shows Windows Vista with far fewer vulnerabilities than the other desktop platforms. Additionally, on Microsoft’s Malware Protection Center site, there is a graph on page 15 of [6] which shows the infection rates of each of their operating system platforms, with Windows Vista showing a much lower rate than most of the others. The only OS with fewer infections is Windows Server 2003 SP2, which could be for more than one reason: 1) it has fewer deployments, 2) it is not used for the everyday activities that expose consumer desktops to threats (e.g. no changes to default security settings), or 3) it is more secure. Windows Vista is one of the flagship products of the SDL process. When Windows XP and Windows Vista are compared on vulnerabilities and infection rates, the conclusion can be drawn that a successful SDL can help build a secure product.

Another issue that came up is the insider threat and how to model it, more specifically the Byzantine user who has some motive to do harm. Insider threats are the most expensive and dangerous aspects of a security system. In these cases, threat modeling can help identify critical assets, data, systems, etc. and identify mitigation strategies. First of all, the Principle of Least Privilege should be used. This can knock down most significant risks, because users are only privileged to do the role they fill. For example, a banking clerk should not be given administrative access to their host. Technical and human checks and balances (i.e. controls) should be integrated into architectures, designs, and implementations. The controls might require multiple authoritative personnel to sign in and allow critical changes. The controls might come in the form of policy, but a rogue user with ulterior motives may circumvent the system to meet their own objectives, so logging and review should also be heavily integrated into the system. As an example, any work a network engineer does should be checked by a peer to prevent malicious or catastrophic events. In one case, a major corporation was spared millions by a review of server management scripts [7]; even so, their security policies should be heavily scrutinized and rewritten. There are as many ways to circumvent security controls as there are to mitigate threats. TM will help assess the risk, place a value on how much mitigation is necessary, and show where the mitigation needs to be employed to thwart these types of attackers. In any environment, Defense-in-Depth is key to ensuring overlapping security coverage and positive failure. As in software engineering, there is no silver bullet.
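As an added illustration (my own example, not code from the original post), here is the two-person rule and logging described above expressed as a small change-control gate: a critical change is applied only after two distinct users with the "approver" role, neither of them the requester, have signed off, and every accepted or refused action is appended to an audit trail for later review. The role names and change records are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ChangeRequest:
    change_id: str
    requester: str
    description: str
    approvers: List[str] = field(default_factory=list)
    applied: bool = False


class ChangeControl:
    """Gate critical changes behind a two-person rule and log every decision."""
    REQUIRED_APPROVALS = 2  # two distinct authorized people must concur

    def __init__(self, roles: Dict[str, str]):
        self.roles = roles                      # user -> role; only "approver" may approve
        self.pending: Dict[str, ChangeRequest] = {}
        self.audit: List[str] = []              # append-only trail for peer review

    def request(self, change_id: str, requester: str, description: str) -> None:
        self.pending[change_id] = ChangeRequest(change_id, requester, description)
        self.audit.append(f"REQUEST {change_id} by {requester}: {description}")

    def approve(self, change_id: str, approver: str) -> bool:
        # Accept an approval only from a distinct, authorized, non-requesting user.
        req = self.pending.get(change_id)
        if req is None or self.roles.get(approver) != "approver":
            self.audit.append(f"DENY approve {change_id} by {approver}: not authorized")
            return False
        if approver == req.requester:           # least privilege: no self-approval
            self.audit.append(f"DENY approve {change_id} by {approver}: self-approval")
            return False
        if approver in req.approvers:           # a repeat vote by one person does not count
            self.audit.append(f"DENY approve {change_id} by {approver}: duplicate")
            return False
        req.approvers.append(approver)
        self.audit.append(f"APPROVE {change_id} by {approver} "
                          f"({len(req.approvers)}/{self.REQUIRED_APPROVALS})")
        return True

    def apply(self, change_id: str, actor: str) -> bool:
        # Apply the change only once the threshold is met, and only once.
        req = self.pending.get(change_id)
        if req is None or req.applied or len(req.approvers) < self.REQUIRED_APPROVALS:
            self.audit.append(f"DENY apply {change_id} by {actor}: approvals not met")
            return False
        req.applied = True
        self.audit.append(f"APPLY {change_id} by {actor}; approved by {', '.join(req.approvers)}")
        return True
```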

One final topic that came up in the presentation was technology, specifically what else there is besides code security. On the developer side of the fence, there are a number of exercises that can be performed to ensure code security, which might include code analysis (e.g. static or dynamic analysis), code reviews, policies regarding unsafe APIs, input validation, code signing and obfuscation, etc., from development up to deployment of the product. There are also technologies and policies that can be used to supplement code security when the software is in production. As I mentioned, Defense-in-Depth is the key to a successful security plan. Technologies and policies need to be chosen to accommodate and secure software products. For example, when a product is RTM (released to manufacturing), all debugging symbols should be stripped and stack checking should be enabled to prevent arbitrary control from stack overflows. The deployment platform should be secure by default, meaning features such as DEP and memory randomization are enabled. Depending on the deployment scenario, other steps may be taken. If this is a large IT project, the systems involved can be reviewed against secure configuration guidelines, network technologies for logging and access control can be used, etc. There is an entire laundry list of things that can be done outside of the code level.
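The release checks listed above (symbols stripped, stack checking on, DEP/NX and randomization enabled) can be verified on a Linux build artifact rather than taken on trust. As an added example that is not from the original post, the pure-Python checker below reads the ELF64 headers directly: PIE (ET_DYN) is the prerequisite for the image to be randomized, PT_GNU_STACK without PF_X shows the stack is non-executable, absence of a SHT_SYMTAB section shows the file is stripped, and a reference to __stack_chk_fail is used as a heuristic for the stack protector. The build_sample_elf helper is a constructed, non-loadable image only there to exercise the checker offline.

```python
import struct

# ELF constants (from the ELF specification)
ET_DYN, PT_GNU_STACK, PF_X, SHT_SYMTAB = 3, 0x6474E551, 0x1, 2


def check_elf64_hardening(data: bytes) -> dict:
    """Report release-hardening properties of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff, e_shoff = struct.unpack_from("<QQ", data, 32)
    e_phentsize, e_phnum, e_shentsize, e_shnum = struct.unpack_from("<HHHH", data, 54)
    nx = False  # no PT_GNU_STACK at all means the loader may leave the stack executable
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    has_symtab = any(
        struct.unpack_from("<I", data, e_shoff + i * e_shentsize + 4)[0] == SHT_SYMTAB
        for i in range(e_shnum)
    )
    return {
        "pie": e_type == ET_DYN,          # prerequisite for ASLR of the image itself
        "nx_stack": nx,                   # DEP/NX honoured for the stack
        "stripped": not has_symtab,       # .symtab removed, so debug symbols are gone
        "stack_protector": b"__stack_chk_fail" in data,  # heuristic: canary hook referenced
    }


def release_ready(report: dict) -> bool:
    """RTM gate: every hardening property must hold."""
    return all(report.values())


def build_sample_elf(pie=True, nx=True, stripped=True, canary=True) -> bytes:
    """Constructed, non-loadable ELF64 image (one phdr, one shdr) for exercising the checker."""
    phoff, shoff = 64, 64 + 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0,
                               phoff, shoff, 0, 64, 56, 1, 64, 1, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16)
    shdr = struct.pack("<IIQQQQIIQQ", 0, 1 if stripped else SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr + shdr + (b"__stack_chk_fail\x00" if canary else b"")
```

To check a real build, pass the file contents (open(path, "rb").read()) to check_elf64_hardening; the __stack_chk_fail heuristic can miss binaries whose protector calls are resolved differently, so treat it as a screen, not proof.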

Security is all about engineering. There are a vast number of things that can be done to ensure a successful product development cycle. I feel that a TM is the keystone of this success. It helps everyone understand the goals of the product and of each component, leading up to identifying and understanding how to contain or handle threats. I equate threat models for software engineers to a battle plan for war fighters. The threat model provides insight into the security landscape, it helps flesh out logistical and strategic details, and everyone should come out with an understanding of what they need to do to make the project a success. I could go on about this topic, because I love to discuss it and educate others about security. I have been doing this for a while, and I really do have much to share, but given that this has all been said at one time or another, I will simply present some links of interest.

Links to OWASP regarding information and application security:
OWASP
OWASP Security Principles (for Developers and Designers) (not just for software folks)
OWASP How-to Articles

Microsoft SDL and Software Security Information:
Microsoft’s SDL Home Page
Microsoft’s Threat Modeling Tool
Microsoft’s Security Intelligence Reports and Malware Protection Group

Here are just a few books I have read or keep available in my library:
Coding Standards and SDL Practices
M. Howard and D. LeBlanc, Writing Secure Code, 2nd ed. Redmond: Microsoft Press, 2003.
M. Howard and S. Lipner, The Security Development Lifecycle. Redmond: Microsoft Press, 2006.
G. McGraw, Software Security: Building Security In. Upper Saddle River: Addison Wesley, 2006.
Software Testing and Assessment
G. McGraw and G. Hoglund, Exploiting Software: How to Break Code. Boston: Addison Wesley, 2003.
M. Sutton, A. Greene, and P. Amini, Fuzzing: Brute Force Vulnerability Discovery. Upper Saddle River: Addison Wesley, 2007.
M. Dowd, J. McDonald, and J. Schuh, The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Upper Saddle River: Addison Wesley, 2007.

Bibliography:

1. C. Peterson. “Windows 7 Security Overview.” XCon2008 XFocus Information Security Conference, November 2008.
2. RTI. “Planning Report 02-3: The Economic Impacts of Inadequate Infrastructure for Software Testing (2009).” NIST [Online]. Available: http://www.nist.gov/director/prog-ofc/report02-3.pdf.
3. Walt. “Cost of a Security Breach (2009).” PCI DSS News and Information [Online]. Available: http://www.treasuryinstitute.org/blog/index.php?itemid=227.
4. “2008 Annual Study: Cost of a Data Breach (2009).” Ponemon Institute [Online]. Available: http://www.encryptionreports.com/2008cdb.html.
5. J. Jones. “H1 2008 Desktop OS Vendor Report (2009).” Blogs.Technet.com [Online]. Available: http://blogs.technet.com/security/attachment/3140955.ashx.
6. “Microsoft Security Intelligence Report, Volume 5 (January – June 2008) (2009).” Microsoft [Online]. Available: http://www.microsoft.com/downloads/details.aspx?FamilyId=B2984562-47A2-48FF-890C-EDBEB8A0764C.
7. K. Poulsen. “Fannie Mae Logic Bomb Would Have Caused Weeklong Shutdown (2009).” Wired [Online]. Available: http://blog.wired.com/27bstroke6/2009/01/fannie.html.




Shmoocon ‘09 and some old stuff

February 6th, 2009 by admin

Yup, that time of year again. Yup, I am here. I talked to some folks (props to Cammy and Lee (: ) and they mentioned that I should mirror my report from last year's Shmoocon Applied Security Contest.

There are some applicable attacks and analysis techniques in it (: I will work on mirroring the AHA! page here next week after the con. Happy hacking, and if you’re at the con, maybe we’ll see each other (:

Here is the site:
Hack IT AHA! 2.0 Page
So here is the PDF: Hack IT 2.0
