Archive for July, 2009

BlackHat 2009 resources on-line

For those of us who are unable to attend BlackHat in person, the talk resources are now available online. Currently the video recordings of the talks themselves aren’t uploaded, but there are slideshows, whitepapers etc. available for each talk.

It’s a long list of good-looking information, to the point that I’m still struggling to decide what to look through first, and unlike the line-ups of previous years there is very little that doesn’t spark my interest.

Get your fill of BlackHat material here

Andrew Waite

Categories: Uncategorized

CloudCamp sound bites

2009/07/30 Andrew Waite

Same story as my previous post on the event; I’m still trying to fully digest all of the information and ideas presented. Whilst I research further I thought I’d share some of the comments and soundbites (mostly paraphrased) I took note of during the event, which are currently bouncing around my head.

(If any of the speakers feel these are mis-quoted or out of context, please let me know)

Reading back through my notes, I find it interesting that most of these could relate equally well to any form of IT-based service, feeding back into my original feeling that cloud computing isn’t especially new but is simply the evolution of other shared IT frameworks (mainframes, multi-user systems, etc.). Which brings me nicely to my first quote:

The ideas and technologies behind cloud computing aren’t new; it is the billing model that is innovative and creating opportunities.

Use multiple cloud providers to ensure tolerance to failure

Balance the cost of a failure against the cost of mitigating the risk

Run a business/service expecting failures to happen, and plan accordingly

Contractual SLAs are not insurance against failure

Security issues related to Cloud computing aren’t new or worse than security issues within traditional architectures, they’re just more visible

Traditional systems don’t scale well within a cloud architecture

Today’s architecture and system components will evolve to be more efficient within a cloud-based environment

The cost of failure is often the biggest cost of IT systems

Traditional licensing models for OS and applications need to evolve to match the requirements of cloud-based services

And finally, which was said with a wry smile:

Cloud computing is good news for consultants

Andrew Waite

Categories: Cloud

Initial thoughts from CloudCamp

2009/07/29 Andrew Waite

Tonight was the second CloudCamp event in the North East of England, and my first serious look at cloud computing. I really enjoyed the event and believe I received excellent value from attending, so thanks to all those who helped run the event, presented and discussed aspects of the field with me during the breakout sessions.

My head is still spinning with new ideas and understanding as a result of the event, so I’ll try to keep this brief and let it act as a semi-disclaimer for future postings regarding cloud computing.

Before the event my understanding of cloud computing was very cursory and I was very dubious of both its implementation and its actual value to an organisation. As such I attended the event in an effort to gain a greater insight into this new buzzword in service provisioning, either to join the bandwagon and take advantage of the Cloud’s potential, or to be able to argue against adoption with a more reasoned argument than ‘I don’t like it’.

For this goal the event was perfect for my needs, as I now have a better understanding of what Cloud computing is (and isn’t) and have been able to answer some of my fundamental questions.

Short and sweet was the intention of this post so I’ll finish with a quote (paraphrased) from the event which has in some ways changed my outlook on Cloud computing, and more specifically the ability to secure a Cloud:

Security issues related to Cloud computing aren’t new or worse than security issues within traditional architectures, they’re just more visible.

Andrew Waite

Categories: Cloud, infosec

July SuperMondays Review

This month’s SuperMondays started off with the usual round of pre-event geek talk and networking. As a result I now definitely want to get myself down to Bletchley Park, and I’m somewhat gutted that I wasn’t aware of the Big Geek Day Out before it happened; it sounds like those involved had a blast.

The event proper started off with an announcement from Mike at Orange Bus stating that they are currently hiring. If graphical work and web design is your thing give them a look.

The presentation proper was provided by John Colqulon. John introduced his project with Newcastle University, which aims to help GPs and other medical practitioners determine a patient’s risk of cardiovascular problems. There are other applications that provide this level of support, but this project goes one step further by visualising the impact a mitigation and/or lifestyle change could have on that patient’s risk, using several underlying research models (whose names I can’t remember, sorry).

I’ll admit that this wasn’t exactly my favourite of topics, but both John’s presentation and the debate raised in the questions section provided a good insight into the many different aspects that need to be considered to complete a complex IT system, from interface design to data protection issues. Although I personally struggle to understand the importance of using smiley faces to represent discrete mathematical figures, that’s just not my field of expertise…

The second part of this month’s event was a first in SuperMondays history: no presentation, just a group-wide discussion of a selected topic, in this case encryption and ‘sharding’. Despite most people’s initial assumption, that isn’t a typo: sharding with a ‘d’. The concept is to break up meaningful files into smaller component parts (each encrypted if the information warrants it) and scatter the shards across multiple locations. The theory is that if one location or server is compromised, the data it holds is useless without the other shards, or the blueprint information needed to rebuild the original file.
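As an added illustration of the sharding idea described above (example code written for this post, not something presented at the event), the following splits a file into shards, encrypts each shard under its own derived key and records a separate blueprint; rebuilding without every shard, or with an altered shard, fails closed. The HMAC-SHA256 counter-mode keystream is an assumption standing in for a real authenticated cipher, chosen only to keep the example dependency-free.

```python
import hashlib
import hmac
import os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Demonstration cipher: HMAC-SHA256 in counter mode XORed over the data.
    # Assumption for this example only; a real deployment would use an
    # authenticated cipher such as AES-GCM. Encrypt and decrypt are the same op.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def _shard_key(master_key: bytes, shard_id: str) -> bytes:
    # Each shard gets its own key, so one leaked key unlocks one shard only.
    return hmac.new(master_key, b"shard:" + shard_id.encode(), hashlib.sha256).digest()

def shard_data(data: bytes, master_key: bytes, shard_count: int):
    """Split data into shard_count encrypted shards, each under a random name.
    Returns (shards, blueprint): shards maps name -> ciphertext, ready to be
    scattered; the blueprint records order, nonce and plaintext hash per shard,
    which is exactly what a holder of a single location is missing."""
    size = -(-len(data) // shard_count)  # ceiling division
    shards, blueprint = {}, []
    for idx in range(shard_count):
        chunk = data[idx * size:(idx + 1) * size]
        shard_id, nonce = os.urandom(8).hex(), os.urandom(16)
        shards[shard_id] = _keystream_xor(_shard_key(master_key, shard_id), nonce, chunk)
        blueprint.append({"id": shard_id, "nonce": nonce.hex(),
                          "sha256": hashlib.sha256(chunk).hexdigest()})
    return shards, blueprint

def rebuild(shards: dict, blueprint: list, master_key: bytes) -> bytes:
    """Reassemble the original; fails closed if a shard is missing or altered."""
    parts = []
    for entry in blueprint:
        shard_id = entry["id"]
        if shard_id not in shards:
            raise KeyError(f"shard {shard_id} missing")
        chunk = _keystream_xor(_shard_key(master_key, shard_id),
                               bytes.fromhex(entry["nonce"]), shards[shard_id])
        if hashlib.sha256(chunk).hexdigest() != entry["sha256"]:
            raise ValueError(f"shard {shard_id} failed integrity check")
        parts.append(chunk)
    return b"".join(parts)
```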

It certainly generated a lively discussion, with various weaknesses, trade-offs and mitigations being proposed and countered by different group members. The wide array of fields of expertise among the attendees was evident as different issues and factors were introduced from angles I had never considered. I enjoyed the format of the discussion and thought it worked well, although how well it would be received if the topic was outside your zone of interest and/or speciality I’m not sure. To counteract this it was proposed that it may be beneficial to move to a bar-camp type structure for similar sessions, allowing multiple topics of discussion so attendees can get involved in the topic that most interests them.

Rounding off the event was the announcement that Gavurin are also hiring (what credit crunch?); again, if this is within your field and you are looking for a new challenge give them a look.

As usual, the event ended in the local pub for more highly geeky conversation over a drink. This time round I ended up in some interesting discussions on the legalities of accessing or operating an insecure wireless access point, support contracts for companies with (seriously) legacy systems, and everyone’s ‘love’ of telco providers.

As I usually state, if you’re in the area and industry and haven’t been to a SuperMondays gathering: why not? It’s looking like this may get easier to attend too; as SuperMondays grows there are developments afoot to create an official not-for-profit organisation to take the group forward and to widen the location of events across the North East, rather than just Newcastle itself.

See you all at the next event,

Andrew Waite

P.S. Thanks to David Coxon, who beat me to a review of the event and made it easier to find some of the links I wanted.

Categories: SuperMondays

War-walking case

I’ve just completed work on a project I’ve had in mind for a while now: a war-walking case. As you can probably guess, it involves fitting a war-drive rig (car excluded) inside a carryable case.

As I had one going spare I started off with a fairly standard CD carry case:

Case before modification - closed

Case before modification - closed

A bit of fun with a hacksaw and foam later and there’s an alcove for my external Alfa wireless card:

War Drive case with Alfa card

War Drive case with Alfa card

The grooves cut into the central partition create a secure compartment for my Acer AA1, both in transit and whilst running (not sure about cooling ventilation yet, still a work in progress):

War Drive case with AA1 running Kismet

War Drive case with AA1 running Kismet

Finally, a groove in the edge of the case allows external access for the omni antenna and GPS receiver. Complete kit below:

Complete War Walk rig

Complete War Walk rig

Now it’s complete I’m not sure whether this kit will actually get used, though. It looks a bit suspicious and is now commonly referred to as ‘the bomb’. I’m not looking forward to explaining to an armed response unit that I’ve got nothing more dangerous in the case than an up-to-date Metasploit install.

Andrew Waite

Categories: gps, tool-kit, wireless

Thank you Cisco

Several months ago I tried accessing a Cisco whitepaper (can’t remember which one or what topic) and was prompted to register for a prize draw. I was bored, so thought ‘what the hell’; a couple of minutes later I was done and forgot about it. Until the post turned up this morning!

I cracked the box open and found a rather shiny looking pen (see below):

Cisco Pen Boxed

Very shiny box for a pen, but it turns out that Cisco know geeks: the pen also includes a 1GB USB drive!

Cisco Pen Disassembled

Cisco Pen Disassembled

And the perfect finishing touch? The end of the pen also includes a laser pointer, which has given me great enjoyment watching the dog chase and try to devour the red spot on the carpet. Thanks Cisco.

Andrew Waite

Categories: tool-kit

VMware, Win7 & VirtualXP

<update-20091129>
Very grateful to Timmedin for pointing me in the direction of his recent work with the same issue. In usual form, Tim has even packaged up a PowerShell script to automate the workaround. Check his fix here, much cleaner and slicker than my own. If you’re still curious, read on for the backstory.
</update>

Since rebuilding part of my toolkit I’ve had issues connecting to my ESXi host server. I had originally thought this was a result of the upgrade from ESXi 3.5 to ESXi 4.0, and the resultant change from the VMware Infrastructure Client to the new vSphere client. After several hours and days fighting down a blind alley I found a forum post that highlighted Windows 7 as the culprit.

Further reading indicated that this is a widespread issue with no real solution. The best workaround appears to be to run the client within a sandbox via Microsoft’s Virtual XP environment for Windows 7.

After a couple of false starts the install process was fairly straightforward, found here. Simply select the hardware architecture (32/64-bit), install a patch, then finally the Virtual XP image. Everything beyond this works as expected: a virtual XP machine. Once in the virtual environment, install the vSphere client as normal to regain access to your VMware environment.

vSphere via virtualXP

vSphere via virtualXP

Knowing my preferences, observant readers may be wondering why not achieve the same results using a VMware guest with the vSphere client installed. VMware Server is already installed on my machine, and this was one of my initial thoughts. However, Virtual XP and VMware use virtualisation for different results. The Virtual XP client has several integration features (which can be disabled if preferred) that allow simple, native access to resources on the host machine (files, directories, peripherals etc.) from within the guest. This makes working with either, and between, host and guest seamless. Obviously such integration would be unsuitable for a lab environment, as you want/need isolation, separation and protection from the guest machines, so VMware still has its place. As usual, using the right tool for the right job is essential.

At this point I’m back in my lab and the R&D rolls on, but the experience has led me to look more in depth at Virtual PC. I have started building a BackTrack4 guest with Virtual PC to run within my standard machine for everyday use. Having access to a Linux environment as simply as a double-click, as with normal applications, will hopefully be a nice addition to my usual working practice.

<UPDATE> BT4 works fine, but the X GUI fails to start. Guess I’ll need to polish up on my command-line kung fu </UPDATE>

Andrew Waite

Categories: lab, vmware, windows

Kon Boot

I’m running behind the curve on this one, but several of my usual sources have suggested KonBoot as a useful addition to any security toolkit. The premise of Kon-Boot is simple: by modifying the system kernel (Windows or Linux) upon boot, there is no need to know the user’s password to access the system.

Kon-Boot is designed to boot via either floppy or CD, but thanks to the work of IronGeek it is relatively painless to get Kon-Boot running from USB.

Unetbootin continues to be a powerful tool; using it you create a bootable USB drive from the KonBoot floppy disk image. Raymond.cc has a great guide for the process, but ends with the limitation that KonBoot won’t function from USB; until IronGeek steps into the ring with a patch. Simply extract the archive to the root of the USB drive to update chain.c32 and syslinux.cfg, then you’re good to go.

There are plenty of videos showing Kon-Boot in action, for example this one. I’ve successfully compromised a Windows 7 host, both local and domain account, but it can only compromise domain accounts that have previously logged onto the physical machine. Discussing the issue with a Windows admin, a couple of potential mitigations have been developed, but at this point these have yet to be put to the test.

Linux compromise seems to be less powerful, as you log in as a new kon-usr user, albeit with UID 0 for superuser privileges. Full authentication doesn’t seem available, however; kon-usr drops in at the command line, but KDE kicks up an authentication error when trying to start a GUI session.

I still intend to test my Kon-Boot drive against a machine with an encrypted hard drive. I’m not convinced it will work, as my current hypothesis is that the Kon-Boot kernel modifications will be attempted before the drive is decrypted. I’ll update once I’ve been able to put the hypothesis to the test in a lab.

For the time being Kon-Boot is a permanent addition to my tool-kit, as there are plenty of scenarios that make KonBoot a legitimate tool for both security and non-security techies alike. Thanks to www.piotrbania.com for development and release.

Andrew Waite

Updated wardrive rig

This post should be short and sweet, as Dale beat me to the punch with an excellent write-up of wardriving with BT4. Thanks to some back-and-forth advice, Dale’s hardware setup is also nearly identical to mine, so I won’t repeat anything he’s already published. But his post did push me to stop neglecting my wireless kit and update my tools.

The primary change is that I’m now running BT4 rather than BT3, still from a bootable USB drive created via Unetbootin. This provides easy access to the vastly updated Kismet Newcore; Mike Kershaw has done some wonderful work with this release. I’ve found Newcore to be vastly simpler to run than previous Kismet versions, primarily because you can now add additional source interfaces to the setup from the console client itself, rather than needing to modify the config files with some archaic black magic.

Also included within BT4’s toolset is Jabra’s excellent giskismet utility; this provides the same functionality (and more) as my previous kismet2gmapstatic attempts. Since I started development on my home-brew tools I’ve had several people point me toward giskismet; I wish they’d done so beforehand, as it would have saved me some (now defunct) development time. I fully intend to go into more depth on giskismet’s capabilities in a separate post once I’ve fully got to grips with it, as my initial opinion is that this tool is great, so watch this space.

I’ve got the wireless bug again, so if you see a car with plenty of USB cables going through the passenger window be sure to say hi!

Andrew Waite

Categories: tool-kit, wireless

ZeroWine

Zero Wine is:

an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program.

The output generated by wine (using the debug environment variable WINEDEBUG) are the API calls used by the malware (and the values used by it, of course). With this information, analyzing malware’s behavior turns out to be very easy.

Install was fairly simple, as ZeroWine is distributed as a Qemu virtual image. Qemu is downloaded here, and ZeroWine here.

To start the ZeroWine image I use the command (change filepaths to suit your install):

>qemu.exe c:\zerowine_vm\zerowine.img -no-kqemu -L . -redir tcp:8000::8000

Once running you can access the service by pointing a browser to localhost:8000 (the ‘-redir tcp:8000::8000’ parameter redirects the ZeroWine image’s port to your local system). This provides a simple web interface to upload and analyse your malware sample:

For a test run I uploaded the most recent sample collected by my Nepenthes honeypot, MD5 hash 3c9563dacd9afe8f2dbbe86d5d0d4c5e. The report generated shows the results of ZeroWine’s analysis, example below:

The first section shows the behavioural analysis of the malware; this should be the most useful aspect of the ZeroWine framework. However, as the ZeroWine page itself states, the output is ‘very long and, as so, hard to understand’ and is unable to distinguish between system calls made by the malware and those made by the underlying analysis framework. As a result I personally find the information provided by the report less useful than it could be.
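One way to cut that noise down, as an added example that is not ZeroWine’s own code or the author’s: parse the WINEDEBUG=+relay ‘Call’ lines and separate calls whose return address lies inside the sample’s own image (made by the sample) from calls returning into Wine’s DLLs (framework noise), then pull out the quoted string arguments from the sample’s calls. The relay line shape and the trace lines below are constructed assumptions; the image base and size would come from the sample’s PE header.

```python
import re
from collections import Counter

# Assumed shape of a WINEDEBUG=+relay "Call" line (Wine's relay tracing):
#   <thread>:Call <module>.<function>(<args>) ret=<return address>
# "Ret" lines and anything else are ignored.
RELAY_CALL = re.compile(
    r"^(?P<tid>[0-9a-f]+):Call (?P<module>[\w.]+)\.(?P<func>\w+)"
    r"\((?P<args>.*)\) ret=(?P<ret>[0-9a-f]+)$"
)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # string arguments as Wine prints them

def parse_calls(lines):
    """Yield (module, function, args, return_address) for each relay Call line."""
    for line in lines:
        m = RELAY_CALL.match(line.strip())
        if m:
            yield m["module"], m["func"], m["args"], int(m["ret"], 16)

def from_sample(ret, image_base, image_size):
    # A call whose return address lies inside the sample's own image was made
    # by the sample; anything else came from Wine's DLLs or the framework.
    return image_base <= ret < image_base + image_size

def summarise(lines, image_base, image_size):
    """Count API calls made by the sample and by the framework separately."""
    sample, framework = Counter(), Counter()
    for module, func, _args, ret in parse_calls(lines):
        bucket = sample if from_sample(ret, image_base, image_size) else framework
        bucket[f"{module}.{func}"] += 1
    return sample, framework

def sample_strings(lines, image_base, image_size):
    """Quoted arguments (paths, registry values, URLs) from the sample's own calls."""
    return [(f"{module}.{func}", s)
            for module, func, args, ret in parse_calls(lines)
            if from_sample(ret, image_base, image_size)
            for s in QUOTED.findall(args)]

# Constructed trace for this example (not real ZeroWine output); the sample is
# assumed to be loaded at 0x00400000 with a 64 KiB image.
SAMPLE_TRACE = [
    "0009:Call kernel32.GetCommandLineA() ret=004012e5",
    "0009:Ret  kernel32.GetCommandLineA() retval=00110e10 ret=004012e5",
    r'0009:Call kernel32.CreateFileA(00110e40 "C:\\windows\\temp\\sample_dropper.exe",40000000,00000000,00000000,00000002,00000080,00000000) ret=0040136a',
    "0009:Call ntdll.RtlAllocateHeap(00110000,00000000,00000040) ret=7b87c3a1",
    r'0009:Call advapi32.RegSetValueExA(00000080 "Updater",00000000,00000001,00110e40,00000020) ret=00401402',
    r'0009:Call wininet.InternetOpenUrlA(00cc0000 "http://example.invalid/cfg",00000000,00000000,00000000,00000000) ret=004014d0',
    "0009:Call ntdll.LdrGetDllHandle(00000000,00000000,0032fd40,0032fd60) ret=7b873f10",
]

if __name__ == "__main__":
    own, noise = summarise(SAMPLE_TRACE, 0x00400000, 0x10000)
    print("sample:", dict(own))
    print("framework:", dict(noise))
    print("strings:", sample_strings(SAMPLE_TRACE, 0x00400000, 0x10000))
```

The return-address split is a heuristic: a sample that calls APIs through a hand-rolled trampoline outside its image would land in the framework bucket, so treat the split as a first filter rather than a verdict.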

There are definitely better sources for generating automated analysis of malware samples, for example VirusTotal or CWSandbox. However, depending on how the malware sample was obtained, legal or business requirements may prevent you from releasing the sample to a third party, and not all such services can provide the immediate response of a local system; meaning ZeroWine can still be a valid and useful tool in your arsenal.

Taking the concept forward, Jim Clausing recently released an excellent paper on setting up an automated malware environment with open source tools. I haven’t had a chance to try out any of Jim’s suggestions, but I have read the paper and listened to the related podcast, and the recommendations are definitely on my to-do list to improve my malware analysis toolkit.

Andrew Waite