Infosec Pals

PGP Desktop products (Pro/Home) provide a neat set of features for all your email encryption, file and disk encryption needs in one nice package but for a price. However there are open source alternatives that offer similar features, which are more than enough for home and small business users. PGP Desktop offers great set of features for Enterprise customers with server based management and recovery features, but these features are rarely needed in a small business or home environment. The tools presented here have existed for a while but even then the security and small business community seems to gravitate more towards PGP Desktop, this entry is merely a reflection to say that all the features of PGP Desktop are available for free and in open source if your willing to work with 3 well developed applications.

Public Key Email Encryption/Signing/Decryption/Key Management

Read more »

JavaScript (in cyrptic speak ECMAScript) worms are becoming increasingly common, so are advances in anti-detection. Heard of polymorphic (code changing) viruses the same concept has been observed in recent worms as well. Detecting polymorphic code is difficult and Gareth Heyes has a nice article on why it is a challenge in javascript. To prove his point he even has a polymorphic javascript code generator on his site.

To sum it up here is a piece of javascript ternary morphed using his tool:

alert(’JS morph XSS’);

eval(((0 < 4 ? ‘a’ : ‘JfwGL’)+(0 < 4 ? ‘l’ : ‘JfwGL’)+(0 < 4 ? ‘e’ : ‘JfwGL’)+(0 < 4 ? ‘r’ : ‘JfwGL’)+(0 < 4 ? ‘t’ : ‘JfwGL’)+(0 < 4 ? ‘(’ : ‘JfwGL’)+(0 < 4 ? ‘\” : ‘JfwGL’)+(0 < 4 ? ‘J’ : ‘JfwGL’)+(0 < 4 ? ‘S’ : ‘JfwGL’)+(0 < 4 ? ‘ ‘ : ‘JfwGL’)+(0 < 4 ? ‘m’ : ‘JfwGL’)+(0 < 4 ? ‘o’ : ‘JfwGL’)+(0 < 4 ? ‘r’ : ‘JfwGL’)+(0 < 4 ? ‘p’ : ‘JfwGL’)+(0 < 4 ? ‘h’ : ‘JfwGL’)+(0 < 4 ? ‘ ‘ : ‘JfwGL’)+(0 < 4 ? ‘X’ : ‘JfwGL’)+(0 < 4 ? ‘S’ : ‘JfwGL’)+(0 < 4 ? ‘S’ : ‘JfwGL’)+(0 < 4 ? ‘\” : ‘JfwGL’)+(0 < 4 ? ‘)’ : ‘JfwGL’)+(0 < 4 ? ‘;’ : ‘JfwGL’)))

Adobe recently launch of AIR, previously know as Apollo, a cross-platform framework to deploy flash style applications to the desktop and web. The new applications are called RIA’s - Rich Internet Applications. Every time there is a new web offering it is subject to security evaluations by many curious minds, AIR will be no exception. Adobe engineers have released a few resources on the security model of AIR, check them out at “AIR Security”

AIR defines logical containers called “application sandboxes” to limit what the AIR application can access, similar to cross-domain, cross-frame restrictions. Adobe for its part has documentation out to educate developers on do’s-dont’s for good security “Best Security Practices“, lets hope the the RIA developers heed to these. It’s always a classic in the security world to see functionality and first-to-market driving development cycles with security as after thought.

The AIR is out, let the analysis begin! for starters play with SandboxBridges

Setting up a parent-child sandbox relationship

AIR adds the sandboxRoot and documentRoot attributes to the HTML frame and iframe elements. These attributes let you treat application content as if it came from another domain:

Attribute	Description
sandboxRoot	The URL to use for determining the sandbox and domain in which to place the frame content. The file:, http:, or https: URL schemes must be used.
documentRoot	The URL from which to load the frame content. The file:, app:, or app-storage: URL schemes must be used.

The Center for Information Technology policy group at Princeton university published a finding in which they showed how simple it is to break “Encrypted Hard drives” using cold boot attack.

This attack as described in the paper is very simple and can be performed by an average guy. The attacks exploit the DRAM remanence effects to recover cryptographic keys held in memory. There is a good video posted by the group which includes a demonstration of how simple it is to break an encrypted system (when the system is up and running or in standby/hibernate mode) and it is worth watching.

Most corporations use Pointsec for full disk encryption. The researchers were successful in retrieving the encryption key for hard drives encrypted using BitLocker, FileVault, dm-crypt, and TrueCrypt. A possibility exists where Pointsec encrypted drives are also vulnerable.

What steps can corporations take to mitigate the risk ?

• Change the machine’s architecture: Find DRAM systems that lose their state quickly. This might not be feasible from a cost standpoint on existing machines.
• Prevent physical access to DRAM chips and modules: Tamper resistant hardware, does it exist ?
• Complete “shutdown” : Educate corporate users to completely “shudown” their laptops (instead of going in to hibernate / standby mode) while traveling etc.

Recently completed a write up on Unlicenced Mobile Access (UMA) and FemtoCell Security Concerns. It’s available online under the articles section, check it out.

I’m a bit late into the fuzzing game, and recently I was thrown to do few short projects that involved third-party server components. Though tools like sulley and spike produces good results, especially since you can fuzz in depth with several test cases, but if you are short on time and haven’t had a chance to learn to use them, TAOF (The art of fuzzing) is very handy. It’s a GUI fuzzer written in Python, portable to any platform. The tool, being a GUI, is one of those fuzzer that can just unwrap and run. TAOF works as MITM TCP network proxy, point the client to Taof and it forwards the traffic to the server/services in question. Set the fuzzing points, then select the signatures to inject for stack/heap overflows, string overflows, integer overflows, and dictionary attack. Literally Click-Point-Click.

TAOF, by default, may not be as robust as other fuzzers, but you can edit the python source for more signatures. The tool also stops fuzzing when it crashes the service. But that’s when you pull out the big boys like Sulley and Peach, where you can focus on interesting points for more in-depth analysis.

BTW, Peach 2.0 recently came out last November. It no longer require tester to write convoluted Python code. It runs by feeding a XML data definition, then let the Peach cook and create the data mutations.

Sipera recently announced its list of Top 5 VoIP Vulnerabilities in 2007. A similar more detailed list was also released “Top 9 VoIP Threats And Vulnerabilities” by CMP Channel. Sipera has provided some input to the article so they are essentially the same list with a few more thrown in to make the list Top 9. These VoIP vulnerabilities stated are nothing new and have existed and remain almost the same since VoIP hit mainstream, however its good to release a Top 10 list every year to keep reminding people that it still exists!!

Top 5
Remote eavesdropping
VoIP Hopping
Vishing (Caller ID spoof and identity theft)
Toll fraud
The Skype worm

Read more »

DIY Phishing kits make it easier for even novice fraudsters to setup phishing sites. These point and click tools have a few variables that need to be configured and a phisher is all set to send spam emails hoping unsuspecting users will follow to their fake financial sites. Some phishing sites also use malware installers like MPack, Zunker which run massive command and control networks. What’s interesting lately is that these phishing/botnet kits have been reported to contain backdoors that silently send all the victims information to the kit’s author. Well the economics of phishing makes it worth to do whatever it takes to get their most prized asset you PII - Personally Identifiable Information.

For some awesome foo on phishing the phishers checkout Nitesh and Billy’s talk at BlackHat Fedral ‘08. You’ll be surprised by what they have to say!!

Data leakage concerns have hit all time highs in 2007, a recent survey shows 71% of people fear a remote worker will lose their PII. Enterprises where quick to explorer Data Leakage Protection/Data Loss Prevention (DLP) products since 2003, however the software solutions where still being perfected then. These products seem to be have matured now and have hit main stream Enterprise deployments. Recently I had the opportunity to do security reviews on some of the products in the market. DLP products come in two flavors -
Read more »

Greetings to one and all…I’m back after a fantastic vacation to India. I was trying to look at interesting things to research about and I bumped across Hernan Ochoa’s blog and an interesting OllyDbg plugin called UHooker (i.e., Universal Hooker). The UHooker is basically a plugin that can allow testers to hook into functions. I used UHooker to effectively fuzz the input to Google Talk by hooking into ws_32.send method and the results seemed interesting initially. The great part is it’s written in Python. There are a few libraries required to get it running effectively, for example, PyWin32 available from sourceforge is one of the libraries required for Python to understand the plugins. Just place the files i.e., proxy.py, server.py, *.cfg, uhooker.dll in the same directory as OllyDbg.exe and you should be able to use the UHooker plugin. The best script that I thought was good from Pen testing perspective was the tcpnet.py that allows you to use Hex Workshop as a TCP proxy that can be used just as other HTTP proxies such as Paros, Burp, WebScarab etc can be used.