Security BSides Athens 2016, Greece


I am pleased to announce that the Information Security Research Group is a proud community supporter of the effort being put into organising Security BSides Athens 2016 in Greece, held on Saturday, 25 June 2016.

More information about the event can be found at http://www.bsidesath.gr and the Call For Presenters (http://www.bsidesath.gr/cfp_.php) has opened. Feel free to submit your talks by 28 March 2016. The call is open to everyone.

Don’t forget to follow the event on Twitter @BsidesAth and make use of the hashtags #BSidesAth or #BSidesAthens for your posts.

Posted in Computer Systems Security, Digital Forensics, Network Security, News Articles

Stonesoft’s Evader 0.9.8.557 modifications for testing AETs against IPSs

Stonesoft’s Evader 0.9.8.557 (http://evader.stonesoft.com/) is a testing tool for Advanced Evasion Techniques. It includes a test framework for evasions that cover MS-RPC with Conficker and HTTP with phpBB viewtopic.php vulnerabilities.

We have played around with the automated attack system known as mongbat. An example invocation is shown below. Mongbat will in turn call multiple evaders with the selected options (don't forget to consult the man pages and the online assistance provided).

root@evader:~# ruby mongbat.rb --mode=random --attack=conficker --iface=eth1 --victim=10.0.1.10 --validator=externals/conficker_validator.rb --attacker=10.0.0.4 --ips_per_worker=1000 --workers=50 --mask=16 --time=1200

The system will also produce a random seed, which can be used to replicate the generated attacks with the --randseed= option.

Something that was missing was the ability to turn off the obfuscate flag in evader. After a bit of hacking around I came up with the following changes to mongbat.rb and predator4_module.rb and introduced the flag --disable_obfuscate to mongbat.rb.

The proposed patches are as follows (code may not be fully shown but when copied it is all there):

for mongbat.rb:

--- mongbat.rb.bak    2012-08-02 10:48:26.000000000 +0100
+++ mongbat.rb    2012-09-05 11:51:18.000000000 +0100
@@ -91,6 +91,7 @@
 attack = $default_attack
 $recdir = nil
 $passthrough = nil
+$disable_obfuscate = nil
 $min_evasions = 1
 $max_evasions = 0
 $stop_on_success = false
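Review bot: the new global `$disable_obfuscate = nil` carries no comment saying what nil means, and unlike its neighbours the name does not make it evident; since predator4_module tests `.nil?` rather than truthiness, add a one-line comment such as `# nil: pass --obfuscate to evader; anything else: omit it` so the tri-state is not mistaken for a boolean.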
@@ -122,6 +123,7 @@
   puts "\t--workers=<worker count, default 1>\t\tUse this many workers (and source IP addresses) to do the attacking"
   puts "\t--use_evasions=<evasion>(,evasion)*\t\tUse only these evasions"
   puts "\t--disable_evasions=<evasion>(,evasion)*\t\tDo not use these evasions"
+  puts "\t--disable_obfuscate\t\tDo not use obfuscation"
   puts "\t--check_victim=(true|false)\t\t\tCheck that victim allows legal traffic without evasions before attacking (default true)"
   puts "\t--record=<recdir>\t\t\t\tRecord the attacks to dirname in pcap format"
   puts "\t--min_evasions=<min evasions>\t\t\tMinimum evasions for random mode (default: #{$min_evasions})"
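Review bot: the added help line does not state the default, whereas the neighbouring `--check_victim` line does; suggest `Do not pass --obfuscate to evader (default: obfuscation enabled)` so users know the flag only removes something that is otherwise always on. Check that the two tabs after the shorter option name still align the description column with the surrounding lines.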
@@ -164,6 +166,8 @@
     use_evasions = $1.split(/,/)
   elsif arg =~ /^--disable_evasions=(.+)$/
     disable_evasions = $1.split(/,/)
+  elsif arg =~ /^--disable_obfuscate$/
+    $disable_obfuscate = 0 
   elsif arg =~ /^--check_victim=(true|false)$/
     # PORT_USAGE
     # controls how many ports will be used at max per attack
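Review bot: the added `$disable_obfuscate = 0 ` has trailing whitespace and uses `0` as the "disabled" value, which is truthy in Ruby and reads as "off" to anyone not aware that the callee only checks `.nil?`; setting `true` here says what is meant and keeps the nil default intact.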
@@ -742,9 +746,10 @@
               code, explanation, result, cmd, recname = $predator4.server_attack(@attack_name, nc, evasion, 80, $recdir, 10, $driver_by_ip[attacker_ip], randseed, $passthrough)
             else
               if @attack.extra_options_by_name[ "bindport" ].nil?
-                code, explanation, result, cmd, recname = $predator4.attack(@attack_name, nc, evasion, port, nil, PORT_USAGE, $recdir, 300, randseed, $passthrough)
+               
+                code, explanation, result, cmd, recname = $predator4.attack(@attack_name, nc, evasion, port, nil, PORT_USAGE, $recdir, 300, randseed, $passthrough, $disable_obfuscate)
               else
-                code, explanation, result, cmd, recname = $predator4.attack(@attack_name, nc, evasion, port, attacker_shell_port, PORT_USAGE, $recdir, 300, randseed, $passthrough)
+                code, explanation, result, cmd, recname = $predator4.attack(@attack_name, nc, evasion, port, attacker_shell_port, PORT_USAGE, $recdir, 300, randseed, $passthrough, $disable_obfuscate)
               end
             end
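Review bot: the `server_attack` call on the first context line still does not receive `$disable_obfuscate`, so for server-side (HTTP) attacks the new flag is silently ignored; either pass it through `server_attack` as well or make mongbat reject `--disable_obfuscate` for those attacks rather than accepting it without effect. The first `+` line is whitespace only and should be dropped.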

and for the predator4_module.rb:

--- predator4_module.rb.bak    2012-08-02 10:42:23.000000000 +0100
+++ predator4_module.rb    2012-08-02 15:15:54.000000000 +0100
@@ -708,7 +708,7 @@
       p4serv.close
     end

-    def attack(attack, network_config, evasions, src_port, attacker_shell_port, port_usage, recdir, timeout, randseed = nil, passthrough = [])
+    def attack(attack, network_config, evasions, src_port, attacker_shell_port, port_usage, recdir, timeout, randseed = nil, passthrough = [], obfuscate_flag=nil)
       # test clean
       code, explanation, result, cmd = clean(attack, network_config, src_port, port_usage)
       if code != 0
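Review bot: the new parameter `obfuscate_flag=nil` is named as though a non-nil value turns obfuscation on, but the body treats non-nil as "disable"; rename it `disable_obfuscate` and use the `= nil` spacing of the other defaults in the same signature so a caller reading only the signature is not misled.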
@@ -717,11 +717,16 @@

       time = Time.new
       attack_src_port = src_port+port_usage-1
+      if obfuscate_flag.nil?
+        obfuscate_cmd = "--obfuscate"
+      else
+        obfuscate_cmd = ""
+      end

       if attacker_shell_port.nil?
-        cmd = "#{@binary} #{network_config} --autoclose --attack=#{attack} --src_port=#{attack_src_port} --verifydelay=200 --obfuscate"
+        cmd = "#{@binary} #{network_config} --autoclose --attack=#{attack} --src_port=#{attack_src_port} --verifydelay=500 #{obfuscate_cmd}"
       else
-        cmd = "#{@binary} #{network_config} --autoclose --attack=#{attack} --src_port=#{attack_src_port} --extra=bindport=#{attacker_shell_port} --verifydelay=200 --obfuscate"
+        cmd = "#{@binary} #{network_config} --autoclose --attack=#{attack} --src_port=#{attack_src_port} --extra=bindport=#{attacker_shell_port} --verifydelay=500 #{obfuscate_cmd}"
       end
       if not randseed.nil?
         cmd += " --randseed=#{randseed}"
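Review bot: both rewritten `cmd` lines also change `--verifydelay` from 200 to 500, an unrelated behaviour change that the post does not mention; it belongs in its own patch or at least in the description. The five-line `if obfuscate_flag.nil?` block would read better as `obfuscate_cmd = obfuscate_flag.nil? ? "--obfuscate" : ""`.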
Posted in Computer Systems Security, Network Security

eduroam – avoid glamstudent AP (updated)

We have noticed that the glamstudent authentication portal on the University’s wireless systems has an expired SSL certificate.

We have been advised by the LCSS Helpdesk to make use of the new system known as eduroam.

Because the certificate has expired it is not possible to ensure a secure connection, so we advise everyone to switch to the new system as soon as possible.

More details can be found at http://lcss.glam.ac.uk/is/using/ under eduroam.

N.B.: eduroam has a different way of authenticating.

Update(05/09/2012): the certificate has been renewed and glamstudent can still be used. I would say that it is still easier to make use of Eduroam as it is more seamless and does not need you to authenticate every time (unless you change your password).


Posted in Computer Security, Computer Systems Security, Network Security

Spring(er) collection on Computer and Network Security

Spring collection… ? more like a collection of interesting books from Springer on Computer and Network Security.

Network Intrusion Detection and Prevention

http://www.springer.com/computer/security+and+cryptology/book/978-0-387-88770-8

Moving Target Defense

http://www.springer.com/computer/security+and+cryptology/book/978-1-4614-0976-2

Insider Threats in Cyber Security

http://www.springer.com/computer/security+and+cryptology/book/978-1-4419-7132-6

Spyware and Adware

http://www.springer.com/computer/security+and+cryptology/book/978-0-387-77740-5

Cyber Situational Awareness

http://www.springer.com/computer/security+and+cryptology/book/978-1-4419-0139-2

Identifying Malicious Code Through Reverse Engineering

http://www.springer.com/computer/security+and+cryptology/book/978-0-387-09824-1


Posted in Computer Security, Computer Systems Security, Network Security

Hope it is not you!

If you see Trojan:Win32/Popureb.E or something called Popureb [1] in your antivirus software then start making backups and look for your PC’s restore CDs/DVDs to restore your system.

[1] – http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft?taxonomyId=85

Posted in Computer Systems Security, News Articles

How serious and consequential any one failure would be?

Having read the article about Japan’s nuclear reactors [1] and the issues the country is now facing because of a number of critical failures, I would like to use this post to point out how the same pattern applies to computer security.

Bill says “As we learned in the global financial crisis as well, instruments and devices thought of as separate entities can all “go south” as the result of a single underlying cause, upending estimates of how serious and consequential any one failure would be.” [1]

The point is that all it takes is one failure to kick things off, and that will or can lead to a chain reaction of undesirable events. Whether the failure point is a specific vulnerability, a weak password or something else, if all possible issues are not looked at in depth, reviewed and addressed appropriately (e.g., through a penetration test) then information can go missing and systems will get compromised.

Many times it is hard to explain to people what the consequences are when the failure does occur and how it will affect them in the long run. In the case of the nuclear power plants the consequences for the population are quite dire (short and long term). In the computing realm, people only start to take notice when the issues cross into the physical realm (e.g., lost work hours leading to lost revenue, products that cannot be delivered, etc.). This demonstrates a short-sighted outlook on the long-term effects of possible consequences.

[1] – Japan Nuclear Accident: Worse than Worst, Again by BILL SWEET – http://spectrum.ieee.org/energywise/energy/nuclear/japan-nuclear-accident-worse-than-worst-again

Posted in Computer Systems Security, Network Security, News Articles

Increase of Cyber attacks

Cyber attacks are on the increase. Not just because I say so, it is a fact [1,2,3]. Cyber criminals are turning to the virtual world and usually the figures demonstrate their success in doing so.

Some countries are even thinking of having their own operating system, i.e. India [4], as if that will block cyber attacks. It will slightly reduce the amount of automated attacks, but it will only be a matter of time until these are also targeted.

What we do need is an increase in user awareness and a better understanding of the security issues that we face every day. In the same way that we look left and right before crossing the road, we need to double check and second guess whether a file is suspicious or not.

Certainly an expected increase in salaries [5], in the USA, for IT Security Professionals is a step in the right direction.

Links Used:

[1] – Terrorist cyber attacks are a growing threat to the nation, says GCHQ chief – http://www.telegraph.co.uk/technology/internet/8060641/Terrorist-cyber-attacks-are-a-growing-threat-to-the-nation-says-GCHQ-chief.html

[2] – Australian military reveals 230% increase in cyber attacks in 2010 – http://www.computerweekly.com/Articles/2010/10/11/243285/Australian-military-reveals-230-increase-in-cyber-attacks-in.htm

[3] – Cyber attacks on utilities tipped to soar – http://www.securecomputing.net.au/News/234954,cyber-attacks-on-utilities-tipped-to-soar.aspx

[4] – India Plans Indigenous Operating System to Thwart Cyber Attacks – http://it.tmcnet.com/topics/it/articles/108048-india-plans-indigenous-operating-system-thwart-cyber-attacks.htm

[5] – IT Salary Guide Shows Increase in Salaries for IT Security Professionals – http://www.securityweek.com/it-salary-guide-shows-increase-salaries-it-security-professionals

Posted in Computer Security, Computer Systems Security, Network Security, News Articles

2x PhD Studentships in Cyberwarfare

The ISRG group has two PhD Studentships available; apply before the deadline of 30 September 2010.

PhD Studentship – Awareness in a CNO Situational Environment
http://inform.glam.ac.uk/jobs/details/783/

PhD Studentship – Cyberwarfare Operations
http://inform.glam.ac.uk/jobs/details/784/

Posted in Computer Systems Security, Network Security

Receive, store and read SMS messages on Jailbroken iPad 3G

Be warned: We can not be held responsible for any damages you commit to your devices. Proceed at your own risk.

I have managed to find the secret combination of AT commands [1] that will allow you to save an incoming message to the SIM card and then you can read it on the iPad.

You will need the following commands in order to receive SMS to the SIM card.

at
at+cmgf=1
at+cnmi=0,1,0,0,0
at+cpms="SM","SM","SM"
at+cmgl="ALL"

You can make use of the sendmodem [2] code to make life easier. You can use minicom too!

Example:
./sendmodem at
./sendmodem at+cmgf=1
./sendmodem at+cnmi=0,1,0,0,0
./sendmodem at+cpms=\"SM\",\"SM\",\"SM\"
./sendmodem at+cmgl=\"ALL\"

Known problems:
There is an awful timeout issue. To start this process you will need to run ‘./sendmodem at’ until you get OK and then quickly send the rest of the commands. I have hacked away on the original sendmodem to include all the above commands in one executable. Will post it later on.

Also, once you have reached the maximum number of messages you will need to start deleting them. More information in later posts.
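As an added illustration (not code from this post or from sendmodem), the command sequence above scripted in Python against a pluggable send(cmd) function: it repeats the bare "at" until the modem answers OK, as the known-problems note requires, then issues the remaining commands back to back and parses the text-mode +CMGL listing. FakeModem, its phone numbers and message texts are constructed; on a real device send would write to the baseband serial port.

```python
import re

# The post's sequence: text mode, route new SMS to the SIM, select SIM storage, list all.
SETUP_COMMANDS = ['at+cmgf=1', 'at+cnmi=0,1,0,0,0', 'at+cpms="SM","SM","SM"']
LIST_COMMAND = 'at+cmgl="ALL"'
# Text-mode +CMGL header: index, status, sender, [alpha], timestamp.
CMGL_HEADER = re.compile(r'^\+CMGL: (\d+),"([^"]*)","([^"]*)",[^,]*,"([^"]*)"$')

def parse_cmgl(response):
    """Parse a text-mode AT+CMGL response into a list of message dicts."""
    messages, lines, i = [], response.splitlines(), 0
    while i < len(lines):
        m = CMGL_HEADER.match(lines[i].strip())
        if m:  # the message body is the line following the header
            body = lines[i + 1].strip() if i + 1 < len(lines) else ""
            messages.append({"index": int(m.group(1)), "status": m.group(2),
                             "sender": m.group(3), "timestamp": m.group(4), "text": body})
            i += 2
        else:
            i += 1
    return messages

def receive_sms(send, attempts=10):
    """send(cmd) returns the modem's reply. Repeat the bare 'at' until the modem
    answers OK (the post's timeout problem), then issue the rest back to back."""
    for _ in range(attempts):
        if "OK" in send("at"):
            break
    else:
        raise RuntimeError("modem never answered OK to 'at'")
    for cmd in SETUP_COMMANDS:
        if "OK" not in send(cmd):
            raise RuntimeError("modem rejected " + cmd)
    return parse_cmgl(send(LIST_COMMAND))

class FakeModem:
    """Constructed stand-in for the baseband: ignores the first 'at', canned list reply."""
    def __init__(self):
        self.calls = 0
    def send(self, cmd):
        self.calls += 1
        if cmd == "at" and self.calls == 1:
            return ""  # simulated timeout: no reply at all
        if cmd == LIST_COMMAND:
            return ('+CMGL: 1,"REC UNREAD","+441234567890",,"12/09/05,11:51:18+04"\r\n'
                    'hello from the sim\r\n'
                    '+CMGL: 2,"REC READ","+449876543210",,"12/09/04,08:00:00+04"\r\n'
                    'second message\r\n\r\nOK\r\n')
        return "\r\nOK\r\n"
```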

Enjoy!

Refs:

[1] – GSM AT Commands example (good ref really) – http://www.arcelect.com/GSM%20Developer%20Guide%20-%20GSM%20AT%20Commands%20-%20Rev%20%20A.pdf

[2] – sendmodem – http://code.google.com/p/iphone-elite/wiki/sendmodem

Posted in Computer Systems Security

iPad and iTunes file recovery of Smart Recorder Files

This solution is only for Macs. Use the following information at your own risk.

If you have an iPad (I would imagine it is the same for iPhones) and you have recorded something with Smart Recorder (or Smart Recorder Lite) and the iPad has been synced with a system there is a way to successfully recover your audio recordings.

First find your backup location. This will be in /Users/[user_name]/Library/Application Support/MobileSync/Backup/ (replace [user_name] with your account’s username); inside Backup you will have a number of folders with semi-random names. These are your backups. Find the latest one and go to that directory in the Terminal (e.g., cd /Users/[user_name]/Library/Application Support/MobileSync/Backup/, quoting the path because it contains a space).

We will now use grep to find the header of the recordings: grep AIFFCOMM *

The output of the grep search lists the files you want to copy off into a new folder; rename them to .aif and they can then be tested with VLC.

You could probably find any other documents in a similar fashion (e.g. for PDFs: grep PDF * ).
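As an added example (not from this post), the same search done by checking file magic instead of grepping for a literal string, generalised a little: an AIFF file begins with an IFF header (FORM, size, AIFF), so this also finds recordings whose COMM chunk is not the first chunk, and it handles PDFs the same way before copying the hits out with a proper extension. The sample backup and its hash-like file names are constructed; point recover at the real MobileSync backup folder named above.

```python
import os
import shutil
import tempfile

def sniff(head):
    """Return an extension for the first 12 bytes of a file, or None. An AIFF file
    starts with an IFF header (FORM, size, AIFF/AIFC), so this also finds files
    where the COMM chunk is not first and the "AIFFCOMM" grep misses."""
    if len(head) >= 12 and head[:4] == b"FORM" and head[8:12] in (b"AIFF", b"AIFC"):
        return ".aif"
    if head[:5] == b"%PDF-":
        return ".pdf"
    return None

def scan_backup(backup_dir):
    """Walk a MobileSync backup directory; return [(path, ext)] for recognised files."""
    found = []
    for root, _dirs, files in os.walk(backup_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                ext = sniff(fh.read(12))
            if ext:
                found.append((path, ext))
    return found

def recover(backup_dir, out_dir):
    """Copy recognised files into out_dir with a proper extension (the backup is
    never modified). Returns the list of paths written."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for path, ext in scan_backup(backup_dir):
        dest = os.path.join(out_dir, os.path.basename(path) + ext)
        shutil.copy2(path, dest)
        written.append(dest)
    return written

def make_sample_backup():
    """Constructed sample backup: an AIFF, a PDF and an unrelated blob under hash-like names."""
    d = tempfile.mkdtemp(prefix="mobilesync_")
    samples = {"3a9f1c": b"FORM" + (40).to_bytes(4, "big") + b"AIFFCOMM" + b"\x00" * 32,
               "b77e02": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
               "c0ffee": b"SQLite format 3\x00"}
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d
```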

Happy hunting.

Posted in Digital Forensics, Mobile Phones, PDA Forensics