Pages

What Programming Language Should I Use to Build a Startup?

Often entrepreneurs ask me 'What technology should I build my startup on?' There is no right or wrong answer to this question. It's a decision every company makes for itself, depending on what it's trying to build and the skills of its cofounders. Nonetheless, there are a few rules that one should adhere to. We discuss them in this blog post.

Incident Response Policy

What happens in your company when a production incident occurs? Usually in a typical startup, you will see engineers running around frantically trying to resolve the problem. However, as soon as the incident is resolved, they forget about it and go back to their usual business. A good incident response policy can help bring order into chaos. We provide a sample template in this blog post.

Why Software Deadlines Never Make Sense

We discuss why software deadlines usually don't make sense.

Analyzing Front-End Performance With Just a Browser

We discuss a number of freely available online tools which can be used to analyze bottlenecks in your website.

Why Smaller Businesses Can't Ignore Security and How They Can Achieve It On a Budget

In this article, we show that security is both important and achievable for smaller companies without breaking a bank.

Thursday, November 25, 2010

Summary of a "Remote binary planting talk" at DeepSec by Mitja Kosek by

===================
Remote binary planting talk
===================
This was given by Mitja Kolsek at DeepSec. Excellent overview of this vulnerability.


1998 - nsa windows nt security guidelines
2000 -georgi guninski : two office bugs
2001 - nimda uses dll spoofing for propagation
2006 - microsoft introduces safe search order
2008 - acros reports bp bugs to apple, google, microsoft, vmware

DLL search order
LoadLibrary("SomeLib.dll")
How about when LoadLibrary is called with a relative name?

Searches
1. Dir where app loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current working directory (CWD)
6. System path; User path

Current working directory stands out. This is a dangerous location.
If permissions set correctly, first 4 locations malicious code can't be planted there.
But CWD can not only point to loc on local file system but also can point to remote share (e.g. on a server in China).


"Unsafe search order" before 2004, current working directory was in location #2.
Safe search order changed to put CWD in #5.


Causes for not finding DLLs in primary locations.
1. Programmer checks for local capabilities by trying to load a library
2. Some DLLs are present on OS1 but not OS2 (dwmapi.dll) - with visual studio
3. Custom/partial installs
4. Backward compatibility
5. Forward compatibility
6. Application written so that it finds its binaries in PATH.
7. OS porting (loading linuxlib.so.1. on Windows)
8. Wrong assumptions about installed components - media players assuming codecs are available on the system.
9. Incomplete uninstalls.
10. ....

Closed-source
3rd party components



3-step attack:

1. Plant a malicious DLL (eg remote windows share)
2. Somehow get vulnerable app on user's computer to set CWD to location of DLL
3. Wait


How to set working directory
1. Double clicking a file in explorer (in remote share) (automatically sets cwd of launched app to that location)
2. File open, File save dialogs
3. Some apps change CWD to last open/save
4. cmd.exe : cd command
....

8. Local priv escalation
9. Advanced binary planting attacks


Internal network attack... malicious.dll
Do your firewalls block SMB? Yes, but what about WEBDAV traffic?

\\hack.attacker.dom\Share --- sets up web server, enables WebDAV, sets up share on the server... Hi john checkout this document.

WebClient service.. on windows workstations. If SMB protocol doesnt reach that share, then WebClient is going to try WebDAV.

=> click twice on the webpage
wab.exe
Address Book


Double click VCF file \\192.168.0.133\demo\web32res.dll
Process Monitor - SysInternals


Binary Planting - Goes "EXE"



Searching for non-absolute exe.
CreateProcess("SomeApp.Exe").
Looks in CWD as #2 in the search path.


Q: did you try doing anything similar in Linux with shared objects?

Inspected 200+ Windows applications
At least one exploitable binary planting issue in almost every one!

Tool for detecting binary planting.

ACROS binary planting detector (DLL planting: 400+, exe planting 120+)
http://blog.acrossecurity.com/2010/09/opening-can-of-binary-planting-worms.html


http://blog.acrossecurity.com/2010/10/breaking-setdlldirectory-protection.html
~100 affected vendors at Secunia

Block outbound SMB, WebDAV traffic on corporate firewall.


www.binaryplanting.com/test.htm
- test your exposure to remote binary planting attacks

Sunday, November 14, 2010

Overcommitting

After last week's sprint, I realized I have a nasty habit of overcommitting.
On Wednesday afternoon, I spoke at SC magazine congress, on the topic of social engineering. The audience was very welcoming and really enjoyed my talk. It was also interesting to learn about some of the standardization efforts that people work on, such as MAEC (maec.mitre.org) to enumerate different types of malware, infecting people's computers, and SCAP (scap.nist.gov), a broad family of security specifications, the best known of which is probably CVE.
Having given my talk, I chatted to a few folks, and had to dart off towards Penn Station to hop on a train to Washington D.C. It was a gorgeous, sunny day, with temperature in the 60s (a rarity in November), so I wish I didn't have to spring and could instead take a leisurely walk. I arrived to Hyatt D.C., which was a great hotel. And the next morning I was off to AppSec DC. Here the talks were a lot more technical than at SC world congress. Again, I wish I had more time to walk around Washington but I didn't. I picked up a few interesting ideas on instituting secure coding in organization during AppSecDC. Will be interesting to see if they will work in an agile development environment.

Wednesday, November 3, 2010

Yesterday I spoke on exploiting weak random numbers at the OWASP NY/NJ chapter meeting. It's a repeat of my talk "Much ado about randomness" that I gave earlier on in "The Next Hope". The meeting was great and contained some interesting presentations.
Escaping the Sandbox, Stephen Ridley
Groundspeed, Felipe Moreno
Much Ado about Randomness, Aleksandr Yampolskiy
Memory Corruption, Exploitation, and You, Dino Dai Zovi

I've uploaded the slides right here: http://www.slideshare.net/yampolskiy/much-ado-about-randomness-what-is-really-a-random-number

Monday, November 1, 2010

Malware goes to the movies

This month, I will be giving a talk "Malware goes to the movies" in AppSec DC 2010 (Washington D.C., US) and DeepSec 2010 (Vienna, Austria) conferences.
More details are available at this link.
This talk will examine new types of malware that spread through online videos, music files, and images.

Typically, there are two ways an attacker can trick you to install malware on your computer through videos:
1) URLANDEXIT command
Most Windows media files (WMV, ASF, WMA, etc.) allow embedding of script commands to "enhance viewer's experience." Bad guys abuse one such command called URLANDEXIT that launches a specific webpage from your Media player. They will make the player pop up a "Codec missing" or "License missing" message box on your computer, and trick you into installing a malware masquerading as a plugin.

2) DRM functionality abuse.
The same idea as above is used except a Windows mechanism to retrieve software licenses is used to distribute the payload.

I've implemented a Python tool that allows you to scan video files on your HD for the presence of these abusive commands in the video and music files. It implements a simple pattern recognition for byte sequences of URLANDEXIT command, extracts the URL out of the file, and then uses Web of Trust API to check how trustworthy the webpage is.

The tool is still in alpha stages. But the source code is available right here: http://code.google.com/p/videosearcher/
There are two ways of using it:

1) To scan the file on the HD
$ python video_search.py -f VIRUS-VIDEO.AVI


Video searcher v1.0 Copyright Aleksandr Yampolskiy
Looking for malware in file: VIRUS-VIDEO.AVI
Opened file VIRUS-VIDEO.AVI
Positions of ['U', '\x00', 'R', '\x00', 'L', '\x00', 'A', '\x00', 'N', '\x00', 'D', '\x00', 'E', '\x00', 'X', '\x00', 'I', '\x00', 'T', '\x00'] and ['\x00', '\x00', '\x00', '6']
startPos = 1939
endPos = 2017
================================================================
The extracted URL: http://freaktorrents.info/locked/3
Checking reputation of url: http://freaktorrents.info/locked/3
(Trustworthiness, Reliability)= [5, 42]
Reliability is > 20, so I'll proceed

2) To scan the URL containing a torrent file.
The tool will start downloading the video specified in the torrent, and analyze the incoming stream of data on the fly.

$ python video_search.py -u http://dl7.torrentreactor.net/download.php?id=3204949&name=The.Ghost.Writer.2010.TS.MD.FRENCH.XviD-PiRAZ.avi

Video searcher v1.0 Copyright Aleksandr Yampolskiy
Looking for malware in url: http://dl7.torrentreactor.net/download.php?id=3204949
Downloading torrent information from http://dl7.torrentreactor.net/download.php?id=3204949
Downloading: 0.00% complete (down: 0.0 kb/s up: 0.1 kB/s peers: 0). Pieces [ ] None : -1