Archive for the 'Malware' Category

Diploma Thesis - Content and Mobile Security Lab

Thursday, June 2nd, 2005

In 2005 I successfully completed the post-graduate diploma in Information Security at the Lucerne University of Applied Sciences. For my diploma thesis I developed a course concept for a Content and Mobile Security Lab for my employer Compass Security Network Computing AG. Apart from writing a concept paper, I implemented parts of the course during the diploma thesis. On the closing date we had to hold a 20 minute presentation on the thesis in front of a public audience and our lecturers. The German version of the slides can be found here.

The three day course critically examines modern perimeter protection and threats to it from mobile technologies and current malware. On the first day we will be discussing USB, Bluetooth, wireless LAN as well as VPN vulnerabilities and attacks. The first part of the second day goes into malware and commercial software (GoToMyPC and Skype) which exhibits malware-like behaviors in terms of bypassing firewalls and inside-out tunneling. Deployment and hiding techniques of modern malware are discussed. In the second part of the second day we talk about how good current perimeter security solutions like virus scanners and content filters really are. We will show how security could be improved by implementing a zone concept in the form of a graphical firewall. The third day deals with Citrix and Terminal Server security in B2B and for-your-eyes-only applications.

The course is now offered through the ISACA Switzerland Chapter to the public. Detailed German as well as English flyers are available for download for those of you who are interested in participating.

Compass Security Event 2004 - Spyware Analysis

Wednesday, April 28th, 2004

Administrators and security analysts are often faced with a situation where they have to check an executable for malware behavior. At the Compass Security Event in 2004 I gave a talk on Spyware Analysis. After an introduction on malware behavior, snapshot-based and dynamic analysis methods are presented. Then an analysis process and a VMware-based environment for analysing software behavior are discussed. The methods are demonstrated on three samples: Dashbar/Gator, iGetNet and Windows Update. For details see the presentation.

Finjan SurfinGate Analysis

Monday, January 27th, 2003

Content filter software is quite common these days. But is it really worth the money? As one of my first assignments as a security analyst in 2002 I conducted an analysis of the Finjan SurfinGate content filter. This is a product which is deployed as a forward proxy to protect against malicious web traffic while the user browses the Internet. The results of the analysis were quite disappointing since they proved that Finjan’s “sandbox” is actually a parser and that there are several ways to bypass protection.

In the end 7 vulnerabilities were registered with SecurityFocus and discovery credited to Compass Security:

For a more detailed summary and the conducted test cases and procedures see the report.

File Formats Threat Analysis

Thursday, October 10th, 2002

As a preparation for the Finjan SurfinGate review in 2002 I analyzed which file formats potentially pose a security threat. I had a look at about 50 different file formats ranging from Microsoft Word documents to ZIP archives and documented which vulnerabilities were known at the time.

It turned out that file parsers are often vulnerable to buffer overflow attacks and the like, and therefore any decent file format potentially poses a threat. Additionally, the mixture of data and code in a file format, like JavaScript in HTML or macros in Office documents, results in an explosive combination. Users are often not aware of this and can be tricked into viewing a file which leads to execution of embedded code. Another threat is posed by all file formats which allow other files to be embedded. Typical examples of course are ZIP archives and ISO images, but files can also be embedded in Word documents. This shows that virus scanners and content filters are only as good as their capability to decode different file formats.
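As an added illustration of the last point (example code written for this page, not taken from the report or from any of the products mentioned), here is a minimal filter check that decodes only one container level beside one that decodes nested ZIPs with depth and size limits. The sample archive, the blocked suffixes and the `MZ` marker are constructed for the example.

```python
import io
import zipfile

BLOCKED_SUFFIXES = (".exe", ".scr", ".vbs")  # what the filter is meant to stop
PE_MAGIC = b"MZ"            # DOS/PE header, stand-in for "executable content"
MAX_DEPTH = 4               # stop on deeply nested archives instead of hanging
MAX_MEMBER_SIZE = 1 << 20   # refuse to inflate members larger than 1 MiB

def build_nested_sample() -> bytes:
    """Constructed sample: an outer ZIP holding a harmless text file and an
    inner ZIP that carries a double-extension executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("report.pdf.exe", PE_MAGIC + b"\x90" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("notes.txt", b"quarterly numbers attached")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()

def is_suspicious(name: str, content: bytes) -> bool:
    return name.lower().endswith(BLOCKED_SUFFIXES) or content.startswith(PE_MAGIC)

def flat_scan(data: bytes) -> list[str]:
    """Decodes one container level only; a nested archive is passed through."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [i.filename for i in z.infolist() if is_suspicious(i.filename, z.read(i))]

def recursive_scan(data: bytes, path: str = "", depth: int = 0) -> list[str]:
    """Decodes containers inside containers and fails closed on archive bombs."""
    if depth > MAX_DEPTH:
        return [f"{path} (nesting too deep, blocked)"]
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            member = f"{path}/{info.filename}"
            if info.file_size > MAX_MEMBER_SIZE:
                hits.append(f"{member} (oversized, blocked)")
                continue
            content = z.read(info)
            if is_suspicious(info.filename, content):
                hits.append(member)
            if zipfile.is_zipfile(io.BytesIO(content)):
                hits.extend(recursive_scan(content, member, depth + 1))
    return hits

if __name__ == "__main__":
    sample = build_nested_sample()
    print("flat:     ", flat_scan(sample))       # []
    print("recursive:", recursive_scan(sample))  # ['/attachments.zip/report.pdf.exe']
```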

Although the analysis is a bit outdated, it is still a good read. It shows that vulnerabilities experienced nowadays (2006) with Internet Explorer and Office document formats had already been anticipated in 2002. The German report can be downloaded here.