Archive for the 'Talks' Category

Blackhat/DEFCON Visualization Retrospective

Monday, September 22nd, 2008

Las Vegas - Encore, Wynn & Palazzo Towers

From a data mining and visualization perspective the conferences in Las Vegas offered a couple of highlights for me. First of all, Raffy’s book Applied Security Visualization was finally launched and I had the first chance to see and hold the book, with the DAVIX CD, in my own hands at the bookseller booth. After many hours of reviewing the book and building the live CD over the last eight months, it was a great relief that it was finally done.

I very much anticipated Greg Conti’s and Erik Dean’s talk on binary visualization (PPT Slides). Their newest tool DanglyBytes allows for interactive analysis of binary data in multiple views. The different views decode the data in multiple ways: one view just prints the bit stream in a window while another decodes a series of bytes as RGB values. Their demo of a Windows error dump was a revelation: using a slider on one of the views they could adjust the column width of the view, and while moving the slider Google and Wikipedia images began to appear out of the noise. I am looking forward to playing around with it myself.
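The effect behind that slider is easy to reproduce: a raw byte dump laid out as RGB pixels only looks like an image once the column width matches the stride of the embedded picture. The following added example (mine, not code from the talk or from DanglyBytes) lays a buffer out at a given width and sweeps the width to find the most image-like one, using a constructed dump with a small gradient buried in filler bytes.

```python
import random


def reshape_rgb(data: bytes, width: int) -> list:
    """Lay the byte stream out as rows of `width` RGB pixels (3 bytes per pixel),
    dropping the incomplete trailing row, like a raw-dump image view does."""
    stride = width * 3
    rows = []
    for off in range(0, len(data) - stride + 1, stride):
        row = data[off:off + stride]
        rows.append([tuple(row[i:i + 3]) for i in range(0, stride, 3)])
    return rows


def row_difference(data: bytes, width: int) -> float:
    """Mean absolute difference between each byte and the byte directly below it
    at this column width. Image data at its true width scores low because
    neighbouring rows resemble each other; noise, or a wrong width, scores high."""
    stride = width * 3
    pairs = len(data) - stride
    if pairs <= 0:
        return float("inf")
    return sum(abs(data[i] - data[i + stride]) for i in range(pairs)) / pairs


def best_width(data: bytes, widths: range) -> int:
    """Sweep the column width like the slider and return the most image-like one."""
    return min(widths, key=lambda w: row_difference(data, w))


def make_sample() -> bytes:
    """Constructed dump (not real crash-dump data): a 16x12 RGB gradient buried
    between two runs of pseudo-random filler bytes."""
    rng = random.Random(1)

    def filler(n: int) -> bytes:
        return bytes(rng.randrange(256) for _ in range(n))

    image = bytes(c for y in range(12) for x in range(16) for c in (x * 16, y * 20, 128))
    return filler(48) + image + filler(48)


SAMPLE = make_sample()

if __name__ == "__main__":
    w = best_width(SAMPLE, range(4, 33))
    print(f"most image-like column width: {w} pixels")        # 16
    print(f"rows at that width: {len(reshape_rgb(SAMPLE, w))}")  # 14
```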

Another interesting discovery in the Blackhat vendor area was the company Lookingglass with their software as a service (SaaS) called ScoutVision. They have built an infrastructure that stores Internet meta information in a database and provides its customers with client software to access and visualize this information remotely. For well-paying customers they offer a service where clients can tie in their own IT data.

Main Entrance Caesars Palace

While preparing for the DAVIX Visualization Workshop in the CTF lounge, I saw a dude visualizing network traffic in Processing. I approached him and we started chatting about visualization. Interestingly, he knew about neither secviz.org nor DAVIX. Over the course of DEFCON I found out that many people are toying around with visualization as well, but there is no interaction between these people. This is definitely something we should be working on over the upcoming months. I hope that DAVIX will help to connect people interested in security visualization.

On Sunday our DAVIX Visualization Workshop was on (Slides). During our introductory talk on DAVIX there were about 120 attendees. We were very surprised to see such interest, although many DEFCON participants had already gone home and it was during the last three hours of DEFCON. So there is definitely potential for future activities.

DAVIX - A Look Behind the Scene

Saturday, July 19th, 2008

DAVIX Logo

Although it has been very quiet on this blog for quite a while, lots of activities in the background have been keeping me busy. During the last six months I have been working on my new pet project DAVIX, which relates to my interest in security data mining and visualization. But let me start at the beginning.

While playing around with visualization I found that there are lots of tools on the net, but getting them to run can cause quite some headaches. So I thought that it would be cool to have an environment where all those tools are available ready to use. As time went by, the idea of a Linux live CD system materialized in my mind. Between Christmas and New Year, while watching 24C3 live streams in the background, I started playing around with SLAX, a modularized Slackware-based live CD system. I found it very useful for my purpose and decided to use it as the base for the visualization live CD.

Since I knew that Raffael Marty was writing his book Applied Security Visualization, I contacted him in January 2008, told him about my project and asked which tools should be included on the CD. Raffy was hooked by the idea from the get-go and asked me bluntly if I would do the CD for his book. Of course I agreed immediately. To get a jump start on adding visualization tools, Raffy provided me with chapter 9 of his book, which contains a list of visualization tools and instructions on how to get them running. At around the same time I was selected for the technical review board for Raffy’s book, and I alternately reviewed chapters from Raffy’s awesome book and built the CD.

Since the live CD project was nameless at the time, I thought about an appropriate name for it. After toying with a couple of ideas I came up with the name DAVIX as a short form of Data Analysis and Visualization Linux®. I also liked the reference to the biblical figure David who fought against the giant Goliath. In terms of our project it means that with the “small” live system DAVIX you fight the gigantic heaps of log files and network captures.

Las Vegas Skyline

DAVIX currently integrates about 180 software packages that contribute to about 40 high-level tools for capturing, processing and visualizing data. The project is now in its final rounds of building and testing and will be officially released during Greg Conti’s Blackhat and DEFCON talks. For all of you who want first-hand experience with DAVIX, Raffy and I invite you to our DAVIX Visualization Workshop at DEFCON 16. The session will be held on Sunday, August 10th 2008 from 2 PM to 4 PM.

See you in Las Vegas!

Compass Security Event 2006 - Internet Explorer Fuzzing and Microsoft Incident Handling

Thursday, October 26th, 2006

In January 2006, using fuzzing techniques, I discovered the HTML Parsing Vulnerability CVE-2006-1185 in Internet Explorer versions 5.01 to 6.0 SP2. I reported this bug to Microsoft through responsible disclosure, which in turn led to one of the fixes in April’s super Tuesday Internet Explorer cumulative patch MS06-013. But how did I get there?

The whole thing got started in December 2005 with a presentation Ilja van Sprundel held at the 22C3 in Berlin. Since I was working on a new course on content security, I thought I would give it a try and play around with fuzzing. I took Michal Zalewski’s mangleme fuzzer, which had already been used to identify the IFRAME vulnerability CVE-2004-1050, and modified it to cover all HTML tags supported by Internet Explorer.

Within a quarter of an hour I had my first reproducible sample which crashed Internet Explorer. Within the next couple of hours I found additional reproducible crashes. So what was I going to do? Test Microsoft’s incident handling. I took all the samples and sent them to secure@microsoft.com. After 2 weeks Microsoft confirmed that one of the repros was indeed doing more than crashing the browser. So I had found my first zero-day vulnerability in a bulk product.

At Compass Security Event 2006 I held a talk on how I fuzzed the bug out of Internet Explorer and how Microsoft responded to my report. Included was an introduction to fuzzing and a timeline of events from discovery until now. The slides can be found here.

Compass Security Event 2005 - Terminal Server Application Break-Out

Thursday, November 3rd, 2005

Citrix MetaFrame and Terminal Server technology is often used as a component in protecting critical applications. Its main feature is its capability for protocol conversion, which allows access to an application by means of keyboard input and screen output only.

One application of these technologies is their use in graphical firewalls for safely surfing the internet without the risk of infecting the user’s computer with malware. Another is to implement extranet access for employees and business partners. In all these scenarios the users are not granted full desktop access and can use particular applications only. But the restrictions are often implemented poorly and allow a malicious user to easily escape the context of the application and gain desktop access or, ultimately, intranet access.

At the Compass Security Event in 2005 I demonstrated how a malicious user can escape the context of the application using standard Windows shortcuts, and how Office macro and copy-paste functionality can be used to transfer arbitrary malicious software onto, and binary data out of, the terminal server. As a bonus I demonstrated the QRCode FTP utility I wrote for my diploma thesis, which allows transferring files out of the terminal server by means of animated 2D matrix codes. For more details see the slides, which are available in German or English. A demonstration video of QRCode FTP is available for download as well (15 MB).

Swiss Infosec Event 2005 - Forensic in e-Business Applications

Friday, October 28th, 2005

Forensic analysis in e-business applications is not a trivial task, since it requires good preparation. At the Swiss Infosec Event in 2005 I held a high-level talk on this topic. On the basis of three real-life cases (web site defacement, phishing and insufficient log content) I showed what can go wrong when web site owners are not prepared for an incident. The presentation leads to the conclusion that there should be centralized logging, unique identifiers to correlate log files across application tiers, and sufficiently verbose log content to accomplish meaningful forensic results. The German version of the slides can be downloaded here.
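To make the last two conclusions concrete, here is an added example (mine, not material from the talk) that correlates a constructed three-tier log excerpt by a per-request identifier and reports which tiers logged nothing under a given id. The log format, the field name rid= and the sample lines are assumptions for the example; the final db line deliberately lacks the identifier to show what insufficient log content looks like to an investigator.

```python
import re
from collections import defaultdict

# Constructed three-tier log excerpt (not from any real incident). Every tier is
# supposed to stamp the request identifier rid=<id> on each line; the last db line
# does not, which is the "insufficient log content" case from the talk.
LOG_LINES = """\
2005-10-28T09:15:02Z web rid=a1f3 GET /login 200 src=198.51.100.7
2005-10-28T09:15:02Z app rid=a1f3 login user=alice result=ok
2005-10-28T09:15:03Z db  rid=a1f3 SELECT users WHERE name=alice
2005-10-28T09:15:09Z web rid=b7c0 POST /admin/page 200 src=203.0.113.9
2005-10-28T09:15:09Z app rid=b7c0 update page id=12 user=bob
2005-10-28T09:15:10Z db  UPDATE pages SET body=? WHERE id=12
""".splitlines()

# timestamp, tier, optional rid=<id>, free-text message
LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(?:rid=(\w+)\s+)?(.*)$")
TIERS = ("web", "app", "db")


def correlate(lines):
    """Group log lines by request id. Lines without an id land under None:
    they cannot be tied to any request during an investigation."""
    by_rid = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, tier, rid, msg = m.groups()
        by_rid[rid].append((ts, tier, msg))
    for entries in by_rid.values():
        # sort by timestamp only; same-second lines keep their original order
        entries.sort(key=lambda e: e[0])
    return by_rid


def missing_tiers(by_rid, rid, tiers=TIERS):
    """Tiers that logged nothing under this id: the gap an investigator runs into."""
    seen = {tier for _, tier, _ in by_rid.get(rid, [])}
    return set(tiers) - seen


if __name__ == "__main__":
    by_rid = correlate(LOG_LINES)
    for rid, entries in by_rid.items():
        if rid is None:
            continue
        print(rid, "missing tiers:", sorted(missing_tiers(by_rid, rid)) or "none")
        for ts, tier, msg in entries:
            print("   ", ts, tier, msg)
    print("lines that cannot be correlated:", len(by_rid[None]))
```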


Diploma Thesis - Content and Mobile Security Lab

Thursday, June 2nd, 2005

In 2005 I successfully completed the post-graduate diploma in Information Security at the Lucerne University of Applied Sciences. For my diploma thesis I developed a course concept for a Content and Mobile Security Lab for my employer Compass Security Network Computing AG. Apart from writing a concept paper, I implemented parts of the course during the diploma thesis. At the closing date we had to hold a 20 minute presentation on the thesis in front of a public audience and our lecturers. The German version of the slides can be found here.

The three-day course critically examines modern perimeter protection and the threats to it from mobile technologies and current malware. On the first day we will be discussing USB, Bluetooth and wireless LAN as well as VPN vulnerabilities and attacks. The first part of the second day goes into malware and commercial software (GoToMyPC and Skype) which exhibits malware-like behavior in terms of bypassing firewalls and inside-out tunneling. Deployment and hiding techniques of modern malware are discussed. In the second part of the second day we talk about how good current perimeter security solutions like virus scanners and content filters really are. We will show how security could be improved by implementing a zone concept in the form of a graphical firewall. The third day deals with Citrix and Terminal Server security in B2B and for-your-eyes-only applications.

The course is now offered to the public through the ISACA Switzerland Chapter. Detailed German as well as English flyers are available for download for those of you who are interested in participating.