Raffy, Christoph and I put together our heads and in lightning speed we wrote up an article about DAVIX. The article gives an introduction to the information visualization process, the DAVIX toolset and features a sample analysis of checking network policy compliance using network flows captured with Argus and visualized with AfterGlow.

The special edition due to be released on October 16 comes with a multi-boot DVD with several live CDs. Apart from DAVIX there will be Avira Rescue, BackTrack 3, Damn Vulnerable Linux (DVL) and (R)ecovery (I)s (P)ossible on the disk. In particular DVL is a very interesting piece. It is a Linux distro containing as many vulnerable software packages as possible. If you are looking for a playground to train your skills or a simple way to get an environment for teaching security classes, this is it!

I very much anticipated Greg Conti’s and Erik Dean’s talk on binary visualization (PPT Slides). Their newest tools DanglyBytes allows for interactive analysis of binary data in multiple views. The different views decode data in multiple ways. There is a view that just prints the bit stream in a window while another decodes a series of bytes as RGB value. Their demo of a Windows error dump was a revelation: Using a slider on one of the views they could adjust the column width of the view. While moving the slider Google and Wikipedia images began to appear out of the noise. I am looking forward to play around with it myself.

Another interesting discovery at the Blackhat vendor area was the company Lookingglass with their software as a service (SaaS) called ScoutVision. They have built an infrastructure that stores Internet meta information in a database and provides its customers a client software to access and visualize this information remotely. For well paying customers they offer a service where clients can tie in their own IT data.

While preparing for the DAVIX Visualization Workshop in the CTF lounge, I saw a dude visualizing network traffic in Processing. I approached him and we started chatting about visualization. Interestingly he did neither know about secviz.org nor DAVIX. Over the course of DEFCON I found out that many people are toying around with visualization as well but there is no interaction between these people. This is definitively a thing that we should be working on over the upcoming months. I hope that DAVIX will help to contract people interested in security visualization.

On Sunday our DAVIX Visualization Workshop was on (Slides). During our introductory talk on DAVIX there were about 120 attendees. We were very surprised to see such an interest although many DEFCON participants have already gone home and it was during the last three hours of DEFCON. So there is definitively potential for future activities.

Additionally, Raffael Marty’s book Applied Security Visualization is now available in print. DAVIX was built with this particular book in mind. If you are looking for a methodology and not just a workable tool set, then the book is what you are looking for. The book covers all steps from the very basics to complete case studies and contains many hands-on examples. Therefore, the book together with DAVIX 1.0.1 is the perfect match for getting you started with security visualization. For a preview of the book’s content check out the rough cuts version.

All those eager to get their hands dirty immediately can find a description as well as the download links for the DAVIX ISO image on the DAVIX homepage. I wish you happy visualizing!

While playing around with visualization I found that there are lots of tools on the net but getting them to run can cause quite some headaches. So I thought that it would be cool to have an environment where all those tools are available ready to use. As time went by, the idea of a Linux live CD system materialized in my mind. Between Christmas and New Year, while watching 24C3 live streams in the background, I started playing around with SLAX, a modularized Slackware based live CD system. I found it very useful to my purpose and decided to start with it as base for the visualization live CD.

Since I knew that Raffael Marty was writing his book Applied Security Visualization, I contacted him in January 2008 and told him about my project and asked which tools should be included on the CD. Raffy was hooked by the idea from the get go and he asked me bluntly if I would do the CD for his book. Of course I agreed immediately. To get jump started with adding visualization tools, Raffy provided me with the chapter 9 of his books, which contains a list of visualization tools and instructions on how to get them running. At around the same time I got selected into the technical review board for Raffy’s book and I alternately reviewed chapters from Raffy’s awesome book and built the CD.

Since the live CD project was nameless at the time, I thought about an appropriate name for it. After toying with a couple of ideas I came up with the name DAVIX as a short form of Data Analysis and Visualization Linux®. I also liked the reference to the biblical figure David who fought against the giant Goliath. In terms of our project it means that with the “small” live system DAVIX you fight the gigantic heaps of log files and network captures.

DAVIX currently integrates about 180 software packages that contribute to about 40 high level tools for capturing, processing and visualizing data. The project is now in its final rounds of building and testing and will officially release during Greg Conti’s Blackhat and DEFCON talks. For all of you who want first hand experience with DAVIX, Raffy and I invite you to our DAVIX Visualization Workshop at DEFCON 16. The session will be held on Sunday, August 10th 2008 at 2 PM to 4 PM.

See you in Las Vegas!

On entering the building, everybody got an airport quality security check with x-ray and metal detector and we were asked to shutdown our mobile phones. Then I enjoyed the tour through this magnificent building with stops at the House of Commons and the Senate as well as the newly renovated library.

When the tour came to an end, the guide announced further points of interest. As one of her final sentences she said that stuff, which got confiscated during the security check, can be collect at the desk right next to the exit of the building. I found that pretty wired. What could that be? A magnum, a rifle, a bomb, a lighter, matches? Then I let my thoughts pass…

When I moved towards the exit I observed a young guy with dreadlocks and his girl friend in the process of collecting their confiscated goods: A secateurs and a handsaw!

So what kind of implications or additional benefits has Blog-Tagging? It is a way to increase your Google PageRank, which is obviously a good thing if you want to grow your audience. Since you most likely refer back to the blog which has Blog-Tagged you the original blog gets an additional backlink. When all your “victims” will do the same with your blog, you get an additional five backlinks. Since not everybody knows about Blog-Tagging, additional backlinks to explaining blogs or sites will occur.

Not being a killjoy, I will now give my five “confessions” :

• I wrote my first computer program when I was about 10 years old. At that time my father has bought a Commodore C64 and has taught himself BASIC. I sort of trailed the path and slipped naturally into computer technology. My first program was a series of block character graphics which told a little story about Alex the duck.
• You might remember those little albums in primary school days where you drew nice pictures and wrote rhymes and poems to your best friend’s album? There have been some in questionnaire style: “What is your dream job?” Well, my answers were: Computer Specialist or Astronaut.
• In 1992, when I still was an electronics technician apprentice, I got interested in Linux. A coworker showed me a report in the c’t magazine about this new operating system. I was hooked right away since I thought Windows sucks and playing on the company’s Ultrix and Solaris workstation was more geeky. Since there were no commercial Linux distros available at the time, we ordered QIC tapes from the operator of the Swiss academic network (SWITCH) with a copy of the Slackware Linux FTP mirror. We then copied the disk images to about forty 5 ¼ inch floppy disks and played disk jockey all night.
• I have been a radio amateur since 1993 and my call sign is HB9KOP. I was very active on packet radio and participated in building the local packet radio station HB9CC. Internet technology fascinated me at the time and I wanted to toy with it. Since Internet was too expensive in those days, the only way to do so was using TCP/IP over packet radio. That is how I got to know the Internet basics.
• I am a science fiction fan. My most favorite TV series are Babylon 5, Taken and The 4400. Currently my most favorite science fiction author is Michael Cordy. He wrote several page-turner thriller novels with biotechnology as the core theme. In his books he tries to envision the course of the world when mankind has reached a sufficient level in playing the genes for better and for worse. In my opinion his best books are Crime Zero and The Miracale Strain.

I will now nominate the next round of Blog-Tag “victims” – Drum roll - The winners are:

• Eric Ernst,
• Michael Steil,
• Sebastian Wolfgarten,
• Jeremiah Grossman,
• Michal Osmenda.

As we can see from the above screenshot the user can permanently enable access for a particular third party application. This prevents the warning dialog to be shown in future. If a user has accidentally permitted access or wants to know which applications have access to the Skype API, he or she can find a link called “Manage other programs’ access to Skype” in the section Privacy of the Skype Options dialog.

There he or she can view or modify the permissions for each individual third party application.

According to Bill Campbell’s article “Simple corporate security tip: disable Skype API and File Transfer“ there is a way to disable the Skype API using registry settings. The following registry key is officially documented in the Skype knowledgebase article 632. The policy prevents that any third party application can attach to the Skype API.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone]
“DisableApi”=dword:00000001

In- and outbound file transfers can also be disabled by a registry setting. This is documented in the Skype knowledgebase article 631:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone]
“DisableFileTransfer”=dword:00000001

After applying the file transfer policy, an error dialog is shown to the user when he or she wants to send a file from a protected client:

When sending a file to a policy protected Skype client the file transfer immediately aborts and the following error is shown:

I have verified both registry settings and they both work. In a corporate environment this allows administrators to lockdown Skype. But it requires that the user does not have administrative privileges. Otherwise the Trojan can remove these entries again. Administrators must further ensure that the registry ACL does not permit users to modify these registry keys.

As a preemptive measure I suggest that companies, who do not have Skype deployed, should also deploy the above registry settings to their workstations using Windows Group Policies. This prevents the two most dangerous use cases where employees place the Skype executable onto their system without permission. It should be noted that Skype does not require any special privileges to run. Being an ordinary user is just enough.

During the review of the Java API source code I discovered two vulnerabilities which cause the internal state of java.util.Random to be partially exposed or easy guessable. The paper Ruining Security with java.util.Random demonstrates two techniques how security mechanisms based on java.util.Random can be attacked and under certain conditions can be broken within seconds. Using these weaknesses an attacker can synchronize into the stream of random numbers and therefore calculate all future random numbers. For security relevant code java.util.Random should never be used. At least the Java class java.security.SecureRandom with the default constructor should be utilized. This provides much better security.

If you know about other vulnerabilities in the design of java.util.Random or you know about vulnerabilities in java.security.SecureRandom I would be happy to hear about it.

The biggest topics this year at Black Hat were VoIP security, Windows Vista security and all flavors of phishing attacks (Phishing, Vishing, SMiShing). As users grow aware of e-mail based phishing they are likely to fall victim to phishing originating from other communication channels. Although web application security has been top agenda for IT security professionals for years, the situation does not seem to improve but rather worsens: Cross-Site Scripting based worms and Intranet attacks are the new kids on the block. With the large adoption of the AJAX concept new opportunities for attacks will arise. Interesting are the new advances in attacking WLANs and Bluetooth devices. At the DEFCON talks reverse engineering and privacy issues were the main topics. Of course the fun factor with all the contests (CTF, warwalking, lock picking, beverage cooling) has its own charm.

Walter and I have put together a document with the latest IT security trends (5.2 MB) we have picked up at the conferences. Some pictures have been added to give you an impression of both events. See the Black Hat USA 2006 and the DEFCON 14 proceedings for further details.

One of these permitted binaries is often java.exe. Now the problem arises that once Java is enabled any Java application can be executed on the system. This allows a malicious user to execute arbitrary Java code, like replacement shells (JSH), RDP clients (Propero Java RDP) and network port scanners. I could block java.exe but business requires that the company’s Java application must still work. This lead me into this research on how to white list Java applications in a restricted Windows environment.

First of all Java has a mechanism called Java 2 Security which allows implementing policies based on code location or digital signatures. These policies are configured through the files java.policy and java.security. When java.exe gets executed these policies are not enforced by default. To enforce the restrictions the Java system property java.security.manager must included at the startup command line:

java.exe -Djava.security.manager MyCode

This property causes Java’s Security Manager to be installed and the policy to be enforced. So far so good. But how can I pass this parameter without having it to be specified on the command line? Well Java offers the environment variable _JAVA_OPTIONS. So I thought I place the parameter into a Windows system environment variable:

_JAVA_OPTIONS=-Djava.security.manager=

Testing revealed that java.exe can be executed with the Security Manager enabled without passing the parameter on the command line directly. Further testing revealed that when I start a cmd.exe as a low-privileged user I can overwrite this system environment variable and I can bypass the Java Security Manager using following command:

set _JAVA_OPTIONS=

I tried the same from within a Microsoft Word macro. The effect is the same. According to my research and feedback from Microsoft the system environment variables can always be overwritten within the process for the local process. In the paper Software Restriction Policies in Windows XP on page 13 in Chapter Analysis of Path Rule John Lambert writes:

Environment variables are not secure, and any user who can load a command prompt can temporarily redefine them.

So this melts down to my question: Is there a way to tell java.exe to always use the Java Security Manager without the possibility of manipulation by the user?

I would be very interested to learn your ideas. For those of you who want to play yourself I provide a ZIP archive with the files I used for testing. Please send your comments by mail to: jan.monsch ät iplosion.com. I will then write-up a post with the discussion results