Oct 2007

Hack.lu 2007: How Can Defense-in-depth Unleash Hell

A friend sent me the following URL which illustrates an "old" trick for bypassing AV detection:
http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/

This reminds me that I wanted to give you a small account of The Death Of Defense In Depth? Revisiting AV Software, an excellent presentation given by Thierry Zoller and Sergio Alvarez during the hack.lu 2007 security conference, which I attended. Note that I'll be giving a full account of the conference during the SUR group meeting next December. The account will be co-presented by my colleague and friend Jérôme Léonard a.k.a. Mitch. I'll put the slides online after the meeting.

Thierry and Sergio demonstrated how badly the Defense-in-depth principle is implemented by AV software. Generally, you tend to multiply AV software between the Wild Wild Internet and your desktop: one AV on the mail gateway, another one on the mailbox server, yet another one on the desktop, etc. Well, you get the "depth" part of the defense. However, Thierry and Sergio argued that this significantly increases your exposure to vulnerabilities, because AV software is not developed following secure development guidelines and its attack surface is huge (think of how many file formats it needs to parse). They showed how, by exploiting a parsing bug, they could bypass a tremendous number of different AV products.

Another simple example showed how adding a string to a PE file ("Hello Luxembourg" in this case) bypasses the AV. In yet another example, Thierry simply changed the contents of the version field of a ZIP archive, and this confused a truckload of AV products. Meanwhile, WinZip could still open the archive without breaking a sweat.

According to the speakers, one of the main problems with AV software is that it tends to consider whatever it cannot parse as safe. That is a rather weird implementation of the Defense-in-depth principle. To their knowledge, only Kaspersky blocks what it cannot parse successfully.
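The speakers' point, that a scanner should block what it cannot parse instead of treating it as safe, can be made concrete with a small fail-closed ZIP header checker. This is an added example, not code from the talk or from any AV product; the version cut-off, the member name and the archive itself are constructed for the test, and Python's zipfile module stands in for WinZip as the lenient parser:

```python
import io, struct, zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
MAX_KNOWN_VERSION, KNOWN_METHODS = 63, {0, 8}  # cut-offs this checker understands (assumed)

class Unparseable(Exception): pass  # anything not fully understood: fail closed, never pass the file

def require(cond: bool, msg: str) -> None:
    if not cond:
        raise Unparseable(msg)

def strict_zip_check(data: bytes) -> list:
    """Walk the central directory and each local header; return member names or raise."""
    eocd = data.rfind(EOCD_SIG)
    require(eocd >= 0, "no end-of-central-directory record")
    disk, cd_disk, here, total, _, cd_off, clen = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    require(not (disk or cd_disk) and here == total and eocd + 22 + clen == len(data), "multi-disk, bad counts or trailing data")
    names, pos = [], cd_off
    for _ in range(total):
        require(data[pos:pos + 4] == CENTRAL_SIG, "bad central directory signature")
        _, ver, flags, method, _, _, _, _, _, nlen, elen, ncom, _, _, _, lh = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen]
        require(ver <= MAX_KNOWN_VERSION and method in KNOWN_METHODS and not flags & 0x1, f"{name!r}: unsupported version, method or encryption")
        l_ver, _, l_method, _, _, _, _, _, l_nlen, _ = struct.unpack_from("<HHHHHIIIHH", data, lh + 4)
        require(data[lh:lh + 4] == LOCAL_SIG and (l_ver, l_method, data[lh + 30:lh + 30 + l_nlen]) == (ver, method, name),
                f"{name!r}: local header disagrees with central directory")
        names.append(name.decode("utf-8" if flags & 0x800 else "cp437"))
        pos += 46 + nlen + elen + ncom
    return names

def samples() -> tuple:
    """Constructed test input (not from the talk): a clean one-member archive and a copy whose local header
    'version needed to extract' field (offset 4) is overwritten, as in Thierry's example; the central directory is untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", "Hello Luxembourg\n" * 8)
    clean = buf.getvalue()
    tampered = bytearray(clean)
    struct.pack_into("<H", tampered, 4, 0xFFFF)
    return clean, bytes(tampered)

def verdicts(data: bytes) -> tuple:
    """(lenient_opens, strict_accepts): Python's zipfile, like WinZip in the talk, ignores that
    field and extracts happily; the strict checker refuses what it does not fully understand."""
    lenient = zipfile.ZipFile(io.BytesIO(data)).read("hello.txt").startswith(b"Hello Luxembourg")
    try:
        strict = strict_zip_check(data) == ["hello.txt"]
    except Unparseable:
        strict = False
    return lenient, strict
```

The clean archive passes both parsers; the copy with the altered version field still opens in the lenient one but is refused by the strict one, which is the behaviour the speakers credited only Kaspersky with.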

As a result, Thierry discovered more than 800 ways of bypassing AV! And Sergio discovered 80 vulnerabilities, of which only 30 have been patched. At times, Sergio saw a vulnerability patched silently, without being given due credit for reporting it first...

They also showed some funny responses they got from AV vendors to their vulnerability reports. In one case, Thierry sent a malicious RAR archive that bypasses Symantec AV. Symantec responded by saying that the archive was not properly constructed... If only they had opened it with WinRAR instead of their own parsing engine, they would have realized the problem!

Last but not least, Sergio showed a 0-day in eTrust exploiting a heap overflow. The same exploit worked on Windows XP, 2003 and ASLR-enabled Vista (according to Wikipedia, Windows Vista has ASLR enabled by default, but only for executables specifically linked to be ASLR-enabled, so maybe eTrust is not linked that way)!

Thierry and Sergio nicely summed up their presentation by saying that "the more you protect yourself, the more you are vulnerable". Give some alternative thinking to this.

Paris Restaurants: La Tour De Montlhéry - Chez Denise

La Tour de Montlhéry - Chez Denise is one of the best traditional French cuisine restaurants I know of. Located in Les Halles, they serve gorgeous and generous meals day and night, almost non-stop (they are open until 5:00 AM!). When you enter the restaurant, you feel like you are traveling back to a time when tables were big and shared among guests. The decoration dates back some decades, but this only adds more charm to the place. The waiters are seasoned professionals with a good dose of humor. Founded by Denise some thirty years ago, it holds the flame of Les Halles' old spirit pretty high. The meals are pricey if you are on a budget, though. Expect to pay around 24 EUR for the main course. But if you put meal quality high up, the food is absolutely worth it.



I usually go there once or twice a month. Maybe we'll meet there one day ;-)

AFAIK they are closed on weekends, but don't take my word for it, better double-check:
La Tour de Montlhéry - Chez Denise
5, rue des Prouvaires 75001 Paris
+33 1 42 36 21 82

Security Trade-offs By Example: When CAPTCHAs Drive Your Users Nuts!

I.T. security is all about trade-offs. And sound trade-offs mean you have a good balance between your security strategy and your business posture. Making sound trade-offs means that you have an idea of the threats and risks (at least the perceived ones) you are facing. Betabug pointed me to a wonderful collection of crazy CAPTCHAs. Some of those have very questionable content, but most are either unreadable even with a truckload of good will or require lots of mind wrestling to get right. What are the goals of the designers? Prevent SPAM or account abuse while completely disgusting their users? Sure! No users, no SPAM/abuse. If I were an attacker, why the hell would I want to 0wn your assets without a good motivation? If you turn off your users, there's a good chance you turn me off too! What's the trade-off? Turning something that was designed to distinguish between humans and computers into something that puts everyone in the same bag: the excluded one.

Just one more example of bad security...

Reggae Song Review: Fire Go Come by Corey Harris [5/5]

[Reggae] Fire Go Come by Corey Harris
From the album Zion Crossroads.
Fire Go Come is a wonderful Roots Reggae tune. I've known Corey Harris as a very interesting Bluesman, and I was very pleased when I listened to Zion Crossroads, a pure Reggae record respecting all the "standards" of this genre. There are many very good Roots Reggae songs such as Sweatshop, Afrique (Chez Moi), Cleanliness and Plantation Town (which has a very interesting Bluesy tone). Corey Harris also ventures into Dancehall (You Never Know, Heathen Rage) with great success. But Fire Go Come has just the right mix of politically engaged lyrics, riddim, and outstanding vocals that carry the emotion you can feel through the lyrics. There is also a brilliant guitar riff thrown in the middle. Fire Go Come Real Soon! It sure is 'mon!

Meta information:
  • Rating: 5/5
  • Label: Telarc
  • Release year: 2007
  • Related Artists: Tiken Jah Fakoly, Bob Marley, Winston McAnuff, Sylford Walker

Hip-Hop Song Review: Say Something by Talib Kweli [5/5]

[Hip-Hop] Say Something by Talib Kweli (Explicit Lyrics)
From the album Eardrum.
If you have been following my Music posts for some time, you know that I have eclectic musical tastes. And I listen quite often to Hip-Hop Music. Thanks (again!) to my brother Aziz, I became a fan of this genre back in the late 80s when Aziz came home (he was already in the U.S. at that time) for a visit and brought with him a truckload of CDs (a rarity then in Morocco) and tapes. Run DMC, KRS-One, and Eazy E were among my favorites. I enjoy a handful of Gangsta style records such as 50 Cent's Guess Who's Back?, Snoop Doggy Dogg's Doggystyle, and Public Enemy albums (which I don't really define as Gangsta). But there's nothing better IMHO than old-school Hip-Hop. And Say Something is one of the best old-school Hip-Hop songs I've listened to lately. Talib Kweli has a very nice voice and an awesome flow. And the rhythm is simply incredible. It pushes the adrenaline quite high and makes you want to start dancing without ever feeling it. This is exactly what happened to me the first time I listened to it. It was about 6 days ago. I was having dinner with my elder daughter and all of a sudden, I jumped out of my chair and started dancing. It brought back long-forgotten memories of the time I used to practice Break-dancing with some neighbours down the street in Casablanca. Cheerful, my daughter also got out of her chair and started mimicking my rather bad dance moves ;-)

Anyways, if you like old-school Hip-Hop and solid artistic skills, Talib Kweli iz da man!

Meta information:
  • Rating: 5/5
  • Label: Blacksmith Records
  • Release year: 2007
  • Related Artists: Common, MF Doom, Hi-Tek


Alternative Thinking

Reading John And John #619 (warning, very crude/explicit content... you've been warned) reminded me of one of the key skills that hackers have and which is very important for security practitioners to acquire, or at least fully understand. It's their ability to think "out of the box". What I call "Alternative Thinking" or, as the Perl motto goes, there's more than one way to do it. John And John #619 is a perfect illustration of this skill. One of the Johns has simply found a new (disgusting but very effective) way of checking whether a seemingly dead person is really dead or not. No "normal", "socially behaving" person would think of or do something like that. But it works! And this is what counts in the end.

When you are setting up your security architecture, what are you protecting against? Perceived (as opposed to real) risk? Known (as opposed to unknown) threats? Or are you just throwing together a bunch of security products (remember that security is a process, right?) according to some "best" practices and hoping for the best? I don't believe that you can efficiently defend something that you don't fully understand. Without a complete understanding of the e-commerce application that the developers throw into your hands for protection, you won't be able to practice "Alternative Thinking" and come up with sound attack scenarios and misuse cases. And you won't make the right trade-offs for balancing security and business objectives.

Give this some "Alternative Thinking" time.