Thursday, August 4, 2011

Obscurity



SSHH!! Don't Tell anyone 
You just have to wait for low tide
Using secrecy of design or implementation to provide security: do people really still do this? Of course, why wouldn't they?

I recently looked at an application that allows users to edit and create documents in different formats.  This application runs on a mobile platform (a tablet computer).  The key feature that users liked was the password protection of created documents, which assured them that documents were secure from prying eyes.  I wondered how secure!

The application was installed on a clean, recently formatted device.  Next I created some documents inside the application and turned on the password protection feature.  Using command line tools on the device I generated a listing of all the files that were created or modified by the application at run-time.  The first thing that catches my eye is that a SQLite database was created.  The SQLite Manager plug-in for Firefox is a quick way to load databases and look at their contents.  Opening up this database we find one table with an entry called password.  Looking at this entry, the password listed is not the one I set, but it looks like a hashed version.  Counting the characters, the value is 128 bits long, so my first guess is that the program is using an MD5 hash.

I tried using an online hash calculator to determine what hash format was being used, but no luck.  I determined that it doesn't match any of the common hash formats.  Interesting.  I then thought maybe some type of salt is being used to provide extra protection.  If this is true, I should be able to set the same password on multiple documents and the salt value would cause the resulting hashes to differ.  After setting the same password on multiple documents, the resulting hashes listed in the database had the same value.  Another dead end.

The next clue came from a strings analysis of the application executable.  There were references to a "hash generator" header file.  This leads me to believe the author decided to write his own hash algorithm.  The OS for the platform provides APIs for generating hashes and also provides data protection capabilities for encrypting and password protecting files, so why would the programmer go to the lengths of developing his own?  I am still trying to find the answer to that question; my only explanation is security through obscurity, or maybe he is flexing his programming muscles.

In the end, does his program protect the files?  Of course not.  Even though I never determined the hash algorithm used, the simple solution was to open the SQLite database file and delete all the password entries.  The application checks the database before a user opens a file to determine whether it is password protected.  If there are no password entries in the database, the application requires no password to open any of the files.  It should be noted that if the programmer had used the hash/password/encryption APIs built into the OS, the document files would have been fully protected.
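To make the design flaw concrete, here is an added example in Python; it is not the application's code, which was never recovered. The weak half models what the post found: the document stays in clear and a password hash row in SQLite is the only gate, so emptying the table removes the check. The hardened half does what the post recommends in spirit: it derives a key from the password with PBKDF2 and a per-document salt and encrypts the document itself, so there is no separate gate to delete and a wrong password simply fails to decrypt (and, as the post's salt test expected, the same password on two documents gives two different files). The table and column names, document ids and passwords are made up; MD5 is used in the weak half only because that was the post's guess; the HMAC-based counter-mode keystream stands in for the platform's AES data-protection API and is used only to keep the example dependency-free.

```python
import hashlib
import hmac
import os
import sqlite3

# ---- Weak design, modelled on what the post found: the document stays in clear
# and a password hash row in SQLite is the only gate. MD5 because that was the
# post's guess; the exact algorithm does not matter for the flaw. ----

def weak_store_password(db, doc_id, password):
    db.execute("CREATE TABLE IF NOT EXISTS pw (doc TEXT PRIMARY KEY, hash TEXT)")
    db.execute("INSERT OR REPLACE INTO pw VALUES (?, ?)",
               (doc_id, hashlib.md5(password.encode()).hexdigest()))

def weak_can_open(db, doc_id, password):
    row = db.execute("SELECT hash FROM pw WHERE doc = ?", (doc_id,)).fetchone()
    if row is None:
        return True  # no entry means "not protected": this is the bypass
    return hmac.compare_digest(row[0], hashlib.md5(password.encode()).hexdigest())

def demo_weak():
    """Returns (correct password accepted, wrong password rejected,
    wrong password accepted once the pw table has been emptied)."""
    db = sqlite3.connect(":memory:")
    weak_store_password(db, "report.doc", "s3cret")      # constructed values
    before_ok = weak_can_open(db, "report.doc", "s3cret")
    before_bad = weak_can_open(db, "report.doc", "wrong")
    db.execute("DELETE FROM pw")                          # what the post did
    after_bad = weak_can_open(db, "report.doc", "wrong")
    return before_ok, before_bad, after_bad

# ---- Hardened design: derive a key from the password and encrypt the document
# itself, so there is nothing separate to delete. HMAC-SHA256 in counter mode is
# the keystream generator here only to avoid a third-party dependency; on a
# real device this is where the platform's AES data-protection API goes. ----

def derive_key(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def keystream(key, nbytes):
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, ctr.to_bytes(8, "big"), "sha256").digest()
        ctr += 1
    return out[:nbytes]

def subkeys(master):
    # separate keys for confidentiality and integrity
    return (hmac.new(master, b"enc", "sha256").digest(),
            hmac.new(master, b"mac", "sha256").digest())

def encrypt_document(password, plaintext):
    salt = os.urandom(16)                                  # fresh salt per document
    enc_key, mac_key = subkeys(derive_key(password, salt))
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()  # detects tampering
    return salt + ct + tag

def decrypt_document(password, blob):
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = subkeys(derive_key(password, salt))
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, "sha256").digest()):
        raise ValueError("wrong password or tampered document")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, len(ct))))

def demo_hardened():
    """Returns (round trip works, wrong password rejected,
    same password on two documents yields different files)."""
    blob = encrypt_document("s3cret", b"quarterly numbers")   # constructed
    ok = decrypt_document("s3cret", blob) == b"quarterly numbers"
    try:
        decrypt_document("wrong", blob)
        rejected = False
    except ValueError:
        rejected = True
    salted = encrypt_document("s3cret", b"x") != encrypt_document("s3cret", b"x")
    return ok, rejected, salted

if __name__ == "__main__":
    print("weak:", demo_weak(), "hardened:", demo_hardened())
```

The point of the comparison is where the secret lives: in the weak design the password only influences a row that the application consults, so anyone who can edit the database can remove the check; in the hardened design the password is the only way to obtain the key, so editing or deleting metadata gains nothing.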

Thursday, July 28, 2011

Its all about the bandwidth!

Management:  It's cheaper to consolidate all our servers, applications, and data to a single remote facility; that way we can cut back on the number of IT staff and the number of servers.
But what location will we use?
We found a location: because of the Martian-Earth Free Trade (MEFT) agreement, Martian IT workers will work for 1/5th the cost of Earth IT workers. What a great deal!
User:  Wow, it takes me 15 minutes to input one TPS report in the database. Why would anyone put the servers on Mars? Oh well, it just gives me more time to play Minecraft!
Management:  Why are bandwidth costs so high? From now on, cut bandwidth by half.
User:  Wow, it takes me 30 minutes to input one TPS report in the database. Why would anyone put the servers on Mars? Oh well, I am glad the Minecraft server is local!

That is one big mine!

Sound familiar?  Like everyone else in the data consolidation business, once the data is remotely stored a host of problems crop up with remote offices on bandwidth-constrained links.  Users are unable to complete their work because there is not enough bandwidth for everyone to transfer data back and forth.  To solve this, multiple solutions were looked at, with a preference for a no-cost solution.  Studying traffic flows on the constrained links brought a trend forward: first person always wins!  On the constrained link, whoever asks for a large file first dominates the link and gets their data quickly, while the second user requests data and times out constantly.  My first thought was that everyone should get a fair shot at the bandwidth, but every time there was one user dominating the link.
A little research into advanced router configuration and you come across queuing strategies.  By default routers transmit data in the order it was received, without regard to bandwidth consumption or delay, otherwise known as the FIFO (First In, First Out) queuing strategy.  When there is a high-volume user, they generate bursts of packets called packet trains.  These packet trains travel through the network together and consume all available bandwidth, starving out any other user's traffic.  So can this issue be fixed?  Yes, buy more bandwidth; sorry, we need a no-cost solution.  What other queuing strategies are there?  Well, it depends on your router.  Remember this is different from regular quality of service (QoS).  As a reminder, QoS is where certain data is tagged so it can be transmitted first because it has precedence over other data.  In our instance all the users are accessing the same resources and have the same precedence level; we just want to ensure each user gets their fair share of bandwidth.
The method looked at was Weighted Fair Queuing, which is available on Cisco routers.  Under this strategy packet trains are broken up to allow every user's data to fairly share the bandwidth.  To accomplish this the router looks at packet header information and creates a hash based on factors such as:
  • source/destination network address
  • source/destination mac address
  • source/destination port numbers


This information is used to identify packet trains and to separate high-volume conversations from low-volume conversations.  The router then places packets in the transmission queue so that low-volume conversations get priority over high-volume ones.  After the low-volume conversations have been serviced, high-volume conversations share the remaining link capacity fairly by interleaving, i.e. alternating transmission time slots.
Does it work?  Yes, it does allow multiple clients to share a single low-bandwidth link.  However, don't expect miracles; the best solution is still to buy more bandwidth, leave the data on the local LAN, or get a WAN optimizer, but these cost money.
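An added simulation in Python (not from the post, and not Cisco's implementation) of the effect described above: the same packet arrivals are scheduled first FIFO and then with deficit round robin, a simple flow-based fair queue, and the time until the small user's last request clears the link is compared. Flow ids come from hashing source and destination address and port; link speed, addresses, ports and packet sizes are constructed values. Cisco's WFQ weights flows and classifies on more header fields, so treat this as the general idea rather than the router's algorithm.

```python
import hashlib
from collections import OrderedDict, deque

LINK_BPS = 1_000_000   # constructed: a 1 Mbit/s constrained WAN link

def flow_id(src, dst, sport, dport):
    """Classify a packet into a conversation by hashing header fields, as a
    flow-based fair queue does (addresses and ports here; a router may use more)."""
    return hashlib.sha1(f"{src}:{sport}>{dst}:{dport}".encode()).hexdigest()[:8]

def fifo_schedule(packets):
    """Transmit strictly in arrival order. Returns [(flow, finish_time_s), ...]."""
    t, out = 0.0, []
    for flow, size in packets:
        t += size * 8 / LINK_BPS
        out.append((flow, t))
    return out

def drr_schedule(packets, quantum=1500):
    """Deficit round robin: every active flow gets 'quantum' bytes of credit per
    round and sends while the credit covers the packet at its head, so a long
    packet train is interleaved with the other flows' packets."""
    queues = OrderedDict()
    for flow, size in packets:
        queues.setdefault(flow, deque()).append(size)
    deficit = {f: 0 for f in queues}
    t, out = 0.0, []
    while queues:
        for flow in list(queues):
            q = queues[flow]
            deficit[flow] += quantum
            while q and q[0] <= deficit[flow]:
                size = q.popleft()
                deficit[flow] -= size
                t += size * 8 / LINK_BPS
                out.append((flow, t))
            if not q:
                del queues[flow]      # flow is idle; it drops out of the rotation
    return out

def last_finish(schedule, flow):
    return max(t for f, t in schedule if f == flow)

# Constructed traffic: one user's large file transfer (a train of twenty
# 1500-byte packets) reaches the link just ahead of another user's three
# small 100-byte database requests.
BULK = flow_id("10.1.1.10", "10.9.9.5", 51000, 445)
SMALL = flow_id("10.1.1.20", "10.9.9.6", 52000, 1433)
ARRIVALS = [(BULK, 1500)] * 20 + [(SMALL, 100)] * 3

def compare():
    """Seconds until the small user's last request leaves the link, (FIFO, DRR)."""
    return (last_finish(fifo_schedule(ARRIVALS), SMALL),
            last_finish(drr_schedule(ARRIVALS), SMALL))

if __name__ == "__main__":
    fifo_t, drr_t = compare()
    print(f"FIFO: small flow done at {fifo_t:.4f}s; DRR: done at {drr_t:.4f}s")
```

Under FIFO the three small requests sit behind all 30,000 bytes of the train, under DRR they go out right after the train's first packet; the bulk transfer finishes at the same time either way, because fair queuing changes the order, not the link capacity.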

Monday, July 25, 2011

Blame it on DNS

Are you tired of malware and spyware? Well, there is a simple solution. Simply block DNS (go ahead, block UDP port 53 on your firewall) and all your troubles will be gone.  What, you did and now you don't have access to anything? Well, that is the price you pay :)

I recently read an interesting paper by Bojan Zdrnja, and it made me wonder whether I could set up the same type of system for monitoring my network.  The crux of the paper is that a system was set up to track all DNS requests and then use those requests to identify security issues on the network.

So off I went down another rabbit hole for fame and glory.  Luckily I already had a SNORT box installed on Ubuntu that is able to see all traffic entering and exiting the network.  But I wanted to capture only DNS query packets, and from them the IP source address, website address, and query record type.  To implement this I used the built-in tcpdump command with the following options:

tcpdump -s 0 -i eth0 -G 300 -w q%d%H%M 'udp port 53 and (udp[10] & 0x80 == 0)'

• -s 0: capture the complete packet
• -i eth0: capture packets on interface eth0
• -G 300: rotate output files every 300 seconds
• -w q%d%H%M: the filename to write output to; the % sequences are strftime variables (%d day, %H hour, %M minute; note that lowercase %m would give the month, so every rotation within a month would reuse the same name)
• 'udp port 53 and (udp[10] & 0x80 == 0)': a pcap-filter expression

This filter is the brains of the tcpdump capture: it selects packets whose QR field in the DNS header is set to 0, which means the packet is a DNS query as opposed to a response (udp[10] is the byte two past the 8-byte UDP header, i.e. the first flags byte of the DNS message, and 0x80 is its top bit).  The capture files created by tcpdump are analyzed by a Perl script, which populates a SQLite database with the IP source address, website address, and query record type.  The Perl script is executed as a cron job and processes all complete capture files within a certain directory; nothing fancy.
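As an added example in Python (not the post's Perl script, whose listing is not reproduced here), this does the per-packet work the script performed: it applies the same QR test as the tcpdump filter to the DNS payload, pulls the queried name and record type out of the question section, checks the name against a blocklist, and stores the result in SQLite. The DNS messages, source addresses and blocklist entries are constructed test data, and the build_message helper exists only to produce them.

```python
import sqlite3
import struct

# Constructed stand-in for a downloaded malware domain list.
BLOCKLIST = {"example.com", "dropzone.example.net"}

def build_message(qname, qtype, response=False):
    """Constructed test input: a minimal DNS message with one question.
    Header = ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (12 bytes)."""
    flags = b"\x81\x80" if response else b"\x01\x00"   # QR set vs. plain RD query
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    return (b"\x12\x34" + flags + b"\x00\x01" + b"\x00\x00" * 3
            + name + struct.pack("!HH", qtype, 1))

def is_query(dns):
    """QR is the top bit of DNS byte 2, which tcpdump sees as udp[10] after the
    8-byte UDP header; clear means query, set means response."""
    return (dns[2] & 0x80) == 0

def parse_question(dns):
    """Return (qname, qtype) from the first question of a DNS message."""
    (qdcount,) = struct.unpack("!H", dns[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = dns[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:   # compression pointers do not occur in a plain query name
            raise ValueError("compressed name in question")
        labels.append(dns[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    (qtype,) = struct.unpack("!H", dns[pos:pos + 2])
    return ".".join(labels), qtype

def on_blocklist(qname, blocklist=BLOCKLIST):
    """Match the name and each parent zone (but not the bare TLD), so a listed
    domain also catches its subdomains."""
    parts = qname.lower().split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts) - 1))

def extract(src_ip, dns):
    """One record per query packet (the fields the post stored); None for responses."""
    if not is_query(dns):
        return None
    qname, qtype = parse_question(dns)
    return (src_ip, qname, qtype, on_blocklist(qname))

def load(records, db=None):
    """Store records in SQLite; returns (rows stored, rows flagged by the blocklist)."""
    db = db or sqlite3.connect(":memory:")
    db.execute("CREATE TABLE IF NOT EXISTS dns_query "
               "(src TEXT, qname TEXT, qtype INTEGER, flagged INTEGER)")
    db.executemany("INSERT INTO dns_query VALUES (?, ?, ?, ?)",
                   [r for r in records if r is not None])
    (total,) = db.execute("SELECT COUNT(*) FROM dns_query").fetchone()
    (flagged,) = db.execute("SELECT COUNT(*) FROM dns_query WHERE flagged").fetchone()
    return total, flagged

def demo():
    # Constructed: three packets seen on the wire, one of them a response
    # (which the filter drops) and one an AAAA (type 28, IPv6) lookup.
    seen = [("10.0.0.5", build_message("www.example.com", 1)),
            ("10.0.0.5", build_message("www.example.com", 1, response=True)),
            ("10.0.0.7", build_message("ipv6.corp.internal", 28))]
    return load(extract(src, pkt) for src, pkt in seen)

if __name__ == "__main__":
    print("stored, flagged:", demo())
```

Matching parent zones matters for the blocklist comparison the post describes: a list entry for a domain would otherwise miss every hostname under it. Reading the raw header byte also shows why the original command's filter had to test for the bit being clear, not set.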


Results:
A total of 783,625 DNS queries were captured, comprising 35,213 unique queries. The following table gives a breakout of the data:



Number of queries   Top Website Queries                  Record Type
30187               symantec.georedirector.akadns.net    1
25351               www.symantec.d4p.net                 1
25331               www.symantec.com                     1
19410               crl.microsoft.com                    1
18381               crl.www.ms.akadns.NET                1

Processing the large number of DNS queries was time consuming and not completed anywhere close to real time (blame it on the programmer; it was a quick coding job, not an efficient one).  In addition, extra functionality was included to compare each DNS query to a list of known malware sites.  The malware list can be obtained from a number of websites; however, the contents of the list vary by site.  There are commercial services that pull all the lists together into a single list that can be used for malware detection.  The list used during testing was downloaded from malwaredomainlist.com.  I was amazed and a little disappointed that none of my captured queries matched the malware list.

Conclusion:
I determined that tracking DNS queries is a viable method for detecting malware infestation on the network.  The issues were processing time and where to obtain an authoritative malware domain list.  If the network contains a DNS server, a blackhole list can be generated from known malware lists that would automatically block known malware sites; this method fixes the processing time issue.  This little project also brought to light that the DNS server was not caching DNS queries correctly; this is evident in the large number of total queries compared to unique queries.  I was also amazed at the number of IPv6 queries: when they say it is auto-enabled, it really is auto-enabled.

Listing of the Perl Code used for processing the pcap files

Friday, July 8, 2011

Network Data Gathering on Apple iOS

Apple iOS is the operating system used by Apple mobile devices. This OS is based on Apple Mac OS X.  In our recent search of how to wrangle these devices (particularly the iPad/iPhone) for performing security checks, we noticed some interesting aspects of the devices.

A port scan (Nmap) shows that UDP/TCP port 62708 is open; however, it is not known what this port is used for (update: determined this is for iTunes syncing). Since the port responds to a TCP SYN packet, we broke out our favorite packet fuzzing tool, isic (IP Stack Integrity Checker). This is an open source tool that has been responsible more than once for taking down our test network. Trying both UDP and TCP fuzzing, we were unable to adversely impact our test iPad. Because this was a side project we were only able to commit limited time, and not the resources needed for performing a true fuzzing attack (hopefully we get to revisit this project). As a side note, a scan of an Android device shows no ports open.

How does this open port help an attacker? Data gathering, if I were to scan a network for open tcp 62708, I can now pick out the iPad/iPhone devices on the network. This can be extended out to the possibility of using a mobile device to scan your cell phone provider (determined that providers are using non-routable addresses) to look for iOS devices. Haven't done much research in network tools for mobile devices, but my first inclination is that it is easier to install a port scanner on an Android device vs iOS device.

Our next interesting factoid deals with the user-agent string that the device uses to connect to the web.  In the HTTP protocol there is a header called the user-agent string. This tells the web server what type of browser you are connecting with and can allow the web server to restructure the page for your browser. Using the Safari web browser on the iPad/iPhone, we find the user-agent is set to the device type (iPhone/iPad) and the version of iOS (e.g. iPhone/iPad 4.2.1). Right off the bat, performing a network capture I can tell what iOS version the user is using and focus attacks on that version.  Of course we need to be on a shared network to perform these captures (a WiFi network). The interesting thing found is that when an app connects to the web the user-agent string is modified to include the app name. For example, if you were using the ipadsteel app, we would see the user-agent string as: "ipadsteel, iPad/iPhone, 4.2.1".  Now with network captures I know the app you're running and the iOS version.

In a normal attack this is the information an attacker usually spends time gathering in order to determine how to infiltrate.  However, with the iPhone/iPad I already know an open port on the device, what iOS version is being used and the apps being used. Eventually exploits will be released, but with the release schedule of iOS, exploits may be short-lived.

Friday, July 1, 2011

Stealth On the LAN


So you got a brand new iMac and noticed it has stealth mode, and you think "Awesome, I bet that is the same as the Romulan advanced cloaking technology; only a company like Apple would be so far ahead of the curve".

According to Apple "When you enable stealth mode, all uninvited data traffic receives no response from your computer. Stealth mode virtually hides your computer behind your firewall, and other computers sending traffic to your computer receive no information about your computer."

Sounds neat; let's see if we can circumvent this stealth mode and determine the IP addresses of stealth-enabled OS X hosts. We determined that engaging stealth mode only implements one firewall rule: block incoming ICMP type 8, the ping echo request (what a letdown, Mr. Jobs, stealth only implements one rule!). Since this rule does not affect any other types of ICMP packets, let's be crafty and use ICMP against them.

RFC 792 (or the ICMP Wikipedia page) shows that computers should respond to IP packets with bad IP headers with an ICMP type 12 (Parameter Problem) packet; perfect. So our game plan is to send a packet with bad IP header options to each IP address in the subnet. The OS X host with stealth enabled should respond with ICMP type 12 (bad IP header). Since the packet filter does not block incoming packets with bad IP headers or outgoing ICMP, we can use Wireshark to see this transaction and determine the stealth IP addresses. Complicated? Actually easier than we thought, using a program called nemesis (found on your local BackTrack CD) and automating it with a bash script:

#!/bin/bash
host="172.16.40.131"   # IP address of the computer performing the scan
scan="172.16.40."      # simple subnet with netmask 255.255.255.0

for ((cnt=1; cnt<255; cnt+=1)); do   # loop through the host addresses
    addr="$scan$cnt"                 # no spaces around '=' in a shell assignment
    echo "$addr"
    # -P payload file, -O IP options file, -S source address, -D destination address
    nemesis ip -P appledata.bin -O appleipopt.bin -S "$host" -D "$addr"
done

appledata.bin and appleipopt.bin are two binary files that contain the bad packet data and the bad IP options. Yes, I typed these in hex one byte at a time into a text file because I could not find a leet way of doing this; props to hex2bin.pl, the Perl program that converted my ASCII hex data to binary data. Setting up Wireshark with the display filter "icmp" will show the IP addresses responding to the generated packets. Running the script, we see an ICMP type 12 from the "stealth" OS X host, yeah! An even better surprise is that all the listening hosts on the subnet responded (Vista, Windows 7, Cisco, etc.). Our script showed the IP addresses of all the listening hosts on the subnet; what a neat way to find listening network hosts.

Did we meet our goal and subvert the stealth technology? - FAIL! (almost)

Since our packets have bad IP header options, they turn out to be non-routable, so our technique only works within a switched LAN. All this work for nothing, especially when you realize there is a very simple way to map a switched network: the almighty ARP.

Using the command "nemesis arp -S -D" followed by the IP address you are scanning, all hosts respond with an ARP reply as expected (Wireshark display filter "arp.opcode == 0x0002"). What a waste of time creating bad IP headers, but how else would we procrastinate?
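From the defender's side, the ARP sweep the post ends on is easy to spot, because one host asks who-has for dozens of addresses within a few seconds. The following is an added example in Python, not part of the post: it reads constructed packet summary lines (timestamp, source, kind, destination; the line format is invented for this example) and flags any source that ARPs for at least a threshold number of distinct addresses inside a sliding time window. The addresses reuse the post's 172.16.40.0/24 lab subnet.

```python
from collections import defaultdict

# Constructed packet summary lines: "<seconds> <src-ip> <kind> <dst-ip>", where
# kind is 'arp-req' for an ARP who-has and 'ip' for anything else. Host
# 172.16.40.131 walks the subnet the way the script above does, one request
# every 10 ms; 172.16.40.50 is an ordinary client talking to two neighbours.
SAMPLE = "\n".join(
    [f"{1.0 + i * 0.01:.2f} 172.16.40.131 arp-req 172.16.40.{i}" for i in range(1, 41)]
    + ["1.10 172.16.40.50 arp-req 172.16.40.1",
       "1.20 172.16.40.50 ip 172.16.40.1",
       "1.30 172.16.40.50 arp-req 172.16.40.2"]
)

def parse(lines):
    """Yield (timestamp, src, kind, dst) tuples from the summary format above."""
    for line in lines.splitlines():
        ts, src, kind, dst = line.split()
        yield float(ts), src, kind, dst

def detect_sweeps(lines, window=2.0, threshold=20):
    """Flag sources that ARP for at least 'threshold' distinct addresses within
    any 'window' seconds. Returns {src: distinct targets in its busiest window}."""
    per_src = defaultdict(list)
    for ts, src, kind, dst in parse(lines):
        if kind == "arp-req":
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()                      # by timestamp
        start, best = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most 'window' s
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= threshold:
            hits[src] = best
    return hits

if __name__ == "__main__":
    for src, n in detect_sweeps(SAMPLE).items():
        print(f"ARP sweep from {src}: {n} distinct targets")
```

Counting distinct destinations rather than raw requests keeps a host that retries ARP for one unreachable neighbour from tripping the rule; the window and threshold are the knobs to tune against normal broadcast volume on a given segment.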

Friday, June 5, 2009

Developing secure applications

So you are a small company that develops software, and your customers are becoming more paranoid about the security of your code. With companies being held responsible for their sloppy coding practices, there is no more "As long as it works, that's all you need". One of the first instances I saw of this was "The Trustworthy Computing Security Development Lifecycle" developed by Microsoft.


"Security development lifecycle (SDL)
Microsoft designed SDL to ensure that the development of software is as secure as possible.

The process is made up of a series of security-focused activities and targets for each of the phases of Microsoft's software development process.

These include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing.

Before software can be released, it must undergo a final security review by a team independent from its development group."

Microsoft used this methodology to develop the Vista operating system. Microsoft claims that from implementing this methodology Vista has had fewer first-year vulnerabilities than Windows XP, Red Hat, Mac OS X, etc. Microsoft releases this methodology free for anyone to use and is implementing it in their development tools. You can read all about it on the SDL website linked to above.

Another checklist I have found useful for software developers is the Application and Development Checklist developed by the Defense Information Systems Agency. I find this an easy-to-use checklist to show software buyers that any software being developed is going through a strict security engineering process, ensuring security is not an afterthought.

Another great resource is SAFECode; they have multiple publications on ensuring you are developing secure code.

"The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp."

If you are developing software, customers are requesting not only working code but also secure code. There is also an ongoing trend in the software industry of businesses including "secure code clauses" in their contracts with application developers.

Keep the code secure, use a secure engineering process!

Wednesday, February 27, 2008

Let Loose the Pings

Photo Courtesy Sean Hawkey
Our lab contains a very expensive hardware-based traffic generator. This device is not easily configured and can be a pain to use, but once you set it up it can generate any type of traffic and network transactions. The problem is that somebody changed the admin password, and nobody knew the new one. The device can still be used without the admin password; however, you cannot configure the interfaces without it. We were in a time crunch and needed to perform a simple network test, and did not have time to reset the password. The problem was that whoever reset the admin password also changed the IP address on the interface, and we needed to figure out that IP address in order to configure the test. Easy, there are only 4 billion addresses to ping; by the way, the device was set to respond to pings. Well, it gets better: we knew the address was 10.x.0.11, so we only had to try at most 256 addresses. My co-worker starts pinging one at a time, and I think he is crazy; we are programmers, let's write a quick VBScript and run it with WSH. Basically this script runs through the 10.0-255.0.11 addresses and parses the output from the ping. If it receives a Reply then the script prints that address and exits. The script could be modified with more loops to go through more addresses; however, the script is slow because it only processes one ping at a time. If you need more pings, a C program would work much faster.

Basic operation: a for loop goes through 0-255 (each number is output to the screen), a variable is used to build the ping statement, a shell is created for the ping command to be executed, and the output from the ping command, which is in stdout, is parsed looking for the word Reply; if Reply is found then the IP address is echoed to the screen and the script exits. When running this script ensure you use cscript or you will have windows popping up for each ping. This script worked extremely well; we took a break while the script ran and came back and the magic number was 42, imagine that.

' Ping 10.0.0.11 through 10.255.0.11 one address at a time and stop at the
' first one that answers. Run with cscript so the echoes go to the console.
Set objShell = CreateObject("WScript.Shell")   ' one shell object is enough

For i = 0 To 255
    y = 1
    WScript.Echo i
    a = "ping -n 1 10." & i & ".0.11"

    Set objWshScriptExec = objShell.Exec(a)
    Set objStdOut = objWshScriptExec.StdOut
    While Not objStdOut.AtEndOfStream
        strLine = objStdOut.ReadLine
        ' A line starting with "Reply" means the host answered. Note that
        ' "Reply from x.x.x.x: Destination host unreachable" also starts
        ' with "Reply"; that case did not come up on this lab network.
        If Mid(strLine, 1, 5) = "Reply" Then
            y = y + 1
        End If
    Wend
    If y > 1 Then
        WScript.Echo a   ' prints the ping command, which contains the address
        Exit For
    End If
Next