I got my first computer when I was around 10 years old. It was a ZX80 clone with a whopping 64K of RAM. I had a game of Pong that came on a cassette tape and took 30 minutes to load. Sounds annoying now, but at the time, it was the most awesome thing ever. It was magic. As my programming skills improved and as I saw Moore’s law rip open previous computing limits, that sense of magic became internal and intimate. It changed from “wow, look at what that neat box can do” to “wow, I’m wielding this magic at my fingertips”. It’s not an accident that computer programmers and system admins are called wizards. Placing their fingers on a keyboard feels like wielding a magic wand. The possibilities feel endless. They are endless.
A personal computer is an intimate extension of our brains. It makes us think faster with powerful CPUs, gives us photographic memory with gigantic storage, lets us analyze, sort and distill information with smart algorithms, grants us telepathic powers through internet communication, and creates a playground for our imagination through virtual worlds and simulations. Personal computers are the vessel for electronic thoughts. Just as thoughts are personal and private, so is personal computing. It’s a personal and private experience.
Cloud computing takes the closely held magic away from us and places it in the hands of a powerful corporation. If you are a magic user rather than a wizard, this doesn’t seem like a big difference. After all, you still reap the benefits; you still touch your precious keyboard, and with a press of a button magic happens. The key difference is that with personal computers you own that magic – it’s personal. With cloud computing that magic happens at someone else’s bidding. The user is merely presented with the end result. It’s magic for rent. It’s a satisfying illusion. When you use cloud computing, you’ve put away your wizard’s wand and substituted it for a fancy TV remote control. Often cloud computing magic appears more powerful than what you could ever hope to accomplish on your own. For that reason it’s tempting to put away your dusty old wand and to follow the rest of the herd away from that dried up patch of pasture you call “yours”, to a never-ending green field shared by all. Unlike personal computing, cloud computing is also easy: it doesn’t force you to learn and it doesn’t demand that you work. Most importantly, it doesn’t demand answers to any questions. All you have to do is open your mouth, chew and swallow that juicy green grass.
Does this mean cloud computing is always a bad idea? Certainly not. Personal computing is not about living in a cave as a hermit. It’s about defining limits. Personal computing is a question. What is yours and private? What is shared? What is off limits? What should always stay personal? What is the value of your privacy? What can you afford to let float into the cloud? What will you share? What will you keep secret? And when you are ready to head off to the never-ending green field shared by all, ask yourself: Who owns that field? Will it always be green and never-ending? Who makes the rules while I’m there? And most importantly, can I get the best of both worlds? Can I visit the never-ending green field for a few hours and return to my own place at a moment’s notice? Or am I entering a one-way corral? Can I keep my wand? Or do I have to trade it in for a remote control at the gate?
Draw a boundary; define your kingdom – no matter how big or small. Ask yourself: can I claim that territory as my own the same way I claim my mind as my own?
Am I free? Will I remain free?
I noticed that 60 out of 60 popular Windows anti-virus and anti-malware solutions fail to catch the simplest keylogger.
For the test I created a Windows application using the popular UserActivityHook.cs library. It took me about 30 minutes of mostly copying and pasting. I didn’t have to obfuscate the nature of my program, nor did I have to pack its binary contents. The program runs as a plain user – it doesn’t need privilege escalation either. In other words, it is very dangerous. I scanned the executable through VirusTotal as well as a few popular anti-virus and anti-malware programs on various workstations locally, and they all passed the keylogger as 100% OK.
This doesn’t illustrate my hacking abilities (I used none). What this does illustrate is the poor state of anti-malware and anti-virus tools at the moment. No matter what the marketing materials tell you, the only protection these tools offer you is against specific white-listed instances of malware. For any other attack you’re on your own.
I couldn’t believe my eyes, either, so I decided to dig deeper.
Why was this so easy?
To understand that, let’s dig into the various detection methods antivirus programs have at their disposal (thanks, Wikipedia) and why each method fails.
- Signature-based detection: the most common method. To identify viruses and other malware, the antivirus engine compares the contents of a file to its database of known malware signatures. Since this malware is new, there is nothing to compare it to. This is also one reason why I’m not posting the keylogger for everyone to download: days after I release it, it will get picked up by one of the many anti-malware teams and a signature will be made of it in a hurry. I don’t want to be tagged as distributing malware down the road. This approach works against known samples, but it’s not good enough – definitely not as good as the various vendors would have you believe. It’s trivial to bypass the scan if you spend 30 minutes making your own malware, even if you just copy and paste a bunch of stuff together. On the other hand, if you’re using someone else’s tool, it will get picked up as malware sooner or later.
- Heuristic-based detection: generally used together with signature-based detection. It detects malware based on characteristics typically found in known malware code. I was rooting for the anti-malware programs to catch my test based on heuristics – if they can’t catch it, how are they catching the keyloggers that others are trying to use against me? Sadly, none did. This is most likely because the Windows security architecture treats keylogging as a routine function used by many legitimate applications. In particular, the keylogger depends on the GetKeyboardState API call, which other applications use for many benign reasons. I still think that if the anti-virus companies tried harder, they could catch this with heuristics. Currently, they obviously don’t.
- Behavioural-based detection: similar to heuristic-based detection, and also used in intrusion detection systems. The main difference is that, instead of characteristics hardcoded in the malware code itself, it is based on the behavioural fingerprint of the malware at run time. This technique can therefore detect (known or unknown) malware only after it has started its malicious actions. Once again, the anti-malware products didn’t live up to the promise. They could have noticed the writes to disk milliseconds after each key press – they didn’t. Then again, it is tricky: there are a lot of legitimate programs out there that write to disk after key strokes and aren’t keyloggers.
- Data mining techniques: one of the latest approaches applied to malware detection. Data mining and machine learning algorithms are used to classify a file (as either malicious or benign) given a series of features extracted from the file itself. Data mining should have been a no-brainer for an anti-malware tool – I was doing all sorts of suspicious stuff in my code and not hiding it one bit. I guess we have to wait until this approach matures, but given how miserably the other methods failed, I’m not holding my breath.
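To make the first and last of these methods concrete, here is a minimal sketch. The original test program was a Windows/.NET application; Python is used here purely for illustration, and the signature database entry and the “suspicious” strings are made up for the example:

```python
import hashlib
import math
from collections import Counter

# --- Signature-based detection (toy version) ---
# Real engines match byte-pattern signatures, not just whole-file hashes,
# but the principle is the same: no database entry, no detection.
KNOWN_BAD = {hashlib.sha256(b"known malware sample").hexdigest()}

def signature_match(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD

# --- Data-mining-style feature extraction (toy version) ---
def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, 0..8 bits."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extract_features(data: bytes) -> dict:
    """A tiny, made-up feature vector a classifier could be trained on."""
    suspicious = [b"GetKeyboardState", b"SetWindowsHookEx", b"WriteFile"]
    return {
        "size": len(data),
        "entropy": byte_entropy(data),
        "suspicious_api_strings": sum(data.count(s) for s in suspicious),
    }

# A freshly built keylogger matches no signature...
print(signature_match(b"freshly compiled keylogger"))  # False
# ...even though its features are screaming:
print(extract_features(b"...GetKeyboardState...WriteFile...")["suspicious_api_strings"])  # 2
```

The gap between the two outputs is the whole story: the signature check shrugs at anything new, while even a crude feature extractor immediately sees something worth flagging.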
So… this sucks. How do you protect yourself then? Right now, you probably can’t. Anti-malware companies have to step up and detect these kinds of things. Be skeptical: just because you see 57 green check marks on VirusTotal doesn’t mean a file is safe. And no, don’t stop using your anti-virus, VirusTotal or whatever else you have. Even if anti-virus is only 90% effective, that’s still better than the 0% you get without it.
On a host with many virtual sites and no centralized logging, getting an idea of which site is being hammered too hard can be tedious, if not impossible.
Instead of looking at the logs, why not look at the traffic in real time:
tcpdump -s 1500 -v -A -c100 dst port 80 | grep Host
This will show the hosts being requested through HTTP.
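To go one step further and see which virtual host is being hammered hardest, you can tally the Host headers. A small sketch (Python for illustration; the sample lines and file name are made up) that counts hosts in tcpdump’s ASCII output:

```python
import re
from collections import Counter

def tally_hosts(lines):
    """Count HTTP Host headers in tcpdump's ASCII (-A) output."""
    host_re = re.compile(r"Host:\s*(\S+)", re.IGNORECASE)
    counts = Counter()
    for line in lines:
        m = host_re.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

# Feed it captured lines, e.g. after:
#   tcpdump -s 1500 -v -A -c100 dst port 80 > capture.txt
# call tally_hosts(open("capture.txt")). Demo with made-up lines:
sample = ["Host: example.com", "GET / HTTP/1.1",
          "Host: example.com", "Host: other.net"]
for host, n in tally_hosts(sample).most_common():
    print(n, host)  # most-hammered host first
```

The host at the top of the list is the one eating your traffic.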
Every time I hack or crack something, I face a tough ethical dilemma. I wonder, am I hurting people’s security and privacy by doing this? When I improve code that is designed to simplify the cloning of RFID access cards, am I helping society? Am I helping criminals break into buildings? When I write a tutorial that explains “how to hack in”, am I helping society? Or am I helping criminals send phishing spam?
To untangle this, let’s start with definitions. A white hat hacker is defined as someone who improves security, while a black hat hacker is defined as someone who harms it. This isn’t very helpful. Whose security are we talking about? Is a hacker working for a government security organization considered white hat or black hat? After all, they are improving *their* organization’s security. Are our guys the white hats, while “the other” guys are black hats? And how do we define harm or benefit? Is a hacker who releases info about a 0-day exploit causing harm, or benefit? It seems these definitions just shift the ethics to another level, avoiding the deeper philosophical implications.
Here is a more useful definition:
- White hat hacker: Hacker who shares their tools and knowledge in a public and open manner for the purpose of enabling everyone to gain privacy and control.
- Black hat hacker: Hacker who secretively guards their tools and knowledge for the purpose of taking privacy and control away from others.
This definition allows us to ask another interesting question. What would happen if the majority of hackers were white hat? What would happen if the majority were black hat?
Black Hat Majority:
Information security is in a very bleak state. Black hats have all kinds of back doors, and everyday users can only throw up their arms and say “privacy is dead”, “liberty is dead”, “I do not have control over my devices – others do”. This is the state we are in now.
White Hat Majority:
Information security is in a good state. A published exploit is a defensible exploit. Black hats still have fringes to operate in. Overall, however, everyday users can be fairly certain that they have control over their systems and that they are not just puppets within a system controlled by others.
This makes it easy for me to say: I’m proud to be a white hat hacker. I’m also proud to be on the right side of the race between the two sides.
I hope this makes others who have been on the sidelines, wondering what’s the right thing to do, jump right in.
I’ve been playing with my new Proxmark3. It works great for HID cards, but the ioProx code is still in its infancy. I made some improvements to it based on analysis by marshmellow:
- Better accuracy: You no longer have to worry about centering your fob on the antenna or scanning it repeatedly to get a “good” reading. Now you can just hold it in your fingers to scan. Before this update I was averaging 10 – 70% accuracy depending on how I held the fob. This version is pretty much 100% accurate – I haven’t had a bad scan yet.
- Correct decoding of human readable XSF number: Previous version had a bug that displayed the wrong unique code and the wrong facility IDs.
Download the binary firmware (including the source code patch if you want to build it yourself).
There is still more work to be done. For example, there appears to be a CRC or checksum near the end – it’s still a mystery.
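One common way to attack that kind of mystery is to test cheap checksum hypotheses against known-good captures. A sketch of the simplest hypothesis (the frame bytes below are made up; real decoded ioProx frames would be substituted in):

```python
def xor_checksum(payload: bytes) -> int:
    """XOR of all payload bytes - one of the simplest checksums to test."""
    c = 0
    for b in payload:
        c ^= b
    return c

def trailing_byte_is_xor(frame: bytes) -> bool:
    """Hypothesis: the last byte is an XOR checksum of the rest.
    Run this over several known-good scans; if it holds for all of
    them, the mystery is probably solved."""
    return frame[-1] == xor_checksum(frame[:-1])

# Made-up frame whose last byte happens to satisfy the hypothesis:
print(trailing_byte_is_xor(bytes([0x12, 0x34, 0x56, 0x12 ^ 0x34 ^ 0x56])))  # True
```

If a plain XOR doesn't hold, the next candidates would be additive checksums and small CRC polynomials over different bit-slices of the frame.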
A couple of my clients’ sites were being probed by botnets. It was the usual:
- Probes for common vulnerabilities
- Password guessing attacks
It didn’t warrant putting them behind a firewall, but I also didn’t like the idea of leaving them open to relentless, automated 24×7 scanning. The sites were extranet-type sites – not really public, but not private either. I scratched my head a bit trying to figure out how to improve security without inconveniencing users. What I came up with is this method:
- Any access to the website is blocked by a “captive portal”-like page
- When the user provides the portal with what’s being asked for (in this case, the correct answer to a CAPTCHA), the firewall opens an exception for their IP and the user is redirected onward to the site they were looking for.
Is this secure against a determined hacker? Definitely not. Solving the CAPTCHA takes only 3 seconds and they’re in through the first layer of defense. That’s why it’s critical that this is treated as an extra (thin) layer of defense and not as the only layer.
Is this secure against 99% of all attacks out there (worm / botnet attacks on autopilot)? Definitely.
How is it implemented?
- A PHP page shows the captive portal
- If the CAPTCHA is correct, the IP is collected from $_SERVER["REMOTE_ADDR"], sanitized and saved in a file that keeps track of allowed IPs
- The PHP page then triggers a shell script that updates iptables with the following entry:
iptables -t nat -A PREROUTING -p tcp --dport 80 -s $AllowedIP -d $YourIP -j DNAT --to-destination $TargetIP:80
How can this be improved?
Nothing says that access has to be granted with a simple CAPTCHA; there could be full authentication that takes place before the firewall is opened. Furthermore, the firewall could close shortly after access is given, disallowing any fresh TCP connections. Think of it as authenticated port knocking.
You’ve probably seen a page like this if you’ve stumbled across a CloudFlare-protected site when using Tor. I don’t know what internal mechanism they use, but I imagine it’s very similar.
When reversing applications it’s useful to see what’s happening under the hood. Up until now I’ve either had to bring out OllyDbg and dive into assembly or rely on a high-level tool like Sysinternals Process Monitor. I’m fond of strace on Linux, but searching for “strace for Windows” only turned up tools that were not very reliable. That was a couple of years ago.
Today I stumbled on these two API monitors that do exactly what I need on Windows:
Inspired by a very interesting TED talk by Chris Domas, I decided to make my own tool that did the same thing.
Download the binary (.NET compatible)
Download the source code
As you can tell from the source code, the mechanism is very simple:
- Split file into bytes
- Loop through the bytes (currentByte and previousByte)
- X axis is 0 – 255 (currentByte)
- Y axis is 0 – 255 (previousByte)
- Plot intersections of X and Y
The technical name for this is a digraph. Doing this in 3D or 4D would require a very similar process.
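The steps above can be sketched as follows (Python for illustration; the original tool is a .NET program, and the plotting step is left to whatever image library you prefer):

```python
def digraph_counts(data: bytes):
    """Count (previousByte, currentByte) pairs into a 256x256 grid.
    Each cell holds how often that byte pair occurs; brighter cells in
    the rendered image correspond to more frequent pairs."""
    grid = [[0] * 256 for _ in range(256)]
    for prev, cur in zip(data, data[1:]):
        grid[prev][cur] += 1  # Y = previousByte, X = currentByte
    return grid

grid = digraph_counts(b"ABAB")
print(grid[ord("A")][ord("B")])  # 2: the pair "AB" occurs twice
print(grid[ord("B")][ord("A")])  # 1: the pair "BA" occurs once
```

Plain ASCII text lights up only the 32–126 square, while compressed or encrypted data scatters across the whole grid, which is exactly what the screenshots below show.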
Below are screenshots of some of the files that I visualized.
Note how everything is in the upper left corner. That’s because the bulk of plain text is ASCII bytes 32 (space) to 126 (~).
Some similarities to a text file in terms of well-defined patterns, except that a binary file isn’t restricted to bytes below 127.
Notice the shades of gray.
This was about a 32 MB file. If I had a bigger file that was even more random, I would expect the entire screen to fill white. Any pattern visible here is a telltale sign of a lack of randomness (or a small sample).