Enter the Dragon(Book), Part 1
This is a fairly large topic; I’ve summarized and written in a somewhat narrative/blog friendly way here. A few years ago I was reading a blog about STL memory allocators (http://blogs.msdn.com/b/vcblog/archive/2008/08/28/the-mallocator.aspx), memory allocators being a source of extreme security risk, I took the author’s statement, “I’ve carefully implemented all of the integer overflow checks and so forth that would be required in real production code.” as a bit of a challenge. After playing with permutations of the code I was able to get…
IOActive’s IOAsis at RSA 2012
This is not a technical post as usual. This is an invitation for an important event if you are going to RSA 2012 and want to escape the chaos and experience the luxury at IOAsis while enjoying great technical talks and meeting with industry experts. If you want to feel like a VIP and have great time then don’t miss this opportunity! We have scheduled some really interesting talks such as: Firmware analysis of Industrial Devices with IOActive researcher Ruben Santamarta Mobile Security in the Enterprise with IOActive VP, David Baker…
Estimating Password and Token Entropy (Randomness) in Web Applications
Entropy “In information theory, entropy is a measure of the uncertainty associated with a random variable. In this context, the term usually refers to the Shannon entropy, which quantifies the expected value of the information contained in a message, usually in units such as bits. In this context, a ‘message’ means a specific realization of the random variable.” [1] 1. http://en.wikipedia.org/wiki/Entropy_%28information_theory%29 I find myself analyzing password and token entropy quite frequently and I’ve come to rely upon Wolfram Alpha and Burp Suite Pro to get my estimates for these values. It’s…
I can still see your actions on Google Maps over SSL
A while ago, yours truly gave two talks on SSL traffic analysis: one at 44Con and one at RuxCon. A demonstration of the tool was also given at last year’s BlackHat Arsenal by two of my co-workers. The presented research and tool may not have been as groundbreaking as some of the other talks at those conferences, but attendees seemed to like it, so I figured it might make some good blog content. Traffic analysis is definitely not a new field, neither in general nor…
Solving a Little Mystery
Firmware analysis is a fascinating area within the vast world of reverse engineering, although not very extended. Sometimes you end up in an impasse until noticing a minor (or major) detail you initially overlooked. That’s why sharing methods and findings is a great way to advance into this field. While looking for certain information during a session of reversing, I came across this great post. There is little to add except for solving the ‘mystery’ behind that simple filesystem and mentioning a couple of technical details. This…
A free Windows Vulnerability for the NSA
Some months ago at Black Hat USA 2011 I presented this interesting issue in the workshop “Easy and Quick Vulnerability Hunting in Windows,” and now I’m sharing it with all people a more detailed explanation in this blog post. In Windows 7 or Windows 2008, in the folder C:WindowsInstaller there are many installer files (from already installed applications) with what appear to be random names. When run, some of these installer files (like Microsoft Office Publisher MUI (English) 2007) will automatically elevate privileges and try to install when…
Common Coding Mistakes – Wide Character Arrays
This post contains a few of my thoughts on common coding mistakes we see during code reviews when developers deal with wide character arrays. Manipulating wide character strings is reasonably easy to get right, but there are plenty of “gotchas” still popping up. Coders should make sure they take care because a few things can slip your mind when dealing with these strings and result in mistakes. A little bit of background: The term wide character generally refers to character data types with a width larger than a…
Automating Social Engineering: Part Three
PHASE 2: Ruses Once we have enough information about the employees and company in question, we can begin to make some sense of the information and start crafting our ruses. It is worth noting that this stage currently does not have a lot of since it does require a lot of human intuition and information processing. Certainly as we continue developing the tool we will be able to automate more and create some decision making systems capable of creating useful ruses, but for now a key factor of…
Automating Social Engineering: Part Two
As with any other type of penetration test, we need to gather information. The only difference here is that instead of looking for operating system types, software versions, and vulnerabilities, we’re searching for information about the company, their employees, their social networking presence, et cetera. Given that we’re performing an assessment from a corporate perspective, there are some limitations with regard to privacy and employees’ private life, but the truth is that real attackers won’t abide by such limitations. So, you should assume that any…
Automating Social Engineering: Part One
since the original conceptualization of computer security, and perhaps even before, social engineering has been in existence. One could say that social engineering began when societies began, whether it was realized or not. It is now time to give some of this work to scripts and applications to make it a little more interesting… As the years passed in the computer security community, network penetration became more and more necessary, but computers were not the only thing getting compromised. Social engineering was part of the hacker subculture, but it was…