RESOURCES

Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Blogs | INSIGHTS | January 17, 2013

Offensive Defense

I presented before the holiday break at Seattle B-Sides on a topic I called “Offensive Defense.” This blog will summarize the talk. I feel it’s relevant to share due to the recent discussions on desktop antivirus software (AV). What is Offensive Defense? The basic premise of the talk is that a good defense is a “smart” layered defense. My “Offensive Defense” presentation title might be interpreted as fighting back against your adversaries much like the Sexy Defense talk my co-worker Ian Amit has been presenting. My view of…

Stephan Chenette
Blogs | INSIGHTS | January 7, 2013

The Demise of Desktop Antivirus

Are you old enough to remember the demise of the ubiquitous CompuServe and AOL CD’s that used to be attached to every computer magazine you ever bought between the mid-80’s and mid-90’s? If you missed that annoying period of Internet history, maybe you’ll be able to watch the death of desktop antivirus instead. [Image: 65,000 AOL CD’s as art] Just as dial-up subscription portals and proprietary “web browsers” represent a yester-year view of the Internet, desktop antivirus is similarly being confined…

Gunter Ollmann
Blogs | INSIGHTS | December 20, 2012

Exploits, Curdled Milk and Nukes (Oh my!)

Throughout the second half of 2012 many security folks have been asking “how much is a zero-day vulnerability worth?” and it’s often been hard to believe the numbers that have been (and continue to be) thrown around. For the sake of clarity though, I do believe that it’s the wrong question… the correct question should be “how much do people pay for working exploits against zero-day vulnerabilities?” The answer in the majority of cases tends to be “it depends on who’s buying and what the vulnerability is” regardless of the…

Gunter Ollmann
Blogs | INSIGHTS | December 18, 2012

Striking Back GDB and IDA debuggers through malformed ELF executables

Day by day the endless fight between the bad guys and good guys mostly depends on how fast a countermeasure or anti-reversing protection can be broken. These anti-reversing mechanisms can be used by attackers in a number of ways: to create malware, to be used in precompiled zero-day exploits in the black market, to hinder forensic analysis, and so on. But they can also be used by software companies or developers that want to protect the internal logic of their software products (copyright). The other day I was thinking: why…

Alejandro Hernandez
Blogs | INSIGHTS | December 3, 2012

IOActive Acquires Flylogic

IOActive Announces Acquisition of Flylogic Engineering and Hardware Security Lab. World-renowned Semiconductor Security Expert, Christopher Tarnovsky, to Head IOActive’s Expanded Hardware Division. Seattle, WA—July 26, 2012. IOActive, a global leader in information security services and research, today announced the acquisition of Flylogic Engineering and its assets, in addition to the appointment of Christopher Tarnovsky as IOActive’s Vice President of Semiconductor Security Services. In conjunction with this announcement, IOActive will be opening an expanded hardware and semiconductor security lab in San Diego, California. Flylogic and Mr. Tarnovsky have long been…

IOActive
Blogs | INSIGHTS | November 21, 2012

The Future of Automated Malware Generation

This year I gave a series of presentations on “The Future of Automated Malware Generation”. This past week the presentation finished its final debut in Tokyo on the 10th anniversary of PacSec. Hopefully you were able to attend one of the following conferences where it was presented: IOAsis (Las Vegas, USA), SOURCE (Seattle, USA), EkoParty (Buenos Aires, Argentina), PacSec (Tokyo, Japan).

Stephan Chenette

Disclosures | ADVISORIES | November 9, 2012

SIEMENS Sipass Integrated 2.6 Ethernet Bus Arbitrary Pointer Dereference

This vulnerability exists within AscoServer.exe during the handling of RPC messages over the Ethernet Bus. Insufficient sanity checking allows remote and unauthenticated attackers to corrupt a Heap-Allocated Structure and then dereference an arbitrary pointer. When manipulating an IOCP message, it is possible to alter the behavior of message parsing. This allows another IOCP message to subvert the listener of IOCP messages, which leads to export of a write-n primitive. This flaw allows remote attackers to execute arbitrary code on the target system, under the context of the SYSTEM account, where…

Lucas Apa
Blogs | INSIGHTS | November 7, 2012

Hacking an Android Banking Application

This analysis of a mobile banking application from X bank illustrates how easily anyone with sufficient knowledge can install and analyze the application, bypassing common protections. 1. Installing and unpacking the application: Only users located in Wonderland can install the X Android application with Google Play, which uses both the phone’s SIM card and IP address to determine the location of the device. To bypass this limitation, remove the SIM card and reset the phone to factory defaults. Complete the initial Android setup with a Wonderland…

Juliano Rizzo
Blogs | INSIGHTS | November 2, 2012

iOS Security: Objective-C and nil Pointers

iOS devices are everywhere now. It seems that pretty much every other person has one…an iPhone, iPad or iPod touch – and they’re rivaled in popularity only by Android devices. If you do secure code review, chances are that with the explosion in the number of iOS apps, you may well have done a source code review of an iOS app, or at least played around with some Objective-C code. Objective-C can be a little strange at first for those of us who are used to plain C and C++…

Shaun Colley
Blogs | INSIGHTS | October 30, 2012

3S Software’s CoDeSys: Insecure by Design

My last project before joining IOActive was “breaking” 3S Software’s CoDeSys PLC runtime for Digital Bond. Before the assignment, I had a fellow security nut give me some tips on this project to get me off the ground, but unfortunately this person cannot be named. You know who you are, so thank you, mystery person. The PLC runtime is pretty cool, from a hacker perspective. CoDeSys is an unusual ladder logic runtime for a number of reasons. Different vendors have different strategies for executing ladder logic. Some run ladder logic…

Reid Wightman

Commonalities in Vehicle Vulnerabilities

2022 Decade Examination Update | With the connected car now commonplace in the market, automotive cybersecurity has become the vanguard of importance as it relates to road user safety. IOActive has amassed over a decade of real-world vulnerability data illustrating the issues and potential solutions to cybersecurity threats today’s vehicles face.

This analysis is a major update and follow-up to the vehicle vulnerabilities report originally published in 2016 and updated in 2018. The goal of this 2022 update is to deliver current data and discuss how the state of automotive cybersecurity has progressed over the course of 10 years, making note of overall trends and their causes.
