Inside Flame: You Say Shell32, I Say MSSECMGR
When I was reading the CrySyS report on Flame (sKyWIper)[1], one paragraph, in particular, caught my attention: In case of sKyWIper, the code injection mechanism is stealthier such that the presence of the code injection cannot be determined by conventional methods such as listing the modules of the corresponding system processes (winlogon, services, explorer). The only trace we found at the first sight is that certain memory regions are mapped with the suspicious READ, WRITE and EXECUTE protection flags, and they can only be grasped via…
Thoughts on FIRST Conference 2012
I recently had the opportunity to attend the FIRST Conference in Malta and meet Computer Emergency Response Teams from around the world. Some of these teams and I have been working together to reduce the internet exposure of Industrial Control Systems, and I met new teams who are interested in the data I share. For those of you who do not work with CERTs, FIRST is the glue that holds together the international collaborative efforts of these teams—they serve as both an organization that makes trusted introductions, and vets new…
Old Tricks, New Targets
Just a few days ago, Digitalbond announced that they had been victims of a spear phishing attack. An employee received an email linking to a malicious zip file, posing as a legitimate .pdf paper related to industrial control systems security. Therefore, the bait used by the attackers was supposedly attracting targets somehow involved with the ICS community.
Summercon 2012
Hi Everyone, Chris Valasek guest blogging here at IOActive. I just wanted to tell everyone a little bit about my involvement with Summercon and what to expect at the conference. Although I’m one of the current organizers (along with Mark Trumpbour @mtrumpbour), I’m obviously not the originator, as it started many years back (1987, I believe) as detailed in the most recent Phrack magazine (http://www.phrack.com/issues.html?issue=68&id=18#article). I started attending in 2000 when it was in Atlanta, GA and had a fantastic time. Over the years, the conference has…
QR Fuzzing Fun
QR codes [1] have become quite popular due to their fast readability and large storage capacity to send information. It is very easy to find QR codes anywhere these days with encoded information such as a URL, phone number, vCard information, etc. There exist tons of apps on smartphones that are able to read / scan QR codes. The table below shows some of the most common apps and libraries for the major mobile platforms – keep in mind that there are many more apps than listed here….
ST19XL18P – K5F0A Teardown
4 Metal, 350 nanometer fabrication process, EAL4+ smart card. A device fabricated in 2002 and yet, today the latest ST19W/N series only main differences are the ROM data bus output width into the decrypt block and the fabrication process (180nm and 150nm shrink). The device was dipped into a HydroFluoric (HF) bath until the active shielding fell off. The result of this saved about 10 minutes of polishing to remove the surface oxide and Metal 4 (M4). This also helps begin the polishing process on the lower layers fairly evenly….
#HITB2012AMS: Security Bigwigs and Hacker Crème de la Crème Converge in Amsterdam Next Week
Hi guys! We’re less than a week away from #HITB2012AMSand we’re super excited to welcome you there! HITBSecConf2012 – Amsterdam, our third annual outing in Europe will be at the prestigious Hotel Okura Amsterdam and this year marks our first ever week-long event with what we think is a simply awesome line-up of trainings, speakers, contests and hands-on showcase activities. There should be pretty much something to…
Enter the Dragon(Book), Pt 2
Nobody has been able to find this backdoor to date (one reason I’m talking about it). While the C specification defines many requirements, it also permits a considerable amount of implementation-defined behavior (even though it later struck me as odd that many compilers could be coerced into generating this backdoor in an identical way). From the C specification; Environmental Considerations, Section 5.2—in particular section 5.2.4.1 (Translation limits)—seems to offer the most relevant discussion on the topic. Here’s a concise/complete example: typedef struct _copper { char field1[0x7fffffff];…
Thoughts on AppSecDC 2012
The first week of April brought another edition of AppSecDC to Washington, D.C., but this year people from two different worlds came to the same conference: Web security and Industrial Control Systems security. Of course, at the device level this convergence happened a long time ago if we take into account that almost every modern PLC includes at least a web server, among other things. I was presenting Real-world Backdoors in Industrial Devices on the Critical Infrastructure track, which included really exciting topics from well-known researchers including:…
TLS Renegotiation and Load Balancers
I seem to be fielding more and more questions of late around the rather well-known SSLv3 and TLS renegotiation flaw. For those who aren’t familiar, the TLS renegotiation flaw allows the injection of data into a SSLv3 or TLS stream, potentially causing data injection or the program to misbehave in some other fashion. It is not a full man-in-the-middle attack because the attacker can’t read what’s in the data stream, only inject into it. Ultimately, this is a protocol flaw—one that’s been fixed as an extension to TLS as…