Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

21st FIRST Conference – Day 2

I’m still not over the jet-lag, but still, day 2 of FIRST rages on. The pre-conference talk started with the announcement that Interpol have been accepted as an official FIRST member. The winners of the best practices contest (this year’s focus was on detection of attacks) were announced, with CISCO CSIRT taking the award with a paper on Netflow (the papers should be available on the FIRST website later today). Second place was awarded to CERT-FI.


09:00 Reconceptualizing Security – Bruce Schneier

Thinking about what security and risk means and how we deal with it. Security by definition involves human beings. We need to define how people think about security. You can have security without actually feeling secure. You can feel secure when you’re not. These are 2 different things. A separation should be made between the feeling of security and the reality of security.

Security is a trade-off: giving up something in order to gain a degree of security. However, what is given up needs to be worth the trade-off. Whether or not something is worth it comes down to a personal choice. People have a natural intuition when it comes to security. Although humans are on one hand good at evaluating their security, they can also sometimes be very bad at it. This is what drove Bruce to research “The Psychology of Security”.

Humans are built to make quick decisions. Getting the good answer fast is better than getting the best answer slow.

Humans rationalise the familiar as more secure than the unfamiliar. People are afraid to fly, yet are happy to drive, although the risk is higher. 42,000 people die every year in the US from car accidents. This figure is much higher than plane accidents. Humans overreact to rare risks more than to risks we accept every day. We will be more likely to stop doing something if a close friend is affected than if many, many people who we don’t know are affected.

The economic incentive is to make people feel secure. However, the feeling and the reality don’t always match.

Discussion of the various mental models based on experience, press, government, industry and human feelings. Humans are better at focusing on risks that are in the short-term, and are very bad at realising risk that is far off.

Security decisions are often made for reasons with nothing to do with security. The person making the decision will manipulate the model based on their view of reality and their requirements. Stakeholders will try to convince others that their views are correct.

If you believe something, then evidence against that belief will often be ignored, whereas positive evidence will reinforce that belief.

Flashbulb moments that change people’s mental models – the 9/11 terrorist attacks and the JFK assassination are examples of US flashbulb moments. Each culture has its own.

Change happens slowly. Even easy changes such as changing people’s smoking habits have taken decades. People are quick to reject new models if they don’t agree with our feelings. Our feeling on global warming (what we see in front of us) doesn’t always agree with the new scientific model of what will happen.

Security reality and security feeling should be balanced. If people feel insecure they will not trust the technology, if they feel too secure they will be at risk.

All effort is put into feeling secure. Some part of that, however, spills over into the reality of being secure. Some things that are implemented to increase the feeling of security in fact lower the reality of security.

Building a surveillance infrastructure makes us less secure.

Economics doesn’t support security and reliability. Features are the main driving force in technology.

11:00 Network Monitoring Special Interest Group: Monitoring & Analyzing Client-side Attacks

This special interest group was in the form of a workshop.

You can download the vmware image (Debian), PDFs and PCAP files used in the workshop – HERE.

The demos focus on client-side / drive-by downloads using examples for fast-flux and non-fast-flux style attacks. The workshop uses a downloadable Debian VM with some self developed tools (based on Rhino).

I opted to skip the afternoon section of the workshop. I’ll work on the exercises on the plane home 😉

13:30 Comprehensive Response: A Bird’s eye view of Microsoft Critical Security Update MS08-067 – Microsoft

Microsoft Security Response Center / Microsoft Malware Protection Center give an overview of Microsoft’s response to the MS08-067 vulnerability and the rise of Conficker.

The MSRC has 3 main areas of responsibility .:

  • Investigate and Resolve Vulnerability Reports
  • Microsoft Security Response Process
  • Building Relationships and Communications

When releasing a security update, Microsoft follow a dual track to manage and deal with the patching process.

  1. Vulnerability Reporting
  2. Triaging
  3. Managing Finder Relationship
  4. Content Creation
  5. Release

In tandem with the above process (at steps 2-4), a technical fix is developed and tested.

  1. Creating the Fix
  2. Testing
  3. Update Dev Tools and Practices

A lot of effort is put into the testing phase to ensure that the patch deals with the issue, doesn’t create other issues (security or non-security related), and is compatible with other products.

Microsoft release day means staff getting in at 6am to monitor the process and make sure everything runs smoothly.

MS08-067 (October 2008)

  • Vulnerability found in Windows Server Service (netapi32.dll)
  • Wormable
  • Large install base
  • Exploit and limited attacks known; widespread malware probable

This vulnerability was discovered through the customer support services department. A specific crash was reported by a customer who was experiencing issues. It was originally thought to be another attack attempt against the flaw originally patched in MS08-040. During further research it was found to be a separate vulnerability.

The vulnerable function is the ConvertPathMacros function.

  • Exposed via anonymous RPC endpoint
  • Replaces the path macros \.. and \.
    • Normal usage: \foo\bar\..\bas -> \foo\bas
    • Normal usage: \foo\bar\.\bas -> \foo\bar\bas

The attack string forces ConvertPathMacros to look back into the stack for the previous slash. Some pre-staging of the attack must be made to trigger the exploit.
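To make the ConvertPathMacros behaviour concrete, here is an added example (my own C sketch, not Microsoft’s code) of a bounds-checked canonicaliser for the \.. and \. macros; the n == 0 test is the guard that stops a \.. from scanning backwards past the start of the buffer, which is the failure mode the talk describes. The names canonicalize_path and canon_equals are my own.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Microsoft's code: bounds-checked canonicaliser for the
 * "\.." and "\." path macros. Returns 0 with the result in `out`, or -1 if the
 * input is not absolute, would overflow `out`, or tries to pop past the root. */
int canonicalize_path(const char *in, char *out, size_t outsz)
{
    size_t n = 0;                       /* bytes written to out so far */
    const char *p = in;
    if (outsz < 2 || in[0] != '\\')
        return -1;                      /* require an absolute path */
    while (*p == '\\') {
        const char *comp = ++p;         /* start of the next component */
        while (*p && *p != '\\')
            p++;
        size_t len = (size_t)(p - comp);
        if (len == 0 || (len == 1 && comp[0] == '.'))
            continue;                   /* empty or "\." : drop it */
        if (len == 2 && comp[0] == '.' && comp[1] == '.') {
            /* "\.." pops the previous component. The n == 0 test is the
             * bounds check: never scan backwards before out[0]. */
            if (n == 0)
                return -1;
            while (n > 0 && out[n - 1] != '\\')
                n--;
            n--;                        /* drop the separator as well */
            continue;
        }
        if (n + 1 + len >= outsz)
            return -1;                  /* would overflow the output */
        out[n++] = '\\';
        memcpy(out + n, comp, len);
        n += len;
    }
    if (n == 0)
        out[n++] = '\\';                /* everything popped: just the root */
    out[n] = '\0';
    return 0;
}

/* Convenience check: 1 if `in` canonicalises to `expected`, else 0. */
int canon_equals(const char *in, const char *expected)
{
    char buf[64];
    return canonicalize_path(in, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}
```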

By using fuzzing it was possible to trigger the vulnerability and search for possible variations of the attack. Microsoft didn’t want to fix netapi32.dll again (after already fixing it in MS06-040 and MS06-070), so all cases were tested to make sure it was done right.

MAPP partners were provided with packet captures, safe PoC, technical description, information about the malware currently exploiting the vulnerability, stack traces.

Through the security bulletin, customers were given workarounds – block SMB, stop services, a Vista\WS08 RPC firewall rule to block the UUID, and the Chacl tool to change the named pipe ACL.

Response Timeline .:

Oct 6th – Received notification of vulnerability
Oct 6th – Reproduced vulnerability on reported platform (XP SP2)
Oct 6th-10th – Begin testing other affected platforms
Oct 10th-22nd – Fix developed and core baseline of testing completed (due to out-of-band release)
Oct 23rd – Patch pushed out through all update platforms (WSUS, Windows Updates, etc…)

The process of releasing this patch was compressed from a 2 month process into a 17 day process due to the severity. Despite this work, customers complained about the patch coming out-of-band. Microsoft rarely release out-of-band patches (in 2008 Microsoft only released 2 out-of-band patches).

Analysis showed that malware was exploiting this flaw beginning on 13/08/2008 – These were targeted attacks designed to drop TrojanSpy:Win32/Gimmiv onto the system. Data was then collected and sent to a server in Japan. Detection for Gimmiv was added into the MSRT tool in November.

After the patch was released more trojans began to use the exploit (Trojan:Win32/Wecorl, Trojan:Win32/Clort). The first worm using this exploit (Conficker) was seen on 21st November. The code used in Conficker didn’t appear to be linked to the earlier team who developed Wecorl/Clort.

The name Conficker was from a string found while Microsoft analyzed the original variant (Traffic-converter.biz).

Conficker B was less about exploiting vulnerabilities and more about testing company best practices (weak passwords, autorun, local administrative permissions, etc…)

Comparison between the various versions of Conficker.

  • Variant A – Spread only through the MS08-067 exploit
  • Variant B – Began to brute-force network shares, infecting network/removable drives, and using scheduled tasks to run the worm on remote machines.
  • Variant C – No new infection methods – Added P2P communications
  • Variant D – No infection required – distributed as an update to previously infected systems (B and C variants)
  • Variant E – No infection required – distributed as an update to previously infected systems (B, C and D variants)

It’s impossible for one vendor to do everything alone. Collaboration across the industry is vital in fighting people who distribute malware.

Around 100 people at Microsoft worked on the MS08-067 / Conficker problem between all phases of the incident. This raises an issue of scalability. If multiple issues like Conficker hit at the same time, then there may be problems handling the load (as yet untested).

16:00 INTERPOL Initiatives to Enhance Cyber Security – Vincent Danjean

Interpol was created in 1923 and is the world’s largest international police organisation with 187 member countries.

There were a lot of statistics and information presented on success stories. I’d suggest taking a look at the slides as there is very little point in me reprinting the statistics and facts. The information is a little dry however, so you have been warned 😉

Well, that’s the end of day 2. It’s been another long day. Time for that beer…

I managed to have a long chat with Sherri Davidoff and Jonathan Ham today after the client-side attack workshop. Jonathan managed to finish the first exercise within a few minutes while most of us were still looking for the right PCAP file. His strategy for the analysis was so straightforward, but very effective for quick analysis of captures. I always enjoy talking to people smarter than me (it happens a lot) as I get to learn something new. I’m looking forward to Sherri’s talk at Defcon as well. It sounds like it’ll be really interesting.

Tonight is the vendor showcase. Normally I shy away from that kind of marketing event, but they have beer 😉 Tomorrow I’ll be attending the volatility workshop held by Andreas Schuster (it’s going to be a day of fun playing in memory). So the blog might be a little short tomorrow. Maybe that’s a good thing though. I talk too much…
