Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

21st FIRST Conference – Day 3

Today’s big thing is the Volatility training from Andreas Schuster. I’ll be trying to attend some talks after the workshop is over were possible.

09:00 Attacks Against the Cloud: Combating Denial-of-Service – Jose Nazario

Cisco anticipates that 90% of bandwidth usage will eventually be used for video services. Historically the Internet has been a nice to have. As services such as communications move to the Internet it becomes a need to have. Availability and quality of service becomes more of a serious issue. Telephony services are a key point. People need to communicate, especially in the event of an emergency. 911 emergency services need to be available all the time.

The generic definition of the cloud – “If somebody elses stuff breaks, your business grinds to a halt”

Internet attack sizes have grown from 200Mbps in 1999 (based on code-red traffic levels) to 50 Gbps in 2009. The trend appears to be a doubling of attack bandwidth year on year.

Historical effects of Denial of Service attacks

  • 1999 –> Routers die under forwarding load
  • 2002 –> Servers die under load
  • 2005 –> Renewed targets in infrastructure (DNS, peering points)
  • 2008 –> Web services

Service providers are now able to cope with the attack traffic. In turn this has caused the problem to move on to the customer. With the event of caching servers and load balancers the attackers have moved to use methods designed overload backend servers with hard to resolve requests. This bypasses the protections put in place in most organisations.

The change of Denial of Service from fun to criminal

  • 1999 –> IRC wars to lead to widespread adoption of primative DoS/DDoS tools
  • 2001 –> Worms: Code Red, Nimda, SQL Slammer
  • 2004 –> Rise of the IRC botnets: Online attacks go criminal
  • 2007 –> Estonia attacks cause governments around the world to worry about cyberwar
  • 2009 –> Iran election results lead to DDoS, Twitter, etc…

Providers have responded by protecting their own infrastructure and using manual blackhole routing as a protection measure (2001). Providers then start to offer DoS protection as a service to customers using BGP injections (2003). Finally providers begin protecting key converged services such as VoIP and IPTV using multi-GBbps inline filtering (2007).

09:30 I am a Kanji: Understanding security one character at a time – Kurt Sauer

Teaching somebody about security is not unlike teaching somebody how to understand Japanese kanji. There are around 50,000 kanji, and they can have multiple definitions. Not an easy task.

Great presentation. I’d suggest looking at the slides/video to get the full effect. Nothing ground breaking, but definitely worth the time.

11:00 Windows Memory Forensics with Volatility – Andreas Schuster

Like yesterday, this is more of a workshop than a presentation. I’ll post up any links / information that might be useful however. You can find the slides and workshop information (along with other good information) on Andreas’ blog

Part 1: Refresher – Memory Fundamentals, acquisition, kernel objects, analysis techniques
Part 2
: Using Volatility – Volatility Overview, analysis w/ Volatility
Part 3: Programming – Developing plug-ins for volatility

PART 1: Refresher

Live Response

  • Focus on “time”
  • Acquisition and analysis in one step
    • Untrusted environment
    • Not repeatable
  • Tools tend to be obtrusive

Research from Aaron Walters and Patroni (2006) that details the percentage of RAM changed when a system is in idle state and during a memory dump –> Blackhat DC presentation from 2007 details this information. Research shows that 90% of freed process objects are still available after 24 hours of idle activity.

Focus of live response is on Main memory, Network status and Processes. When performing memory acquisition, Installing agents prior to the incident can help to minimize the impact.

Expert Witness Format – Used primarily by Encase. libewf project – Joachim Metz (http://sourceforge.net/projects/libewf/)

powercfg /hibernate on” –> Enables hibernate from the command-line on Windows systems. More information on the powercfg command can be found on Microsoft Technet.

Basic memory analysis: piping memory through strings and looking at interesting results. –> Remember to set ASCII/ANSI and UNICODE

  • Many false positives
  • Memory is fragmented
  • Conclusions hard to form (hard to prove connections between strings, discoveries might be mis-leading)
  • Obfuscation

List walking: Find initial pointer and traverse the doubly linked process list –> Applies to single lists and trees

  • Easy to subvert (anti-forensics)

Scanning: Define signature and scan the entire memory for a match

  • Slow
  • OS dependant (patches can break things)

There are also a number of hybrid methods used.

PART 2: Using Volatility

Originally developed in 2006 as a tool called FATkit. This was then used as the basis for VolaTools in 2007. The VolaTools project was transferred to Microsoft through a company buyout. The project was restarted and completely reprogrammed at  an open-source project – Volatility

SVN version is available from http.//code.google.com/p/volatility/

Standard options for Volatility are .:

-h, –help            show this help message and exit
-f FILENAME, –file=FILENAME (required) XP SP2 Image file
-b BASE, –base=BASE  (optional, otherwise best guess is made) Physical offset (in hex) of directory table base
-t TYPE, –type=TYPE  (optional, default=”auto”) Identify the image type (pae, nopae, auto)

For help on specific functions, volatility <function_name> -h

http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins contains a list of published plug-ins for the framework

A number of functions within Volatility have been updated to improve speed and reliability. An example of this is the thrdscan/thrdscan2 function. The updated versions usually run faster than the original versions. It may be best to check the output between the older/newer versions to ensure that you are receiving consistent output and not any false positives/negatives.

volatility modules -f <memory_dump> –> outputs a list of loaded modules (driver files). The modscan2 function will give a more comprehensive list of loaded (and previously loaded) modules (if the metadata is still present in memory). The moddump function can be used to extract a module from the memory dump for further analysis.

Using scanning modules is very helpful as it will reveal information on not only what was loaded at the time of the memory dump, but also scan the entire memory for any matching signatures of what may have been loaded/unloaded prior to the dump. This is the case for not only modules, but also processes as well.

The pstree plug-in is useful to output a process tree (ASCII style).

However not all processes are listed. By using pcscan2 with the “-d > output.file” option you can create a file that can be opened in ZGRViewer. This shows a full graphical output of the process list including start and end-time of each process. ZGRViewer also offers very helpful search functionality to help find processes within the tree.

By finding the PID of a process you can then use the files, and dlllist to find the open files for the process in question. By running getsids you can examine what account started the process, as well as information on if it was interactive or not. You can also use the regobjkeys to examine what was in use within the registry by each PID. By running the procdump function (with the PID of the suspicious executable) you can extract the process into a file for further examination.

Examine open connections and sockets is also simple. Volatility has the connections function (along with connscan/connscan2) and the sockets function (along with sockscan/sockscan2). These functions will output the PID of the creating process so it can be mapped back to processes discovered in the process listing performed earlier. As with a majority of the scanning functions, they may find information on sockets/connections that existed, but were no longer open when the memory dump was performed.

As part of the VolReg plug-in you can also output things like the LSA secrets, as well as password hashes. These rely on information form the hivescan/hivelist functions. Performing the hashdump is something that’s been covered before on various blogs. If you want a rundown of how to perform a complete dump of password hashes, I’d suggest checking out Chris Gates’ post on the carnal0wnage blog, or the forensiczone walkthrough.

Some interesting plug-ins to explore –> cryptscan (to search memory for Truecrypt passwords), malfind (to search for possible injected code), dmp2raw/raw2dmp (for converting formats — Crash Dump format).

This was a great workshop. I’d love to have spent longer going through things. However the point was to demonstrate how to use the Volatility tool and not to teach n00bs like me how to do proper analysis. I’ll have to take the time to run through the examples and slides again to really get to know the process fully.

16:00 Incident Response and Voice for Voice services Lee Sutterfield

Protection of dedicated VoIP services by using a specifically designed Voice Firewall alongside existing firewall technologies. Unlike a normal IP-based firewall, a Voice Firewall is designed to restrict the actions of a user within the policy of the organisation. This includes restrictions such as limiting the destination of dialling from specific extensions (block long distance, international), limit on the time and duration of calls. It also offers the ability to restrict incoming calls to prevent access to dial-up services from unwanted numbers. This can be implemented to prevent war-dialling attacks by restricting based on the source of the call and pattern of inbound calls.

A Voice Firewall is primarily designed to prevent things like toll fraud instead of defending the system from attack. It also offers better visibility into the usage of your voice network and provides alerts when certain trigger levels are exceeded.

Another usage of Voice Firewalls is blocking calls to prevent crank calls, or active war-dialling attempts. Any calls from this number are then blocked and the attempt is logged. Using this technology it is possible to protect against / log attempts of vishing attacks.

Voice Firewalls can be used to assist with the following security points .:

  • Unauthorised modems
  • Remote access (modem) attacks
  • Phone service misuse
  • Toll fraud
  • Harassing/Threatening calls
  • Malicious software (triggering calls to pay numbers)
  • Vishing attacks
  • Denial of Service (against VoIP services)
  • Bomb threats (call  recording)
  • Improve voice uptime
  • Stop data leakage
  • Reduce telecom total cost
  • Baseline/plan/optimize (new VoIP deployments)
  • Policy driven call recording

Voice Firewall technology address age old vulnerabilities and lock-down mechanisms. This increases your ability to provide improved incident response and preventative services to the enterprise as well as via Managed Security Services for Voice (MSSVs).

Well we”ve hit the mid-point of the conference. It’s been great so far. Tonight we have the FIRST conference banquet. Hope they have sushi else there might be a riot 😉

One response to “21st FIRST Conference – Day 3

  1. Pingback: Twitted by workshoptalk

%d bloggers like this: