Monday, June 29, 2009

Mark Russinovich's Sysinternals tools come in very handy. A recent post over at the Sunbelt blog shows that all of the Sysinternals tools are easily accessible from the command line and even Windows Explorer. Below is an example of me testing this out:


pslist v1.28 - Sysinternals PsList
Copyright © 2000-2004 Mark Russinovich

Process information for CONDORMAN:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   2    0      0     0:31:10.187     0:00:00.000
System                4   8  66  840      0     0:00:21.000     0:00:00.000
smss                644  11   3   21    172     0:00:00.015     0:19:50.041
csrss               872  13  12  824   6788     0:00:54.265     0:19:47.322
winlogon            896  13  18  523   6576     0:00:01.734     0:19:47.057
services            940   9  16  345   1812     0:00:07.484     0:19:46.291
lsass               952   9  22  466   4364     0:00:02.656     0:19:46.260
svchost            1112   8  18  226   2772     0:00:00.171     0:19:45.135

Tuesday, June 2, 2009

Client Fingerprinting

At my current job, I do a lot of programming with Flash (Flex, actually), as well as similar platforms. I am constantly working on and debugging the web apps I manage and develop. I have a debug Flash player installed on most of the browsers I surf the web with, as well as numerous browser add-ons/extensions that help with development. I've been wondering lately whether I should be more careful about the signature my browser creates.

A few weeks ago, I had a rather disconcerting thought that attackers might specifically target web developers for client side attacks. Who else would be a better target? Of all employees in a company, developers are probably given the most rights/permissions when they actually don't need them to get the job done. Also, developers require access to databases and test and production systems and are given more leeway than most.

One might ask: "Why would a developer as a potential target be preferred over someone else, such as a network admin, who also has access to critical systems?"
  • First, typical web developers are easily distinguished from normal traffic on a web site through information that is available from the browser, whereas system admins usually don't carry such an obvious signature when surfing the web.
  • Second, occasional erratic computer/browser behavior is something developers are accustomed to and is something those who work with the developers could easily explain away and dismiss.
  • Third, many web developers are not focused as much as they should be on the security of their apps, let alone their own personal security when they develop web applications.
  • Fourth, sites commonly visited by web-developers are easily identified. Sites (forums especially) that contain walkthroughs and tutorials for certain technologies and practices would most certainly be visited frequently by developers.
By targeting web developers, attackers would be able to focus their efforts on clients who have a greater potential for a good pay-off.

There are several applications that need special "debug" versions of a program to be installed in order for the developer to debug his applications. The foremost in my mind is the Flash Debug Player. The Flash Debug Player is very easily detected. It obviously has more functionality than the normal player, possibly additional functionality that has not been tested as well as the normal Flash Player's basic functionality. The Flash Debug Player allows a debugger to connect to the loaded swf and step through the execution line by line. What would happen if a malicious swf with additional debug information were loaded into a debugger? Although not very likely, it is something to think about, especially when several apps found online automatically display the "Connect to Remote Debugger" dialog when a Flash Debug Player is installed. Also, since a debug Flash player is so easily detected, it would be yet another easily obtained signature that would flag a user as being a developer.

Here are some common and basic "signatures" that I have come up with that should flag a user as being a web developer:
  • Firebug Extension/Add-on
  • Debug Flash Player
  • Web Developer Extension/Add-on
  • User Agent Switcher Extension/Add-on
  • Tamper Data Extension/Add-on
  • Codetech Extension/Add-on
  • Greasemonkey Extension/Add-on
  • Colorzilla Extension/Add-on
  • MeasureIt Extension/Add-on
  • Hundreds of others...
Whether or not all of these can be detected on the client side still remains to be seen, although many of them already can be. (Firebug can for sure. POC: open up Gmail and turn on Firebug; Gmail should tell you that Firebug slows Gmail down.)

Also note that the general idea of fingerprinting clients through readily available information can be used not only to detect the presence of a web-developer, but also possibly to determine how "savvy" the user is with computer technologies, and to detect other "classes" of users (network admin, n00b, old person [?], hacker, teacher, designer, etc.).

Knowledge is power.

Monday, June 1, 2009

Cyber Force Cybercom

Over at TaoSecurity, a post was put up that talked about President Obama's "real" speech addressing cyber security. I started reading it and thought "Holy cow! This is awesome!" I got way excited and started writing up my thoughts on the creation of a Cyber Force branch of the military that was mentioned. After I had written down most of my thoughts, I saw a note at the bottom of the post that says
"Note: If you read this far I am sure you know this was not the President's "real speech." This is what I would have liked to have heard."
I decided to write up the rest of my thoughts on the matter. I kept my original excitement in as well :) Now on to my "real" post:

ps- I've run across an article that talks about a new "cyber command" that will be coming into play. Below are links to that article and other similar ones that seem to support this idea:

pps- Well, it's finally happened! I'm a little delayed putting this in here, but here it is. Defense Secretary Robert M. Gates has created a new command called Cybercom that will defend our networks at home and develop offensive weapons. An article at the Washington Post talks about it more.

President Obama gave a speech on cyber security last Friday. TaoSecurity had received a hard copy of the President's prepared remarks sometime before he actually gave his speech. At one point during his speech, he went off of what had been prepared (here's what he actually said). TaoSecurity made a post that talked about the things President Obama didn't say that were in his prepared speech. One of them is this:

"We will instruct the Secretary of Defense to examine the creation of a Cyber Force as an independent military branch. Just as we fight wars on land, at sea, and in the aerospace domains, we should promote warfighters thoroughly steeped in the intricacies of defense and attack in the cyberspace domain. We will also make it clear to our national adversaries that a cyber attack upon our national interests is equivalent to an attack in any other domain, and we will respond with the full range of diplomatic, information, military, and economic power at our disposal."

How cool is this?!?! This is actually something I've been thinking about and hoping for for quite some time. I've often wondered when the government would get around to thinking along the same lines. Creating another branch in the military whose area of expertise is cyber warfare will have a massive influence on our culture and perspective pertaining to computer security. Below is a list of several ways I think the US and the world will be influenced:
  1. Increased Awareness
    War hasn't changed too much over the years. Our troops muster up courage and travel to where the enemy is and show them who's boss. The front-lines of war seem to have remained away from our homes and daily routines. Until recently, that is. Our computer networks and digital infrastructure are increasingly becoming the targets of attacks from enemy nations. Speaking of this at such a high level doesn't quite carry across the potential impact that exists. Consider the following:

    Most people have a bank account. In the days before most banking was done online, it was necessary to physically go to the bank to withdraw/deposit money (who would've thought?) Imagine one day going to your bank, and the bank is gone, vanished. It was there the day before when you drove by, but now it is gone! All that exists where the bank was is a big black hole, or possibly a poster made with butcher paper and paint containing offensive reasons to fight against democracy. You try calling the bank, but you can't get through. You try purchasing a few items with your debit card, but the transaction fails. This is one thing that could happen if only our banks became the focus of attacks from enemy nations. Such an attack would affect each of our personal lives to an intense degree.

    The creation of a Cyber Force as a new military branch will pull cyber security into the lime light. The public should be made aware of why a new military branch is necessary and will come to realize how critical our digital infrastructure is. The public could be made aware through free programs and/or public demonstrations. The public demonstrations could demonstrate on a personal level how much we depend on our digital connections and how much an attack on them would affect us. I believe such demonstrations coupled with additional opportunities to learn would be most effective at informing the most people. This increased awareness will be the main impetus for the other points below.
  2. Digital Infrastructure == Mere Commodity National Asset
    The increased awareness described above will cause people to realize how vital our digital infrastructure is. It will begin to be viewed not only as a commodity and something nice to have around, but as something that is absolutely necessary for our nation to function in its current state. Hopefully, we will begin to not take it for granted and will view it as a national asset that we need to protect. We will become aware that it is one of our nation's largest vital organs.
  3. Coding and Network Standards
    Contractors who create or offer products and services to the military usually must meet a much higher standard than the private sector's standards before their product/service will be considered or used. Their products/services will be on the "front-line" and will probably have to hold their own against enemy attacks of some kind. Other assets will depend on the functionality of this product to complete their missions. The failure of one product/service will drastically affect the outcome of the current mission and the integrity of the "team".

    As we become more aware, we will realize that our digital infrastructure is part of our front-line and is not being held to the same standards as our products/services on the traditional front-lines. Hopefully, we will realize that a lapse in security of one product/service will almost certainly affect the integrity of another. I believe that new forms of coding standards will be introduced, along with a way to enforce/regulate the type of code/network/service that is put on our "front-line".
  4. Increased Funding/Opportunities for Research
    With the creation of a new branch of the military, the government will be looking for companies to place bids on projects they need completed, and companies will be looking to meet the new demand for security solutions. More companies will enter this market and each of those companies will need their own security professionals and researchers. I believe this market will grow much larger than it currently is.

    The creation of the Cyber Force could also actually start a new "arms" race. This arms race would occur both inside the U.S., as competition between research groups and companies, and between the U.S. and other countries. Research groups at universities would also receive more funding to further our defensive and offensive technologies in the field of cyber security. The new Cyber Force branch would need to have its own research teams and divisions as well.
  5. Additional Education/Development Programs
    Similar to how ROTC programs work with other branches of the military, I can easily foresee ROTC (or Cyber Force specific) programs being implemented. High-school and college students would jump into these programs headfirst and would enjoy it tremendously. These programs would have high enrollments, for everyone who likes computers at least secretly wishes they knew more about computer security and what is possible. The development programs would also have a very high retention rate, because of the nature of the subject matter itself. The courses would also have a high retention rate especially because those enrolled in them would most likely not be exposed to physical danger should they continue into the Cyber Force. I know if I were given such a chance to formally be taught about cyber security when I was in high-school with the possibility of being a professional in that field in the military, I would've jumped at the chance. I still would, actually.

    Few universities have majors with an emphasis on Information Assurance/Computer Security, and even fewer have majors dedicated to this field. I believe higher education institutions would experience an increase in the number of students who are interested in computer security. This would spur the universities on to develop full programs centered on computer security, possibly with the creation of new majors and/or graduate degrees.

In my opinion, this is an EXCELLENT idea. I literally can't wait to see what comes out of this. I think it has the potential to be something amazing.

Thanks for reading!