Anti-Debugging Series - Part II

Welcome back to the series on anti-debugging. Hopefully you have your debugger and development environment handy, as we are about to dive into the first round of anti-debugging code. In the first post in this series we discussed six different types of anti-debugging techniques that are in common use today. To refresh, the classification buckets we chose to use are: API Based Anti-Debugging, Exception Based Anti-Debugging, Process and Thread Block Anti-Debugging, Modified Code Anti-Debugging, Hardware and Register Based Anti-Debugging, and Timing and Latency Anti-Debugging. Basic API Anti-...

Major Break in MD5 Signed X.509 Certificates

Jacob Appelbaum and Alexander Sotirov just gave a presentation at the Chaos Communications Congress in Germany. They have implemented a practical MD5 collision attack on X.509 certificates. All major browsers accept MD5 signatures on certificates even though MD5 has been shown to have the collision problem for almost 2 years now. If you can generate your own X.509 certificates you can perform perfect MITM attacks on SSL. They went one better and generated an intermediate certificate authority certificate so they could sign their own certificates. This way they only need to do the attack once and can...

SQL Injection Tangos with Heap Overflows

And the results are not graceful. Unless you have been living under a rock you have heard about the latest Internet Explorer 7 unpatched vulnerability. If you browse a web site that has been modified to contain malicious JavaScript it will download malware to your Windows machine. I first caught wind of it over the weekend when a friend said he was browsing a legitimate training web site when suddenly he saw his Internet Explorer status line change to, "Databinding...". That will make your pulse quicken. AV was useless in stopping the attack. Attackers have been finding web sites that have...

Anti-Debugging Series - Part I

For those that don't know, anti-debugging is the implementation of one or more techniques within computer code that hinder attempts at reverse engineering or debugging a target process. Typically this is achieved by detecting minute differences in memory, operating system state, process information, latency, etc. that occur when a process is started under, or attached to by, a debugger compared to when it is not. Most research into anti-debugging has been conducted from the vantage point of a reverse engineer attempting to bypass the techniques that have been implemented. Limited data has been...

News Report on Non Vulnerability in Windows Vista

Are editors so excited to use the headline "Vulnerability in Windows Vista" in their SEO URLs that they will have their reporters write a story on a non-issue? IDG News has published a news report titled, "Researchers find vulnerability in Windows Vista". The report says: An Austrian security vendor has found a vulnerability in Windows Vista that it says could possibly allow an attacker to run unauthorized code on a PC. The problem is rooted in the Device IO Control, which handles internal device communication. Researchers at Phion have found two different ways to cause a buffer overflow...

Credit for Researchers

Computer security researchers are much like scientific researchers in several ways. We build on the research of those who come before us, we sometimes rediscover the same things independently, and other times we forget where we learned things and sometimes claim them as our own. We also occasionally take an engineer's approach and implement research discovered by others and not credit them as it's the implementation into a tool that matters to us. The latest Microsoft patch MS08-68 is a great example. It is a problem with NTLM authentication where the attacker can force a client to...

Microsoft Fixes 8-year Old Design Flaw in SMB

Among the recent Patch Tuesday fixes is one for NTLM relaying, an issue that has been around for more than eight years. In 2000, I wrote an advisory about NTLM relaying (CVE-2000-0834). The problem turned out to be significantly larger than I originally suggested in the advisory. The attack extended to other NTLM-based authentications on other protocols and allowed general-purpose credential theft via a man-in-the-middle attack. The SMBRelay tool was published in 2001 by Sir Dystic of Cult Of The Dead Cow, and that really took it to the next level. The protocol...

US Government Detects Attacks on Obama and McCain Computers

Now that the presidential race is over Newsweek is reporting that the US Government, through the FBI and Secret Service, notified the Obama and McCain campaigns that their computers had been compromised and sensitive documents copied. ...the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten...

We’ve Reached the Application Security Tipping Point

It’s been a long road since the early 90s when people first started publicly sharing vulnerability information. Back then there were flat LANs, no network filters, and world-writeable NFS mounts hanging out on the Internet. But with the spread of vulnerability information it all started to change. The first major shift in exploit targets was the move from network vulnerabilities to system vulnerabilities. As organizations got better at firewalling, using switch technology and encryption, attackers started exploiting misconfigured hosts. The second major shift, to operating system code level...

Credit Cards Failing Open

Most consumers are aware that when you close a credit card account, it's not really closed. For "convenience" reasons, recurring subscription charges such as your cable bill will continue to be approved. You can kind of see where the credit card companies are coming from, but it's a pretty weak argument. The cable company just needs to notify me that the credit card on file is no longer valid, and I'll update my information. Problem solved. But that credit card weirdness is nothing compared to the one I'm about to describe. Before we do that, let's take a moment to discuss the design...
