SecureWorks 'Research' Category

DarkMarket: FBI Sting Closes E-Doors

Tuesday, October 21st, 2008

DarkMarket.ws (known in carding, identity theft, and other black-hat rings) went “dark” earlier this month. DarkMarket was widely known and respected among criminals as a forum for exchanging stolen banking data, credit card information, and other underground activities. What users of the site didn’t know was that it wasn’t really hosted by Eastern-European hackers. It was run from an FBI facility in Pittsburgh, PA, where agents of the National Cyber Forensics Training Alliance collaborated with industry professionals and graduate students to trace the identities and locations of criminals. The site was run primarily by agent J. Keith Mularski, under the handle ‘Master Splyntr’.

Reports leaked from Südwestrundfunk, a German radio station, revealed the FBI operation’s role in detaining a German card fraudster active on the site. In operation since November of 2006, DarkMarket was especially well known for English-speaking forums. Ironically, soon after DarkMarket’s launch in 2006, well-known hacker Max Ray Butler penetrated the site’s servers and found information revealing FBI ties. Butler’s claims to the underground were largely ignored; at the time, he ran a competing underground forum. As a result, most believed his claims false. DarkMarket successfully continued operations despite Butler’s claims.

Now that the site has gone down and the cat is out of the bag, numerous arrests are expected. This is a big win for the good guys. So far, 56 arrests have been made. We have a suspicion that others who may have conducted business at DarkMarket have not been sleeping too well, as additional arrests are expected.

In this case, the FBI got it right. It’s an impressive feat to penetrate the inner circle of these criminals.


ClickJacking Attacks

Friday, October 10th, 2008

ClickJacking has recently been getting lots of media attention. Security researchers Robert Hansen (“RSnake”) and Jeremiah Grossman planned to give a talk outlining this vulnerability at OWASP AppSec, but the talk was cancelled. At this point, some details have come to light. The specifics of the attack may vary: some variants require JavaScript, Flash, cross-domain access, IFRAMEs, overlays, or a combination of these.

The attack starts with a malicious web page that does more than it appears to. Objects embedded in the page capture the user’s mouse clicks and direct them to a hidden target, so the user unwittingly acts on something other than what is displayed. Hijacked clicks may be used in many ways, including deleting mail, advertisement click fraud, or other, more sinister actions. A demo page demonstrating one possible variation (it reads images from a webcam without the user’s knowledge) can be seen at the following URL:

http://guya.net/security/clickjacking/game.html

Unfortunately, there is no quick and easy fix. Firefox users running the NoScript plugin will thwart the majority of these attacks (make sure you are using version 1.8.1.9 or later!). We will continue to monitor this vulnerability and provide an update when more information is available.
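For site owners rather than end users, the defensive side of the problem is keeping your own pages from being rendered inside a hostile frame in the first place. The following is an added example (not code from the original post, NoScript, or the demo page above) showing two layers a site can apply: a frame-busting check that runs in the browser, and the anti-framing response headers that browsers later adopted (X-Frame-Options and the CSP frame-ancestors directive, both of which postdate this 2008 post). The window and document objects are passed in as parameters, and the self-check at the bottom uses constructed stand-ins for them, so the block runs outside a browser.

```javascript
// Added example: defender-side clickjacking mitigation, not part of the post.

// Layer 1: detect whether this page is embedded in a frame. Takes the window
// object as a parameter so the logic can be exercised with constructed stand-ins.
function isFramed(win) {
  // A page is framed when its own window is not the top-level window. Reading
  // win.top can throw for a cross-origin parent, which by itself means we are
  // inside a foreign frame, so an exception is treated as "framed".
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Hide the clickable UI while framed rather than relying only on navigating
// the top window away: navigation-based frame busting can be blocked by the
// embedding page, so "hidden" is the safe default state. Returns the action
// taken so callers (and tests) can check it.
function protectPage(win, doc) {
  if (!isFramed(win)) {
    doc.body.style.display = "";       // normal rendering
    return "shown";
  }
  doc.body.style.display = "none";     // never expose clickable controls in a frame
  try {
    win.top.location = win.self.location; // best-effort attempt to escape the frame
  } catch (e) {
    // cross-origin parent: cannot navigate it, page simply stays hidden
  }
  return "hidden";
}

// Layer 2: response headers instructing the browser not to frame the page at
// all. These are the mitigation to prefer where clients honour them; the script
// above is the fallback for clients that do not.
function antiFramingHeaders(allowSameOrigin) {
  return allowSameOrigin
    ? { "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'" }
    : { "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'" };
}

// Stand-alone self-check with constructed window/document stand-ins.
if (typeof window === "undefined") {
  const topWin = {};
  topWin.top = topWin; topWin.self = topWin;          // a top-level window
  const framedWin = { top: topWin, self: {} };         // a window inside a frame
  const fakeDoc = { body: { style: { display: "" } } };
  console.log(protectPage(topWin, fakeDoc));           // shown
  console.log(protectPage(framedWin, fakeDoc));        // hidden
  console.log(antiFramingHeaders(false));
}
```

The header layer should be emitted by the server on every response that carries an interactive page; the script layer only helps for clients that ignore the headers, and it can itself be defeated by a sufficiently determined embedding page, which is why the post's "no quick and easy fix" still holds for the client side.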


ToorCon Report

Wednesday, October 1st, 2008

Greetings from sunny San Diego! The past couple of days have been an absolute blast. The folks at ToorCon have put together an awesome conference this year, including speakers from around the world presenting some cutting edge research.

Ben Feinstein and I attended a two-day “crash course” in penetration testing offered by Learn Security Online. Chris Gates and Joe McCray presented some excellent introductory material. They also included a few advanced evasion techniques that I hadn’t seen before. It’s always good to sharpen your skills.

During the Friday seminars, Jay Beale from InGuardians gave an overview of his man-in-the-middle tool, The Middler. He mentioned the code would be released Real Soon Now, so I look forward to a chance to play around with it. Jared DeMott, now at Crucial Security, also gave a rundown of reverse engineering using IDA Pro and the Immunity Debugger. I’m a big fan of Jared’s previous work with fuzzing.

The first day of the convention was pretty packed. Since I didn’t have the chance to attend Black Hat/Defcon this year, Dan Kaminsky’s DNS keynote and Alex Sotirov’s evasion of Vista’s memory protections were fresh and eye-opening to me. Ben also gave his talk about brute-forcing SSH sessions that use the broken Debian SSL libraries, the code for which is available as part of our open-sourced Snort plugins. Joe McCray also gave a good survey of various advanced SQL injection techniques; I really like his classification scheme for the types of SQL injection. Finally, Kurt Grutzmacher’s squirtle tool for obtaining and reusing NTLM hashes from inside corporate networks via XSS definitely proves that you must secure even internal Web applications.

Day two’s shorter format squeezed a lot more presentations in, but some of them felt a bit pressed for time. Marc Bevand showed how to crack DES passwords with the PS3, using some awesomely optimized code. Chema Alonso released a tool for downloading remote files via blind SQL injection. Dennis Brown presented some interesting new details on the Asprox/Damnec botnet, which we’ve covered before. The presentation on hacking telephone entry systems elicited a few chuckles, especially the “dial 333 for rickroll” segment. Stephan Chenette’s presentation on browser hooking is an excellent new technique for deobfuscating JavaScript, like our Caffeine Monkey tool. I’ve been really impressed with the convention this year. ToorCon is big enough to attract some high quality presenters, but still small enough that you don’t get lost in the crowd. Hope to see everyone again next year!


Droppin’ Some Hashes

Monday, September 22nd, 2008

At SecureWorks, we follow a Responsible Disclosure Policy. As such, when we find vulnerabilities in other vendors’ products or services, there is often a delay between the discovery and when we can publicly disclose the issue.

The following cryptographic hashes are related to a couple of disclosure processes I kicked off on Thursday, September 18, 2008.

File #1
MD5 b0625c8d39e3fcfaf51a577e310eb053
SHA1 0a8bdb073855eee0d31ff3afb081cf1d8d17c2bd

File #2
MD5 c74309900e7b11de5d7f211eb536cdb6
SHA1 99870aa6a0b4b33a88a2fbfd3eb83ce38bfbb7ce


BGP in the News

Tuesday, September 16th, 2008

Border Gateway Protocol (BGP), the high-level routing protocol that figures out how to route packets between ISPs and other large Internet entities, has been seeing a lot of press recently. While BGP is vitally important to the Internet, it’s not often talked about in the mainstream press. However, two rather interesting security-related issues have come up in the past few weeks.

First, there has been a lot of attention on the BGP hijacking attack demonstrated at DEFCON 16 last month. It has long been known in network operations circles that nothing inherent in BGP prevents a rogue actor from announcing IP space they don’t own. Until recently this attack has been seen as useful mostly for denial of service. This is because once a rogue actor starts announcing the target’s IP space, they start receiving all traffic destined for the target. This makes it very obvious to the target that something bad is going on. It is also easy to trace the bad actor because BGP records the path a route announcement took, including its point of origin.

However, Alex Pilosov and Tony Kapela’s DefCon presentation revealed a way to intercept traffic and then route it back to the target. As the victim continues to receive their normal traffic, there is no reason for them to suspect that something malicious is afoot. They also suggested ways to alter the TTL on diagnostic packets to cloak the hijacked route from traceroute and similar IP-layer utilities. This means that the target would have to examine BGP tables to discover that their traffic has been hijacked. As most organizations don’t directly use BGP, this results in a pretty stealthy attack.
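Since the post notes that a victim would have to examine BGP tables to notice such a hijack, here is an added example (not from the presentation or from SecureWorks) of the kind of check an operator can run over route-collector data for their own prefixes. It flags two things: an announcement of an owned prefix whose origin AS is not the registered one, and any more-specific of owned space that the operator did not announce themselves. The second check deliberately ignores the AS path, because the attacker controls the path they announce and can make the origin look legitimate. All prefixes and AS numbers below are constructed placeholders, and the route entries are a constructed sample rather than real collector output.

```javascript
// Added example: detecting suspicious announcements of your own address space
// in a BGP table snapshot. Not part of the original post; all values constructed.

// IPv4 prefix helpers (no external modules needed).
function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function parsePrefix(prefix) {
  const [ip, len] = prefix.split("/");
  const bits = Number(len);
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return { net: (ipv4ToInt(ip) & mask) >>> 0, bits, mask };
}
// True when `a` is a strictly more-specific prefix inside `b`.
function isSubnetOf(a, b) {
  return a.bits > b.bits && ((a.net & b.mask) >>> 0) === b.net;
}

// Constructed sample of entries as a remote collector might see them:
// { prefix, asPath } where the last AS in the path is the origin.
const SAMPLE_ROUTES = [
  { prefix: "198.51.100.0/24",   asPath: [64500, 64510, 64520] },        // legitimate
  { prefix: "198.51.100.0/25",   asPath: [64500, 64530, 64599, 64520] }, // more-specific, origin forged to look right
  { prefix: "198.51.100.128/25", asPath: [64500, 64530, 64599] },        // more-specific, foreign origin
  { prefix: "203.0.113.0/24",    asPath: [64500, 64510, 64520] },        // legitimate
  { prefix: "203.0.113.0/24",    asPath: [64500, 64540, 64599] },        // same prefix, wrong origin
];

// What the operator expects: owned prefix -> registered origin AS (constructed).
const OWNED = { "198.51.100.0/24": 64520, "203.0.113.0/24": 64520 };

// Returns findings of the form { prefix, origin, reason }.
// expectedSpecifics: more-specifics the operator legitimately announces.
function findSuspicious(routes, owned, expectedSpecifics = new Set()) {
  const findings = [];
  for (const r of routes) {
    const net = parsePrefix(r.prefix);
    const origin = r.asPath[r.asPath.length - 1];
    for (const [ownedPrefix, ownedAs] of Object.entries(owned)) {
      const ownedNet = parsePrefix(ownedPrefix);
      if (net.net === ownedNet.net && net.bits === ownedNet.bits) {
        if (origin !== ownedAs) {
          findings.push({ prefix: r.prefix, origin, reason: "wrong origin for owned prefix" });
        }
      } else if (isSubnetOf(net, ownedNet) && !expectedSpecifics.has(r.prefix)) {
        // The AS path is attacker-controlled, so the unexpected more-specific
        // itself is the signal, whatever origin it claims.
        findings.push({ prefix: r.prefix, origin, reason: "unexpected more-specific" });
      }
    }
  }
  return findings;
}

console.log(findSuspicious(SAMPLE_ROUTES, OWNED));
```

Run against a real table dump, the same logic would be fed prefixes and paths parsed from a collector's export; the point of the example is that the more-specific check catches the interception variant even when the announced path ends in the victim's own AS.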

The other BGP-related issue in the news recently is the depeering of Atrivo. BGP is designed to connect networks administered by independent, autonomous groups. This requires each autonomous system (AS) to connect to various peers (including a kind of paid peering known as a transit link - see this for more info) to maintain connectivity. A white paper was recently released by Jart Armin describing a large amount of malicious activity on a service provider network known as Atrivo. This included details on how the malicious sites have lingered on the network for years, despite being reported to the Atrivo abuse department. That report has been publicized in a variety of places, including the Washington Post.

This spawned a discussion on the North American Network Operators’ Group (NANOG) mailing list regarding Atrivo. A number of Atrivo’s peers have severed their connections with them, making it more difficult for them to route traffic. Despite the large amount of information on the abuse coming from Atrivo’s network, a number of network operators expressed concerns. These included worries that one man’s malicious traffic is another man’s censorship, concerns about copyrighted traffic, the view that this should be handled by law enforcement, the fear that conspiring to keep the Internet clean may lead to legal liability, and an interesting discussion on whether providers should have to prove the cleanliness of their networks.


Black Hat 2008 Wrap Up

Thursday, August 21st, 2008

By Hunter King & Nick Chapman

The saying goes: “What happens in Vegas stays in Vegas.” Well, apparently not during the week of Black Hat USA 2008. Black Hat is one of the world’s largest and most well known security conferences. Several members of the SecureWorks Counter Threat Unit(SM) had an opportunity to attend and we’d like to share some brief highlights from a few of the talks.

There were many highly renowned speakers sharing their expertise, including our own Joe Stewart speaking about the Storm botnet. Informal conversations with other attendees were also extremely valuable. With all this knowledge and experience in one place, Black Hat really is like drinking from the InfoSec fire hose. We don’t want to keep you in suspense any longer, so here are a few samples from some of our favorite talks.

SQL Injection Worms for Fun and Profit

Readers of our previous blog postings will know that we, like many others, have been keeping an eye on the recent waves of mass SQL injection attacks (here, here, and here). Justin Clarke of Gotham Digital Science gave a turbo talk about this very topic. The main thrust of his presentation was that this is just the beginning. The current attacks, although widespread, are very limited in scope. The attackers are only targeting websites that use Microsoft SQL Server as a backend database, and only Microsoft ASP (and more recently Cold Fusion) websites. Once a website has been compromised, the payload only targets users who visit that site. Nasty attacks that could be on the horizon include privilege escalation / attacking the database host OS, attacking HTML forms, scanning internal corporate networks / DMZs, and more. Today the attackers are using the Google search engine to identify potentially vulnerable systems and have successfully compromised literally hundreds of thousands of websites. It would be quite feasible to use Google search results to further refine their focus, generating a targeted attack against an entire business vertical or just a particular organization.

Get Rich or Die Trying - “Making Money on The Web, The Black Hat Way”

Jeremiah Grossman and Arian Evans gave a wonderful talk about real world ways to monetize attacks, both against technology and flaws in business logic (Arian’s other talk about encoding issues was also very interesting). What I found fascinating is how, as the amount of money involved increased, the amount of technical expertise required to pull off the hack decreased. The presentation started by talking about manually solving CAPTCHAs for profit. Initial offers were for $10 per 1000 CAPTCHAs solved, which works out to an income of about $50 a day. However, free market competition drove that price down to as low as $2 per 1000 CAPTCHAs.

Another way hackers can make large sums of money without a high degree of technical sophistication is through information leakage. An Application Service Provider (ASP) which provided services to banks had been revealing sensitive information in an error message. Only three items of information were actually required to access an account through the ASP: a client identifier, a bank identifier and an account number.

These parameters were supplied via HTTP GET variables, easily modifiable by anyone with a web browser. If the three items didn’t match, the web application was kind enough to tell the visitor that “Account X belongs to Bank Y.” If a visitor used the correct bank identifier but the other parameters did not match, the website would inform them that “Bank Y belongs to Client Z.” The website was also only checking that a visitor was authenticated; it did not verify that the user was authorized to access a particular account. This could easily be exploited for profits in the tens or hundreds of thousands of dollars.

A third example requires even less technical expertise. A website featuring press releases (including profit and loss statements) would add press releases to their site ahead of their official release date; they just wouldn’t link them from the main page. However, the press releases were stored on sequentially numbered web pages, so it was a trivial task to identify and access a “hidden” press release. This would allow outsiders to have access to P&L information for publicly traded companies before the market closed. Hackers exploited this to earn over 8 million dollars on the stock exchange market.

The critical lesson here is that all avenues of attack must be considered. This is especially true when dealing with how the business logic is implemented at a technical level. This is very difficult to do, because it requires knowledge of the business processes and a grasp of some of the technical details that drive those processes. If you’re not aware of how these interact, rest assured that there are many people using your systems, and it only takes a single one having that “Eureka!” moment where they find a critical flaw. This can lead to financial losses in the hundreds of thousands or more. What’s even worse is that some of these “attacks” aren’t even illegal, not even in the United States.
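To make the two application-level mistakes in the banking ASP story concrete, here is an added example (not code from the talk or from the provider described) showing a lookup handler with both defects beside a hardened version. The leaky handler checks only that the caller is logged in, lets any logged-in user read any account, and returns error messages that confirm identifiers one at a time; the hardened handler checks that the caller is authorized for that specific account and returns one generic failure message regardless of which identifier was wrong. The account store, user grants and identifier formats are all constructed for the example.

```javascript
// Added example: the information-leakage and missing-authorization defects
// from the talk, beside a hardened handler. All data below is constructed.

// "Database" of accounts keyed by client|bank|account (constructed values).
const ACCOUNTS = new Map([
  ["C100|B7|ACC-1", 1200],
  ["C100|B7|ACC-2", 300],
  ["C200|B9|ACC-1", 9999],
]);

// Which accounts each authenticated user is authorized to view (constructed).
const USER_GRANTS = new Map([
  ["alice", new Set(["C100|B7|ACC-1"])],
  ["bob",   new Set(["C200|B9|ACC-1"])],
]);

const keyOf = (clientId, bankId, accountNo) => `${clientId}|${bankId}|${accountNo}`;

// Vulnerable: authentication only, plus error messages that act as an oracle.
function leakyLookup(user, clientId, bankId, accountNo) {
  if (!USER_GRANTS.has(user)) return "error: not logged in";
  const k = keyOf(clientId, bankId, accountNo);
  if (ACCOUNTS.has(k)) {
    // Defect 1: any authenticated user can read any account (no authorization).
    return `balance: ${ACCOUNTS.get(k)}`;
  }
  for (const stored of ACCOUNTS.keys()) {
    const [c, b, a] = stored.split("|");
    // Defect 2: each message reveals one more correct identifier.
    if (a === accountNo && b !== bankId) return `error: account ${a} belongs to bank ${b}`;
    if (b === bankId && c !== clientId)  return `error: bank ${b} belongs to client ${c}`;
  }
  return "error: not found";
}

// Hardened: per-account authorization, and one uniform failure response.
function hardenedLookup(user, clientId, bankId, accountNo) {
  const k = keyOf(clientId, bankId, accountNo);
  const grants = USER_GRANTS.get(user);
  if (grants && grants.has(k) && ACCOUNTS.has(k)) {
    return `balance: ${ACCOUNTS.get(k)}`;
  }
  // Same message whether the user is unknown, unauthorized, or the account
  // does not exist: the response carries no information about which it was.
  return "error: not found";
}

console.log(leakyLookup("alice", "C200", "B9", "ACC-1"));    // leaks bob's balance
console.log(leakyLookup("alice", "C999", "B7", "ACC-1"));    // confirms the client id
console.log(hardenedLookup("alice", "C200", "B9", "ACC-1")); // error: not found
```

The sequentially numbered press-release pages are the same missing check in a different form: the server trusted that nobody would guess an identifier rather than asking whether the requester was allowed to see the resource behind it.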

Malware Detection Through Network Flow Analysis

The always entertaining Bruce Potter, founder of The Shmoo Group, gave a talk titled “Malware Detection Through Network Flow Analysis.” In it, Bruce emphasized the need to quickly detect compromised machines in order to minimize damage. Given the rate at which client-side attacks presently occur, compromise is, for many, inevitable. Quick detection of infections becomes an increasingly important tool in the defender’s toolkit. Bruce advocates analyzing network traffic data for statistical anomalies. For example, a desktop which sends out twice as much data as it receives is likely part of a botnet. Without NetFlow data (or similar), this infection may go completely unnoticed. Bruce also advocated including frequency distribution graphs alongside traditional time-based graphs as a method of quickly identifying potential network issues. Incorporating these techniques won’t stop the bad guys, but could greatly minimize the damage done once a compromise does occur.
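As an added example of the statistical check Bruce describes (this is not his code or tooling), the block below reduces a set of flow records to a per-host ratio of bytes sent to bytes received across the network boundary, flags hosts whose ratio reaches a threshold (two, matching the "sends twice as much as it receives" heuristic), and builds the kind of frequency distribution the talk recommends plotting alongside time-series graphs. The flow records, addresses and the 10.0.0.0/8 "internal" convention are constructed for the example.

```javascript
// Added example: bytes-out/bytes-in anomaly detection over flow records.
// Not part of the talk or the post; all records below are constructed.

// Constructed NetFlow-style records: [srcIp, dstIp, bytes].
const FLOWS = [
  ["10.0.0.5",  "203.0.113.10", 1500],  ["203.0.113.10", "10.0.0.5",  48000],
  ["10.0.0.5",  "203.0.113.11", 2200],  ["203.0.113.11", "10.0.0.5",  31000],
  ["10.0.0.9",  "198.51.100.7", 52000], ["198.51.100.7", "10.0.0.9",  9000],
  ["10.0.0.9",  "198.51.100.8", 61000], ["198.51.100.8", "10.0.0.9",  7000],
  ["10.0.0.12", "203.0.113.20", 8000],  ["203.0.113.20", "10.0.0.12", 8500],
];

// Assumption for the example: 10.0.0.0/8 is the internal network.
function isInternal(ip) { return ip.startsWith("10."); }

// Per internal host: bytes sent to the outside divided by bytes received from it.
// Internal-to-internal flows are ignored; a host that received nothing is
// divided by 1 so the ratio stays finite.
function perHostRatios(flows) {
  const sent = new Map(), recv = new Map();
  const add = (m, k, v) => m.set(k, (m.get(k) || 0) + v);
  for (const [src, dst, bytes] of flows) {
    if (isInternal(src) && !isInternal(dst)) add(sent, src, bytes);
    else if (isInternal(dst) && !isInternal(src)) add(recv, dst, bytes);
  }
  const ratios = {};
  for (const host of new Set([...sent.keys(), ...recv.keys()])) {
    ratios[host] = (sent.get(host) || 0) / Math.max(recv.get(host) || 0, 1);
  }
  return ratios;
}

// Hosts whose outbound volume is at least `threshold` times their inbound volume.
function flagTalkers(ratios, threshold = 2.0) {
  return Object.keys(ratios).filter(h => ratios[h] >= threshold).sort();
}

// Frequency distribution of ratios in fixed-width buckets (bucket lower bound -> count),
// the data behind the distribution graph the talk recommends.
function ratioHistogram(ratios, bucket = 0.5) {
  const hist = {};
  for (const r of Object.values(ratios)) {
    const key = (Math.floor(r / bucket) * bucket).toFixed(1);
    hist[key] = (hist[key] || 0) + 1;
  }
  return hist;
}

const ratios = perHostRatios(FLOWS);
console.log(ratios);                  // 10.0.0.9 is the outlier
console.log(flagTalkers(ratios));     // [ '10.0.0.9' ]
console.log(ratioHistogram(ratios));
```

A desktop that mostly browses will sit far below 1.0; a file server or a host relaying spam will sit well above it, so the histogram is what lets you pick a threshold that separates the roles on your own network rather than taking 2.0 on faith.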

Circumventing Automated JavaScript Analysis Tools

Billy “AJAX” Hoffman’s talk, titled, “Circumventing Automated JavaScript Analysis Tools,” focused on why current attempts to run malicious JavaScript within sandboxes are failing. With the increasing popularity of sandboxes, including SecureWorks’ own Caffeine Monkey, JavaScript-based malware is being forced to play “catch-up” with x86 malware with regard to sandbox detection. These techniques revolve around writing code which behaves differently in a browser than in a sandbox. Using the “quit” command within a try/catch block is a perfect example. This command, which does nothing when run from within a web browser, will exit Mozilla’s standalone JavaScript interpreter. Billy listed at least 20 pages of similar techniques (each needed to be coded for explicitly). Two main alternatives exist:

1) Analyze malware using a real browser within a VM. JavaScript can tell when it is being run inside a sandbox, but not when it is running in a real browser inside a VM.

2) Modify the Mozilla JS interpreter to run in headless mode. This would break the majority of Billy’s attacks, and raise the bar significantly for malware authors. The analysis needed to detect this form of inspection would be easy to identify and evade.


Is Security Research Protected Speech? UPDATE

Tuesday, August 19th, 2008

UPDATE: The Boston Herald is now reporting that in today’s hearing (8/19/08), Judge O’Toole has rejected the MBTA’s request to impose a five month injunction. The temporary restraining order expired earlier today. The MIT students are no longer subject to any judicial orders restraining them from speaking about their research.


Is Security Research Protected Speech?

Tuesday, August 19th, 2008

On Thursday August 14th, 2008, there was another hearing in the dispute between the group of MIT students and the Massachusetts Bay Transportation Authority (MBTA). Judge O’Toole decided to allow the temporary restraining order which prevented the students from giving their presentation titled “Anatomy of a Subway Hack” or to discuss related information to stand without modification. The next hearing will be on Tuesday when the temporary restraining order expires. It seems likely that the MBTA will then ask for a more permanent injunction.

During the emergency hearing on Saturday, August 9th, the Electronic Frontier Foundation (EFF), providing counsel for the students, argued that a temporary restraining order of this kind imposed prior restraint upon their speech. A party seeking prior restraint of another’s speech is considered to have a very high burden to prove that they are not unduly burdening the other party’s freedom of speech. The most famous case involving prior restraint is New York Times Co. v. United States, better known as the Pentagon Papers. In this case the Supreme Court found that the Government’s interest in restricting the publication of classified material was not sufficient to trump the New York Times’s 1st Amendment rights. The material in question described the Government’s actions in Vietnam, while American soldiers were still fighting in the region. Subsequently the courts have stated that only the most important of government needs, such as revealing the location of our troops in the field, would allow prior restraint. It would not seem that the possible harm of informing people how to get a free ride on the subway would rise to that level.

How is it then that the MBTA was able to obtain a temporary restraining order preventing the students from speaking? Judge Woodlock, the judge who presided over the emergency hearing on August 9th, interpreted the Computer Fraud and Abuse Act (CFAA) to mean that the students, while giving a talk at Defcon and/or making software available for download, could be in violation of the CFAA. Specifically, the clause that criminalizes anyone who “knowingly causes the transmission of a program, information, code, or command and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”. The Judge’s interpretation is that the talk constitutes transmitting information and that if after the talk any of the attendees then damage the MBTA by bypassing the fare system, this counts as damage.

The EFF, needless to say, disagrees. The EFF argued that in the CFAA transmission means transmitting information to a computer, not a person (otherwise the statute would infringe upon the 1st Amendment, and in other paragraphs it uses the term communicate to refer to giving information to a person). The EFF also argues that the damage must occur as a direct result of the transmission of the information / code. They say that if someone else later commits a crime based upon information you transmitted to them, the link between the action and the damage is too attenuated to be combined into a violation of the statute. It also seems that according to the EFF the damage must be to the computer system, or damages associated with downtime or cleaning up after an incident. There are other provisions of the CFAA that cover stealing information and unauthorized access with intent to defraud. However they do not seem to apply in this case and are not the provisions the judge relied upon when he granted the temporary restraining order. The CFAA, although a criminal statute, allows people to bring civil action to recover damages incurred from violating the statute and to ask the court to enjoin continued violation of the statute.

The free speech issues the EFF raised at the emergency hearing on Saturday, August 9th were not addressed at that time, but the MBTA did mention them in their brief for the August 14th hearing. The MBTA first called the MIT students’ speech an incitement to a crime, and second stated that: “The Individual Defendants’ DEFCON presentation constitutes commercial speech. Commercial speech is any speech that proposes a commercial transaction. As commercial speech advertising illegal activity, it receives no First Amendment protection. Here, the Presentation is full of marketing, and self-promotional statements. It is not a research paper.” [Plaintiff’s Opposition to Cross Motion for Reconsideration of Defendants]

I have not heard a recording of the hearing on the 14th, however I’m sure the EFF would take the position that the students’ paper was academic research, which is fully protected by the 1st Amendment. The paper was written while the students were attending one of the most prestigious engineering schools in the world, it was written (and turned into a talk) under the guidance of the extremely well known and respected Professor Rivest (the R in RSA) and then was intended to be presented at a computer security conference. The EFF also submitted as evidence a letter from 11 professors and industry professionals detailing the dangers of preventing this kind of research from being made public.

The other interesting aspect about this is that the MIT students provided a confidential vulnerability assessment of the fare system to the MBTA. The students stated that this document contained more detailed and potentially damaging information than they intended to give at their Defcon talk. The MBTA submitted this document as evidence in the court hearing and in doing so it became part of the public record. The EFF advised the MBTA of the dangers of this, and suggested that they take emergency action in sealing the information so as to prevent it from becoming public. It does not appear the MBTA took any action to prevent this from happening.

This raises many questions in my mind. If we were to look at the MIT students’ conduct in the worst possible light, it is that they wanted to provide details of security flaws to a large group of hackers with either the intent or reckless disregard to the fact that some of the attendees would use this information to evade paying fares at the T. The MBTA calls this commercial speech and an incitement to a crime.

According to the MIT students, the MBTA provided substantially the same or more information to the public in the form of a court filing. What is the difference between these two? What makes one actionable under the law and not the other? Is it the substantive information about the security flaws? Is it the location and audience that makes the difference? There was a presentation on Mifare card (the same card used by the T) security at Blackhat that went on without a legal challenge. There was a legal action brought against a university in the Netherlands to attempt to prevent them from publishing similar Mifare research, but a Dutch court ruled in favor of the university.

If the students had presented this same information in an academic journal or a more academic sounding (as opposed to the scary sounding, hacker infested Defcon) conference, would that have been ok? Or was it the provocative language in the students’ presentation? They did use phrases like “Want free subway rides for life?”, “This is illegal - for educational use only” (the judge in the emergency hearing found this phrase to be tongue in cheek and offensive), and “Is this hackable? Yes!”. Or is it motive that makes this speech possibly unprotected? Is the difference that the MIT students wanted to encourage others to break the law and that the MBTA is just trying to educate the court? Can the aforementioned choice of venue, audience, and tone of their speech be seen as sufficient to indicate that their motive is to incite others to violate the law?

I’m not a lawyer, so I can’t speak authoritatively on what speech is protected under the First Amendment. However, it seems that it is the tone of the students’ speech more than the technical content that is causing (or exacerbating) their legal problems. Unfortunately I’ve found in looking into other cases that, when faced with complex questions of technology and law, judges will sometimes fall back to one of the more classical elements of crime - motive.

If the defendant seems to have had malicious intent, then he likely violated a law. For example, in the David Ritz case I blogged about earlier, one of the findings was that, “The Court finds by clear and convincing evidence that Ritz is guilty of actual malice. Sierra is entitled to an award of exemplary damages for the sake of example and by way of punishing Ritz.” Ritz may have harbored malicious intent towards Sierra (Ritz alleges that Sierra is a spam house), but is that the key point that should make his DNS zone transfer unlawful? Is it right to punish one person but not another for obtaining the same publicly available information simply because their motives differed? Likewise, should the MIT students be stopped from sharing their research because of the admittedly juvenile and offensive manner in which it was presented? I don’t agree, but instead of suggesting a way to deal with these questions, I’ll end with a quote from Justice Black’s opinion in the Pentagon Papers case: “The word ’security’ is a broad, vague generality whose contours should not be invoked to abrogate the fundamental law embodied in the 1st Amendment.” [New York Times Co. v. United States]

SecureWorks follows a responsible disclosure policy when discovering a vulnerability. It can be found at http://www.secureworks.com/research/disclosure.html


Black Hat Briefings 2008 / DEFCON 16: It’s a Wrap!

Tuesday, August 19th, 2008

Now that I’m back from Las Vegas and have had a week to dig out from under email and work tasks, I’d like to share a short post-con wrap-up.

The Black Hat Briefings 2008 were a good time. Just as important as the briefings, I had a lot of fun meeting new people, seeing old friends, and networking with others in the security community. Our industry is really based on trust and trusted relationships, so I always try and get out and mingle at the con.

Both of my DEFCON presentations seemed to be really well received. I was surprised with the large turnout Friday 10am for my web application firewall (WAF) talk, given that my slot was competing directly with the Dark Tangent’s annual DEFCON keynote and Joe “Kingpin” Grand’s talk on the making of this year’s badge. There were a few good questions, so at least someone was awake and paying attention.

My Friday afternoon talk on Snort plug-in development was very well attended. A group of Sourcefire employees were filling out the front row. They didn’t throw any rotten vegetables at me, so I figure I did alright.

Updated presentation materials should be getting posted to the DEFCON site soon. Here are links to the slides for my WAF talk, and slides for my Snort plug-in development talk. I’m busy adding to my Snort preprocessor for weak SSH2 Diffie-Hellman Group Key Exchange, and should be releasing some new code in the next few weeks.


Speaking at DEFCON 16

Monday, August 4th, 2008

I’ll be delivering two talks at DEFCON 16 in Las Vegas this Friday, August 8th. My first talk, The Wide World of WAFs, covers web application firewalls and some PCI DSS background. In a talk that afternoon, Snort Plug-in Development: Teaching an Old Pig New Tricks, I’ll be releasing GPL licensed Snort plug-ins for ActiveX control detection and for detecting OpenSSH clients and servers using a broken Debian OpenSSL PRNG.

I hope to see some of y’all out in Vegas!
