Inside Security

Research PhD Studentship

February 11th, 2010

Network Attack Impact Analysis and Counter Measure Deployment via the Application of Behavioural Engines

University of Glamorgan - Faculty of Advanced Technology
Programme of Research:

Behavioural engines are a new and more effective approach than the traditional, large, rule-based engines. In particular they are far more effective at eliciting tacit knowledge and maintaining internal self-consistency, which in turn produces a system that is easier to adapt as systems change. This makes behavioural engines an attractive proposition for analysing CNA, as attacks are becoming more complex and are continually adapting. However the application of such engines to this area has not been researched. Instead basic rule-based systems is the nearest available technology.

The aim of this PhD project is to research the basic methods by which such engines can be applied and based on the best of those methods examine the feasibility of real-time computer network attack impact assessment and response being performed via the application and extension of a multi-attributed based heuristic behavioural engine.

This PhD project will seek to create a system that is capable of receiving computer network defence and computer network management data in real time and perform an impact analysis calculation of for the selection and deployment of a policy driven security countermeasure via the Application of Behavioural Engines. Thus the goals are:

•To extend the core behavioural engine to support the policy-directed assimilation and analysis of multiple data sources across multiple security domains.
•To utilize a policy engine for the selection and deployment of security countermeasures across multiple security domains.
•To validate the feasibility of such an approach will via the construction and execution of a proof of concepts demonstrator.
Please note: the studentship is open to persons holding UK/EU passports only.

Applications are invited, from highly motivated individuals with a good first degree in a computing related degree (2.1 or higher), for a full-time PhD position in the Faculty of Advanced Technology at the University of Glamorgan. Relevant subject expertise in computer network attack / computer network defence / behavioural engines would be beneficial, but not required. The student will be required to undergo a UK government security check.

A bursary amount of £13,290 (tax free) and UK/EU fees will be paid.

The closing date for applications is 19th February 2010 and interviews will be held on week beginning 22nd February 2010.

Contact details
Name: Dr. Huw Read
Address: Faculty of Advanced Technology, University of Glamorgan, CF37 1DL
Telephone: 01443 654287
Email: isrg [at] glam.ac.uk (replace [at] with @)

Original reference: http://www.jobs.ac.uk/job/AAQ821/research-phd-studentship/

Posted by Konstantinos Xynos | 0 comments | Tagged with network, phd, security, studentship

Decaf COFEE put me to sleep

January 4th, 2010

Decaf[1] is the hackers reply to Microsoft's COFEE tool set. Once again creating a tool to combat a set of tools as old as Sysinternals is nothing new or surprising. If it did not happen we would have been surprised.

Unfortunately (and thank god) systems are open and when they are closed (-source) people can still reverse-engineer and break them. This is the nature of the system, be that a PC, Apple, hardware, software or a mobile phone.

In other news an Xbox 360 thief was caught when the original user's account automatically signed in [2]. Proving that with some effort it is possible to track and catch thieves that keep and connect Internet-capable systems. Hear that UK!

Links used:
[1] - http://www.theregister.co.uk/2009/12/14/microsoft_cofee_vs_decaf/
[2] - http://www.theregister.co.uk/2009/12/30/x_box_theft_suspect_racked_down/

Posted by Konstantinos Xynos | 3 comments | Tagged with cofee, decaf, hack, microsoft, xbox 360

GSM encryption attack lowers privacy to zero

December 29th, 2009

In Europe mobile phones use the GSM standard to communicate with the carries. Encryption was and still is used to protect the calls and special intercepting abilities are built-in to the standard to assist law-enforcement.

Early versions of GSM use a weak encryption algorithms (e.g., A5/1) that are out of date and everyone now (hopefully) should be using UMTS (3G) (i.e. USIM) which include newer and better encryption algorithms.

What Karsten Nohl [2], his team and contributors have achieved is to utilise the advances in processing power (e.g., CUDA) to pre-calculate a code book[2] that will enable real-time decoding. Obviously the attacker will have to have access to the encrypted packets. This can achieved by setting-up a fake base station.

If you are thinking of doing this in the UK you will need special licence or permission from Ofcom or face the possible consequences [3].

Once again the weaknesses are known and the fact that this type of attack has emerged just demonstrates that relying upon incomputable algorithms is not always the best option. The only way to staying ahead of the game is with new encryption implementations.

Links Used:
[1] - http://news.bbc.co.uk/2/hi/technology/8429233.stm
[2] - http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html
[3] - http://www.ofcom.org.uk/radiocomms/ifi/enforcement/illegalbroadcast/

Posted by Konstantinos Xynos | 3 comments | Tagged with code book, cracked, encryption, gsm

Interception of video feeds from US drones in Iraq

December 18th, 2009

"Shia fighters are said to have used off-the-shelf software programs such as SkyGrabber to capture the footage."[1]

Why the BBC calls this a hack [cause it sounds cool I guess] I have to idea. This is a classic interception case. Get a program (SkyGrabber in this case) and start receiving the broadcasted satellite communications. The US should not have had insecure satellite communications in the first place.

Links:
[1] Iraq insurgents 'hack into video feeds from US drones' - http://news.bbc.co.uk/2/hi/middle_east/8419147.stm

Posted by Konstantinos Xynos | 1 comment | Tagged with satellite, skygrabber, US, us

PhD Studentship

December 9th, 2009

PhD Studentship
Job Reference No. PhD FAT2
Salary: Stipend of £20,000 per year, minimum. Plus payment of enrolment fees
Closing Date: December 13, 2009
Interview Date: PM Wednesday 16/12/09
Terms: Permanent
Job Type: Support Staff
Job Class: External
Location: Treforest

Title of Research
QoS and Routing in Encrypted Networks

Programme of Research
This industry funded research project is in partnership with QinetiQ Ltd. The company is a leading international provider of technology-based services and solutions to the defence, security and related markets; and work with government organisations, predominantly in the UK and USA including defence departments, intelligence services and security agencies.

This PhD project will be an investigation of quality of service and routing implications over all encrypted networks (AEN), based on different traffic types ands structures, scenarios and use cases for use in experimentation and demonstration.

This research is to be carried out mindful of the specific security constraints in the field of traffic management. In particular, this work will involve the following work packages:

1. Requirements Analysis
2. Solution Analysis
3. Implementation
4. Exploitation and Realisation
5. Experimentation
6. Demonstration

Applications are invited, from highly motivated individuals with a good first degree in a computing related degree (2.1 or higher), for a full-time PhD position in the Faculty of Advanced Technology at the University of Glamorgan. Significant experience in a major programming language is required (C++, C#, .net), with knowledge of web services such as SOAP/REST preferred. Relevant subject expertise in computer network attack / computer network defence / QoS and relevant certifications (e.g. CHECK / CREST / TIGER) would be beneficial, but not required. The student will be required to undergo a UK government security check. The PhD position is open to UK nationals only.

Closing time and date: 12 midnight Sunday 13/12/09.
Interviews to be held pm Wednesday 16/12/09.
Applicants will be informed if they are selected for interview by email on Monday 14/12/09

How to Apply
Please submit the university postgraduate research application form http://www.glam.ac.uk/apply/156/research.

Contact details
Name: Dr. Huw Read, Prof Andrew Blyth, Dr. Iain Sutherland
Address: Faculty of Advanced Technology, University of Glamorgan, CF37 1DL
Telephone: 01443 654287
Email: isrg@glam.ac.uk

Posted at: http://inform.glam.ac.uk/jobs/details/591/

Posted by Konstantinos Xynos | 0 comments | Tagged with phd, studentship

Your data selling for $30 to $40 USD by US companies

December 7th, 2009

What do you mean you don't live in the US. Do you not use any of these companies services over the Internet?

Want an insight to what US companies do with their customer data? Check the documents data retention policies, surveillance capabilities and lawful data-interception guides posted at cryptome.org [1]. In the UK we hope that the Data Protection Act protects us to a point, but we still have to pay to see what is held about us. An expensive exercise.

Any sight of Google's policies?

[1] Cryptome.org [2] http://www.wired.com/threatlevel/2009/12/yahoo-spy-prices

Posted by Konstantinos Xynos | Tagged with cryptome, data, yahoo

MS COFEE for live comp. forensics

December 4th, 2009

It is all about the COFEE [1] that will keep you awake. In this case, ahead of the game. Microsoft's COFEE (Computer Online Forensics Evidence Extractor) [1] is out and about, making the rounds on the Internet underground (and overground, “freedom of speech” sites). This is what happens when you try to keep something secret, everyone wants it.

I understand the motives to keep it hush hush, but from what I hear the tool set is compromised of basic programs you can find on a Windows OS and at Microsoft online (old Sysinternals tool set, now part of Microsoft).

Will Anti-forensics kick in and destroy your acquisition? Well to be honest if the tools are the ones you find on a Windows OS, then any rootkit installed on the machine will feed any tool talking to the OS false data anyway. Nothing new there! Once again proving that usual computer forensics still will be required to extrapolate the information.

What about the volatile information lost after a shutdown, that has been captured by this tool set. That is why it is called volatile (it lives for a short period) and good luck in piecing things together after imaging the drive. It will provide valuable information that you would not have otherwise but how will it be proven in court is another matter altogether. It would not be a hard subject if everything was handed to you in a silver-platter-report every time.

[1] - http://wikileaks.org/wiki/Microsoft_COFEE_%28Computer_Online_Forensics_Evidence_Extractor%29_tool_and_documentation%2C_Sep_2009

Posted by Konstantinos Xynos | Tagged with analysis, cofee, comp., forensics, live

iPhone: myPhone on lock-down

November 9th, 2009

...and you thought you were the only person to have the privilege of locking your iPhones screen. Think again. Once again a stunt and proof of concept demonstrates that high tech. mobile devices can be manipulated and possibly locked down by malicious people, leaving the users at their mercy. In some cases even try to get you to part with your money. This was demonstrated with the iPhone 'Your iPhone's been hacked' stunt as reported [1] by Wired.

It appears that jailbroken iPhones have SSH and a default root password (if not changed), allowing full remote access to the phone. It is that easy. The users are lucky that the creator didn't start locking the devices as we have seen with ransomware (malware that requests ransom to decrypt data or unlock a pc).

I would not be surprised if Apple didn't try to use this problem to demonstrate to people that jailbreaking the iPhone will mean that you are taking avoidable risks and that you are not being protected to the fullest.

[1] Wired - Hacker holds Dutch iPhones for €5 ransom - http://www.wired.co.uk/news/archive/2009-11/04/hacker-holds-dutch-iphones-for-€5-ransom.aspx

Posted by Konstantinos Xynos | Tagged with access, hack, iphone, root, ssh

Python 2.6 and 3.0 compatibility

October 30th, 2009

If you will be writing any new programs in the Python programming language then check Lennart Regebro's presentation[1] and slides[2] on their compatibility issues. It is interesting to see the amount of changes they have made to make the language more robust and correct. This does mean that programs written in Python 2.x , to some extent, will be incompatible with Python 3.x so keep it in mind when deciding on which one to pick.

Links Used:
[1] Lennart Regebro's presentation - http://blip.tv/file/1949281

[2] Lennart Regebro's slides - http://liwo.polsl.pl/pycon-pl2008/materia142y/python-3-compatibility.pdf

Posted by Konstantinos Xynos | Tagged with compatibility, python

Phone tapping the VoIP way

October 22nd, 2009

VoIP stands for Voice over IP (or the Internet). It is a cheap (or free) way of contacting people around the world. The most commonly used online application is Skype. When I came across this article [http://www.theregister.co.uk/2009/08/28/skype_trojan_source_code/] I had to write about it. It is amazing what people come up with and openly [http://www.megapanzer.com/source-code/#skypetrojan] demonstrate how programs can be created to intercept a normal programs function. In this case we have the redirection of a voice call saved to an MP3, encrypted (nifty) and sent over to a server.

Now I wonder how many SME's make use of VoIP and Skype...

By the bye, I am amazed that we still get charged so high for making International calls in the UK.

Posted by Konstantinos Xynos | Tagged with skype, trojan, voip

e-Crime Wales Summit 2009

October 22nd, 2009

The e-Crime Wales 2009 Summithttp://www.ecrimewales.com/ held at Llandudno, Wales is over and a number of great speakers attended. Our own Prof. Andrew Blyth presented our findings on the installation of 15 IDS sensors in Welsh SME's around Wales. Hopefully the attendees (business owners etc) would have come into contact with a number of security professionals and brought upto date on how to protect their businesses or at least where to go from here.

The few that I did see at least, from the live feed, all pointed out the need to be aware of the security implications of using online resources and complacency should not an option, even though most people choose it. There is always one question that that needs to be answered before deciding to got (or watch the live feed) one of these events, 'What information will I walk away with?' . I think that it is a great opportunity to be exposed to the horror stories that the speakers have to offer through their experience and you can always pickup and relate to them at some point or hope not to.

Check out the twitter feed here [http://twitter.com/ecrimewales] with some questions and answers and a general overview of the speakers key points.

A picture of Prof. Andrew Blyth, Ed Gibson & Chris Corcoran http://bit.ly/3drSUL

A great service provided by SpamHaus are the advisory lists they provide (i.e., Spamhaus Block List, Exploits Block List and Policy Block List ). Check them out at http://www.spamhaus.org/.

e-Crime Wales also have a blog at http://ecrimewales.posterous.com/

Update (@11:20): We got a mention in the Welsh Daily Post: "E-crime costs Welsh companies hundreds of millions of pounds annually" - Oct 22 2009 - Daily Post - http://www.dailypost.co.uk/business-news/business-news/2009/10/22/e-crime-costs-welsh-companies-hundreds-of-millions-of-pounds-annually-55578-24989506/

Posted by Konstantinos Xynos | Tagged with 2009, blyth, ecrime, spamhaus, Wales, wales

AccessData Corp Youtube Channel

October 20th, 2009

It seems that towards the end of the summer AccessData Training Team has started to post videos of how to do certain things with FTK 3 on youtube ( http://www.youtube.com/profile?user=AccessDataCorp#g/u ).

Of interest :

FTK 3 Computer Forensics: Mac Analysis : http://www.youtube.com/watch?v=P2DCxtMqQyw
Showing you the developments in support of the Mac OS X files and HFS+ format and extended attributes (very useful!!! check http://www.youtube.com/watch?v=P2DCxtMqQyw#t=4m23s). It also demonstrates where to find the Mac user's password shadow file and password has and then use PRTK to attack the hash value. EXIF data for photos, etc are supported now too.

FTK 3 Computer Forensics: Field Mode : http://www.youtube.com/watch?v=mSHsn22YxeY&feature=channel
Demonstrating on the fly analysis without doing the initial lengthly analysis, at least when not needed.

Links used:

AccessData youtube channel - http://www.youtube.com/profile?user=AccessDataCorp#g/u
FTK 3 Computer Forensics: Mac Analysis - http://www.youtube.com/watch?v=P2DCxtMqQyw

FTK 3 Computer Forensics: Field Mode - http://www.youtube.com/watch?v=mSHsn22YxeY&feature=channel

FTK 3 Computer Forensics: Mac Analysis: Attributes B-tree @ 4m23s - http://www.youtube.com/watch?v=P2DCxtMqQyw#t=4m23s

Posted by Konstantinos Xynos | Tagged with accessdata, computer, forensics, ftk

Graphviz, Python and Tkinter

September 16th, 2009

When creating a specific program that does one thing it is sometimes useful to provide a generic solution and build upon those foundations. This is what I present in todays posting, what I call graphing[1] .

Graphviz [2] is a great tool that allows you to create diagrams and flow-charts and almost any type of graph. I wont go into the details about Graphviz as this is not a tutorial, the site has more details.

What I have done is create a parser that converts a .gv file (e.g., [3, 4]) into a dot file (through the dot package) and then this is read to create the layout on a Tkinter Canvas in Python. The advantage to this is that you can add your own code and make these items interactive (e.g. mouse interactive, etc). You will need to install at least dot which is part of Graphviz[2].

Dependencies:
Graphviz (dot is needed)
Tkinter part of Python

Links Used:
[1] graphing by Konstantinos Xynos (2008) - http://www.comp.glam.ac.uk/staff/kxynos/dot_parser2Tk.zip
[2] Graphviz - http://www.graphviz.org/
[3] Example: Finite Automaton - http://www.graphviz.org/Gallery/directed/fsm.html
[4] Example: Finite Automaton gv file - http://www.graphviz.org/Gallery/directed/fsm.gv.txt

Posted by Konstantinos Xynos | 1 comment | Tagged with graphviz, python, tk

Snort Rules checked by dumbpig

September 10th, 2009

Writing custom Snort rules and what to check if they are correct? ..up to a certain point.
Well dumbpig [1] by Leon Ward is what you are after. For a good example check out VRT Sourcefire's blog entry [2].

...while you are at it have a look at Snoge [3] "Take your Snort or Sourcefire IPS events and place them onto Google Earth.".

Links Used:
[1] - dumbpig - http://leonward.wordpress.com/dumbpig/
[2] - Syntax Checking your Snort Rules - http://vrt-sourcefire.blogspot.com/2009/08/syntax-checking-your-snort-rules.html
[3] - snoge - http://code.google.com/p/snoge/

Posted by Konstantinos Xynos | Tagged with checking, dumbpig, rules, snoge, snort

Blue Screen your shinny Windows Vista/7 box

September 9th, 2009

An exploit is making the rounds that affects Windows Vista and 7 which have SMB (i.e., SAMBA or file sharing) enabled. The researcher, after a small change in the SMB Header has managed to crash the SRV2.SYS DLL which fails to handle malformed SMB headers[1].

"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"

Solution:
As of now: Funny enough disable file sharing if and when not needed, or implement a rule to block SMB ports.

Links Used:
[1] - Full Disclosure: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. - http://seclists.org/fulldisclosure/2009/Sep/0039.html

Posted by Konstantinos Xynos | 1 comment | Tagged with 7, exploit, vista, windows

Atom Feeds

Entries
Comments

RSS Feeds