- Dailydave - mm4.emwd.com

Deana Shick on INFILTRATE ONLINE
by Dave Aitel 30 Oct '20

30 Oct '20

Happy Friday! For those of you who enjoy laughing at my video editing job or want to learn about how big companies do vulnerability management "at scale" or what the alternatives are to CVSS, we've recently published a new fifteen minute video: https://vimeo.com/473562240 . -dave

1 0

Things to Watch!
by Dave Aitel 19 Oct '20

19 Oct '20

It's MONDAY, and I wanted to send over the shorts we did with Chris Eng and Ben Edwards. I think there's a lot of value in a robust question and answer session with paper authors. Too often papers are supposed to stand on their own without any real discussion. (PHP IS DOUBLE PLUS UNGOOD) https://vimeo.com/457850389/373c907909 (CVSS, an INTRODUCTION TO FAIL) https://vimeo.com/454453494/330060fbb2 (XXE) https://vimeo.com/464273744 Right now I'm editing the next in the series, which I think you will like, which is a more in-depth discussion on vulnerabilities and prioritization and dinosaurs. -dave

1 0

Identity + Host
by Dave Aitel 21 Sep '20

21 Sep '20

Recently Thomas Dullien wrote a blogpost <http://addxorrol.blogspot.com/2020/07/the-missing-os.html> asking what the OS of the future really looks like, considering the computer of the future is a distributed mega-engine. I would, annoyingly, posit that the algorithms that make sense to understand in that world are those already implemented in the many species of social insects. In that sense, I think there are things missing from his list of the basics of what a datacenter computer contains. At some level, I think the right set of algorithmic support will undergo phase changes as you scale up, but still be viable at small scales: (see this new paper for a detailed example: https://www.biorxiv.org/content/10.1101/2020.08.20.259614v1) I will include Thomas's list below: - Some form of cluster-wide file system. - A horizontally scalable key-value store. - A distributed consistent key-value store. - Some sort of pub/sub message queuing system. - A job scheduler / container orchestrator. I would say some level of ID is missing - large-colony ants have Caste systems for a reason. I think people in general ignore ID because maybe you can make ID and security a micro-service on top of a pub/sub message queuing system? I'm not sure. But in general, the same thing is true for most security analysis systems sold today - they see an infection, they treat a computer/network as infected and respond appropriately. At Immunity/AppGate we've been trying to go the other direction - tying your security directly to your identity. AppGate SDP already does this for network services, but we've also expanded upon that by using a graph database, INNUENDO Agent, a custom Windows Kernel module, and a lot of other excitement to build automated response that looks at your ID as much as it does your computer: CONSTELLATION + AppGate SDP (3m) https://vimeo.com/431931225/add11f4230 CONSTELLATION vs. Ransomware (9m) https://vimeo.com/421712679/d4a1918354 CONSTELLATION vs. Robbinhood (11m) https://vimeo.com/417796331/bb0426f9fb -dave

1 0

R2 Browser Hacking Class Review
by Dave Aitel 13 Aug '20

13 Aug '20

Sometimes we review books on this list, but I spent last week, for seven days in a row, taking the R2-RingZer0-Amy-Burnett Browser Hacking <https://ringzer0.training/advanced-browser-exploitation.html> class. But before I do, I want to point out that 36 Minutes into this video ( https://vimeo.com/442583799) I ask Marco Ivaldi about what it's like to switch from management back into the technical field. "It's hard, but it's very rewarding." Here's my one top tip for making remote classes easier as a student: TURN YOUR FREAKING CAMERA ON. This forces you to pay attention to the trainer. Also: trainers do better when they can see if you are picking up the material. I like the remote format better in many ways than the in-person format. I like seeing everyone else's questions in the Discord. I like being able to take a big break during the day to get food and then come back to the exercises later and get real-time answers to my questions by Amy typing things up on her cellular phone at the local Troy bar. I like continuing to have lungs complete with working alveoli. Also, the Browser Hacking class is effective. Everyone in the class (I was quite nervous since I didn't even know Javascript and last wrote an exploit in 1992AD) can write Chrome and Webkit exploits now. This is a useful feature. Obviously the first half of the class is "This is the giant optimized data structure they invented to allow people to check Gmail super fast" and the second half is "this is what those bug-classes look like in source code, and how you build your exploit primitives and plug them together". I guess my summary is this: Great class. It is well worth the money just to feel the dragon inside you wake up and swallow something whole again. -dave (List Note: I have turned off bounce processing, since it was misfiring and kicking people off the list for no reason.)

1 0

Dino-VSS
by Dave Aitel 10 Aug '20

10 Aug '20

[image: image.png] Bistahieversor or MS08-067? If you had to list out the problems with CVSS it would be like analyzing the anatomical issues of a children's drawing. No part of it fits together properly. Here's a problem: Scoring of threats is not one dimensional, and numbers can't carry the whole story. We need a vulnerability scoring system that's extensible, and programable. But I have an alternative: Take each vulnerability attribute and assign it to a dinosaur part! Is it a client-side? Then it's got legs! Does it need user interaction? Then short stumpy legs. Is it a true remote against a service? Then it's got wings. Is it a root bug? Then it has a big mouth? User-level access? Duckbill. That way, the attributes of the vulnerability reflect themselves as a literal model - a denizen of your Cretatous nightmares. But it rings true - getting attacked by five hundred pre-auth XSS bugs in your web front-end is exactly like getting attacked by a horde of ducks. And of course, vulnerabilities can combine - a LPE + a remote user-level XSS + sandbox escape has legs and teeth. Modeling is better than scoring in every way. Maybe your network is a Animantarx <https://en.wikipedia.org/wiki/Animantarx>, a living citadel, but more likely you're a Diplodocus, a big bag of walking meat getting nibbled to death by ducks. -dave

1 0

WAF Metrics
by Dave Aitel 17 Jul '20

17 Jul '20

So I'm making a video on metrics, of all things, and I wanted to post both this question <https://twitter.com/daveaitel/status/1281629327776522242?s=20>and the best answer so far to the list to see if anyone had any other ideas or followups. -dave [image: image.png] [image: image.png]

7 9

WAFs: HTTP Desynchronization as a Metric
by Dave Aitel 13 Jul '20

13 Jul '20

So one thing people don't have any scope of measuring - (maybe as a set diagram finite states?) - is the difference between two parsers for the same protocol. Ten years ago a lot of the security community had a discussion about "LangSec <http://langsec.org/>" which turns out to have been entirely correct in retrospect. NCCGroup's recently released analysis of the F5 bug is a key example of this principle in action: https://research.nccgroup.com/2020/07/12/understanding-the-root-cause-of-f5… Most people look at HTTP Desync as simply using Content-Length confusion - figuring out ways to make one request look like it's not the same length, and using that for SSRF or XSS or various other attacks. But *ANY DIFFERENCE IN THE PARSERS* leads to critical level attacks. Of course, what this means is that you need to have different emulated parsers for each web server behind you depending on if they are Apache/IIS/NGinx . . . -dave

1 0

Brad gets real!
by Dave Aitel 07 Jul '20

07 Jul '20

https://www.youtube.com/watch?v=F_Kza6fdkSU So I wanted to highlight this talk from Brad Spengler about the state of Linux security. It's a damning report if you read even a little bit between the lines. And on many levels. As Halvar points out, Android deliberately avoided investing what they knew they needed to invest in platform security in the effort to gather significant early market share, even knowing it would harm their user-base in a multitude of ways. And this kind of philosophical trade off taken by companies filters into the Linux security ecosystem, creating Ogres of various sorts, like Calamity Gannon's corruption of various parts of Hyrule. For example, phones often run on an older Linux kernel, which means there is economic incentive to backport features and security fixes to those kernels, or pretend you can. Likewise, much of the effort of the Linux security community is focused on KASLR, which Brad points out, is largely a waste of time. He also talks about Syzkiller, automated exploit generation, and a host of other things. Well worth a listen! -dave

3 4

Data
by Dave Aitel 18 Jun '20

18 Jun '20

I wanted to highlight something that I find funny did not make a much bigger impact: DARPA's release of former INFILTRATE keynoter Bill Arbaugh's dataset of endpoint behavioral data. See here for more information: https://twitter.com/williamarbaugh/status/1273421101469753344?s=20 How else are you supposed to test if your Endpoint Protection DEEEEEEP LEARNING works or does not work, as advertised? My only complaints are: This is not as much data as I would want. You really do want at least a couple months of data. Everyone annoy DARPA about that. :) I don't speak for Immunity anymore, but it IS good to see those who do speak for Trail of Bits making themselves heard: https://blog.trailofbits.com/2020/06/17/advocating-for-change/ -dave

1 0

Code (library) economics
by Konrads Smelkovs 16 Jun '20

16 Jun '20

When I want to code something from scratch, I will often look for libraries that help me achieve it best regardless of language they are written - for common situations Python has a good ecosystem (but web interfaces don't look so great there anymore), if it's enterprise-y, most likely Java (which I'll use via Jython if I can help it), if it's Windows-ish - C# with WinApi calls. Weirdly RubyDNS/EventMachine is good for quick DNS shenanigans. I do this because I don't have an infinite amount of time to re-implement something in my *langage du jour*. Same holds true for people moving code for hacking operations. If an operator wants to search for specific data on a computer, I'm probably best off using Windows Search API and the easiest way to invoke it is via PowerShell <https://gist.github.com/arebee/1928da03047aee4167fabee0f501c72d> - about 20 lines of code seems to do it. I looked at my code for selectively exfiltrating Outlook mailbox contents and discovered it was a bit of OLE Interop code (again - PowerShell, but I concede that C# would be pretty close line-wise). We could of course bring OpenDLP package or ntfs raw copy the entire .ost, but that seems to be heavyweight. A parallel exists for EDRs as well - EDRs like to rely on cool Win8.1+ features and tell customers to upgrade their XP/7 and Win2k3 boxes or not have latest features - they don't want to re-implement same stuff 3 times and could you please have our .NET to 4+ kthx bye. (this is also why network traffic recorders are useful). You can see right now the fad for POC implants has moved away from C to C# to Golang, because all of this makes programmers more productive. as you're paid for operations not tool fetish, why write it in C? Sometimes doing stuff in non-C is harder. Over the last 2 months there's been an explosion of API unhooking articles thanks to great work by F-Secure (ex MWR) <https://labs.f-secure.com/blog/bypassing-windows-defender-runtime-scanning/> and so to keep up with the Joneses any decent toolkit needs now the ability to manipulate loaded libraries which perhaps excludes some choice of languages (I'm not quite sure how to achieve this in PS). Other code economics matter as well. When you're in shellcode territory, the crawl space is small. Once you're in "bootstrap" territory, you have more space (e.g. your Office macro that downloads the kit can be fairly meaty) and you have options to hunt for eggs (e.g. retrieve a hidden attachment from Outlook in which your macro came in). Once you're in the "I can run an exe/dll here" territory, 20 megs is nothing. In one report I read, hackers downloaded and installed VirtualBox to run their toolkit. I think Dave's INNUENDO ran to 40 megs. Once they were done, it was a matter of shutting down the encrypted VM - good luck with forensics. <retransmission> -- Konrads Smelkovs Applied IT sorcery.

1 0

2025

2024

2023

2022

2021

2020

Dailydave