<b>I, Hacker</b> - Gal Diskin's rants, comments and thoughts on hacking, information security, AI, Deep Learning, RL, NLP, Blockchain, FinTech, Math, Science, Quantum Computing and anything else I feel like putting here<br />
Gal Diskin (http://www.blogger.com/profile/07800877129438051009)<br />
<br />
<b>The First Facebook Libra Blockchain Explorer</b> (2019-06-19)<br />
As I was playing with the new <a href="https://libra.org/" target="_blank">Libra blockchain</a> released by Facebook and friends yesterday I realized that there is no blockchain explorer available for Libra so I created one:<div style="text-align: center;">
<a href="https://librabrowser.io/"><span style="font-size: x-large;">https://librabrowser.io</span></a></div>
<div style="text-align: left;">
Currently it is slow, ugly and unstable, and functionality is limited to viewing the latest TX or a specific account, but it works and is useful to the <a href="https://developers.libra.org/" target="_blank">developer community</a>. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I might add more features later if I feel like it. If you want to encourage me please send some testnet tokens to the account that shows in the browser or leave a comment here.</div>
<div class="blogger-post-footer">Please visit the blog www.diskin.org and let me know your opinions</div>
<br />
<b>Adventures in WhatsApp DB — extracting messages from backups (with code examples)</b> (2019-05-10)<br />
Just a random piece I wrote on Medium describing the extraction process of conversations from WhatsApp and the analysis I did to do it. Just because I couldn't find free stuff about how to do this and <b><i>every annoying free tool out there wants your credentials and full access to your data.</i></b><br />
<br />
<span style="font-size: large;"><a href="https://medium.com/@1522933668924/extracting-whatsapp-messages-from-backups-with-code-examples-49186de94ab4?source=friends_link&sk=0126a0b4d88cf7e24f33b1631f2722b5" target="_blank">Medium post</a> </span><span style="font-size: x-small;">(paywall free link)</span><br />
<a href="https://github.com/Disk1n/WhatsApp_Sqlite_Reader" target="_blank"><span style="font-size: large;">GitHub Repo</span></a><br />
<br />
I might post some more random stuff soon. Or not...<br />
<br />
<b>Virtually Impossible @ ZeroNights & A PatchGuard Analysis on the company blog</b> (2013-10-14)<br />
Hi All,<br />
I wanted to share two updates:<br />
<ul>
<li>I will be presenting a talk called "<a href="http://2013.zeronights.org/program#diskin" target="_blank">Virtually Impossible: The Reality of Virtualization Security</a>" on the basic issues with virtualization security at the <a href="http://2013.zeronights.org/" target="_blank">ZeroNights</a> conference in November. Hope to see you there.</li>
<li>Last week I released a post on <a href="http://cyvera.com/a-brief-analysis-of-microsoft-patchguard-msr-protection/" target="_blank">Windows PatchGuard MSR protection</a> in the <a href="http://www.cyvera.com/blog" target="_blank">official Cyvera blog</a>. Preview image from the post below; follow the link for more details.<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKgGVB-v7asor7ZnNOmgNVVtumstmZYbutdY8XKMjKJo53quGRINYOSRnY41xROiI_gdT-GPc-l9KipVOHdnFO1iA5W7YJt_5mhfsmBMMgOgznOc_ajHjMzvk3geFkfGuH2KM0OMYx_6M/s1600/PatchGuardPost1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKgGVB-v7asor7ZnNOmgNVVtumstmZYbutdY8XKMjKJo53quGRINYOSRnY41xROiI_gdT-GPc-l9KipVOHdnFO1iA5W7YJt_5mhfsmBMMgOgznOc_ajHjMzvk3geFkfGuH2KM0OMYx_6M/s320/PatchGuardPost1.png" width="320" /></a></div>
</li>
</ul>
<div>
That's it for now...</div>
<div>
G.D</div>
<br />
<b>Practical considerations implementing fuzzing acceleration via checkpointing</b> (2012-06-11)<br />
Hi all,<br />
After giving my presentation at HITB I was fortunate to talk to some of the people that attended it and also some that contacted me via email afterwards. One of the most frequent questions I got was "how practical is it to implement a fuzzing acceleration framework?". Following up on that, I decided to write a short post on the practical considerations of implementing an accelerated fuzzing framework using DBI.<br />
Some of the material in this post is based on one such Q&A discussion that I had with Peter Van Eeckhoutte (<a href="https://twitter.com/corelanc0d3r" target="_blank">@corelanc0d3r</a>) and published with his gracious permission.<br />
<br />
<br />
<h4 style="color: lime;">
<u><b>Introduction to fuzzing acceleration via checkpointing</b></u></h4>
This section aims to provide a quick introduction to the subject. If you're already familiar with it you can jump to the next section, practical implementation considerations.<br />
If you're unfamiliar with the concept of fuzzing acceleration via checkpointing and restoration, the following slide from my HITB Amsterdam presentation provides an overview:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2ERgv2fdT-hA-qKUf4iIcCdGeVpaRbq0WzuMmSV2DxH3_GPcfDIvAn8pOBwl2DssQger3s4TCpkEoLDVi6U0b4z_whb0HVq-WKM7qaeprsoH3FLEmiHAo3B6s8XlbetLTXxrjy8Furso/s1600/accelerated+fuzzing+slide+for+blog.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2ERgv2fdT-hA-qKUf4iIcCdGeVpaRbq0WzuMmSV2DxH3_GPcfDIvAn8pOBwl2DssQger3s4TCpkEoLDVi6U0b4z_whb0HVq-WKM7qaeprsoH3FLEmiHAo3B6s8XlbetLTXxrjy8Furso/s1600/accelerated+fuzzing+slide+for+blog.png" /></a></div>
<br />
<br />
<br />
You can also find a very simple example I wrote <a href="https://docs.google.com/viewer?pid=explorer&srcid=0B7dCwoxC3buLMWE5ZGU3MzEtOGJiMy00ZDAyLTk1NDUtNGQ0ZDJlNGRmMWIx&docid=879abe701de0d8a74dfcdbf464be375f%7Cdaae4f4b7fda29bb7c40e1c00a042c10&chan=EQAAALeHR6d6KDEYVgXicAjbcANr7DJZHOuT4SEUAHPslpZt&a=v&rel=zip;z7;InMemoryFuzz.cpp" target="_blank">here</a>. This example does <u>not</u> restore the memory but only the CPU context and is meant to be run on <a href="https://docs.google.com/viewer?pid=explorer&srcid=0B7dCwoxC3buLMWE5ZGU3MzEtOGJiMy00ZDAyLTk1NDUtNGQ0ZDJlNGRmMWIx&docid=879abe701de0d8a74dfcdbf464be375f%7Cdaae4f4b7fda29bb7c40e1c00a042c10&chan=EQAAALeHR6d6KDEYVgXicAjbcANr7DJZHOuT4SEUAHPslpZt&a=v&rel=zip;z22;VulnEx5.c" target="_blank">this</a> specific program. However, it still shows the very basics of creating a checkpoint and restoring it using PIN. Pay attention to the use of <b>PIN_SaveContext</b> to create the checkpoint and <b>PIN_ExecuteAt</b> to restore it. Note that these two APIs only save and restore the CPU context and not any other part of the program context.<br />
<br />
<br />
<br />
<h4 style="color: lime;">
<u><b>Practical implementation considerations</b></u></h4>
Well, that's it for the intro. Time to get down to business. The following notes are meant to highlight potential performance savings and pitfalls. The scenario discussed here is a program that reads some input file, and we want to fuzz that file input.<br />
<br />
<div style="color: lime;">
<b>What memory to save / restore?</b></div>
Normally you don't know exactly which memory areas will require saving and restoring. If you do - lucky you. Implementing a save and restore for a known memory area or data structure is not something I need to explain. If not, you still have several choices:<br />
<ol>
<li>Collect the information on the relevant memory areas via memory access tracing. You can find an example tool that does memory tracing included in the PIN kit. After you run several representative workloads you should have a pretty good understanding of what memory areas you need to save and restore.</li>
<li>Use the memory tracing approach in real time (slower but more accurate): record every address modified between the save point and the restore point and restore just those to their original values.</li>
<li>Just save and restore all writable program memory - this is not recommended for programs using more than a few MB of memory.</li>
</ol>
<br />
Please note that there will usually be some memory areas you can skip restoring, because they will be overwritten by the next file you load anyway.<br />
<br />
A final note on saving and restoring: for performance reasons you should strive to keep the saved copy in RAM rather than writing anything to disk.<br />
<br />
<br />
<b style="color: lime;">Target file</b><br />
A common pitfall is to actually rename a fuzz file on disk to the name that the program was instructed to load. That is not advised: disk access is far more costly than RAM access. Therefore I recommend changing the file name string held in memory by the program you're fuzzing. There are two main options:<br />
<ol>
<li>Modifying the string in place - the problem with this approach is that the existing buffer cannot grow, so you'll have to stay with file names of the same length or shorter.</li>
<li>Modifying the pointer to the string - changing that pointer to point to a string allocated from your pintool.</li>
</ol>
<br />
<br />
<b><span style="color: lime;">System Resources and the choice of Restore Point</span></b><br />
The consumption of system resources is one of the biggest problems you'll face when fuzzing like this. It depends greatly on your choice of where to locate your restore point. For example, say you are fuzzing MS-Word. A restore point chosen after you close the file should not require any freeing of resources to be done by you (because MS-Word is supposed to handle this automatically). On the other hand, if you choose to restore immediately after completing the load of the file, because the actual unload is not of interest for your fuzzing project, then the responsibility to free the system resources falls on you.<br />
<br />
Some types of resources you might want to monitor and free before going back to a checkpoint:<br />
<ol>
<li>memory allocations</li>
<li>file handles</li>
<li>any other handle / system resource claimed</li>
</ol>
It is fairly easy to hook the allocation functions for those resources, save the details, and then free everything once before restoring to the checkpoint.<br />
<br />
I highly recommend choosing your restore point carefully and, when debugging the first couple of crashes you get this way, keeping in mind the possibility that you missed freeing some resource.<br />
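As an added illustration (not code from the post or from the linked InMemoryFuzz.cpp example), the following plain C program shows the second memory option above, restoring only the addresses modified between the save point and the restore point via an undo log, together with the allocation hook that frees resources claimed since the save point. The target it runs against is a constructed stand-in for a file-loading program, and the function names are hypothetical: in a real pintool, checkpoint_record_write would be inserted before each memory-writing instruction and tracked_malloc would sit behind a hooked malloc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Undo-log checkpoint: the "record the addresses modified between save and
 * restore, put back only those" option. In a pintool, checkpoint_record_write()
 * would be inserted by INS_InsertCall before each memory-writing instruction
 * and tracked_malloc() would wrap the hooked allocator; the names and the
 * target below are hypothetical, not Pin's API or the post's own tool. */
#define MAX_UNDO   4096
#define MAX_ALLOCS 256
#define MAX_STORE  16          /* widest store logged per entry; widen for AVX */

typedef struct { void *addr; size_t len; uint8_t old[MAX_STORE]; } undo_entry;
typedef struct {
    undo_entry log[MAX_UNDO];  size_t n_log;
    void *allocs[MAX_ALLOCS];  size_t n_allocs;   /* claimed since save point */
    int active;
} checkpoint;
static checkpoint g_cp;

/* Save point: from here on writes and allocations are tracked. */
void checkpoint_save(void) { g_cp.n_log = 0; g_cp.n_allocs = 0; g_cp.active = 1; }

/* Call BEFORE a write of len bytes to addr. Returns 0 if it cannot be logged
 * (inactive, too wide, log full); a full log must be fatal for the tool,
 * because a partial log would restore a corrupted image. */
int checkpoint_record_write(void *addr, size_t len) {
    if (!g_cp.active || len > MAX_STORE || g_cp.n_log == MAX_UNDO) return 0;
    undo_entry *e = &g_cp.log[g_cp.n_log++];
    e->addr = addr; e->len = len;
    memcpy(e->old, addr, len);
    return 1;
}

/* Hooked malloc: blocks claimed after the save point are released on restore,
 * so a restore point placed before the program's own cleanup does not leak. */
void *tracked_malloc(size_t size) {
    void *p = malloc(size);
    if (p && g_cp.active && g_cp.n_allocs < MAX_ALLOCS) g_cp.allocs[g_cp.n_allocs++] = p;
    return p;
}

/* Restore point: undo newest-first so repeated writes to one address end with
 * the oldest value, then free everything claimed since the save point. */
void checkpoint_restore(void) {
    while (g_cp.n_log > 0) {
        undo_entry *e = &g_cp.log[--g_cp.n_log];
        memcpy(e->addr, e->old, e->len);
    }
    while (g_cp.n_allocs > 0) free(g_cp.allocs[--g_cp.n_allocs]);
    g_cp.active = 0;
}
size_t checkpoint_pending_allocs(void) { return g_cp.n_allocs; }

/* ---- Constructed stand-in for the program under test -------------------- */
typedef struct { int records; char title[32]; } doc_state;
static doc_state g_doc = { 0, "empty" };

/* "Instrumented" store: log the old bytes (in MAX_STORE chunks), then write. */
static void store_bytes(void *dst, const void *src, size_t len) {
    for (size_t off = 0; off < len; off += MAX_STORE) {
        size_t chunk = len - off < MAX_STORE ? len - off : MAX_STORE;
        checkpoint_record_write((uint8_t *)dst + off, chunk);
    }
    memcpy(dst, src, len);
}

/* Pretend file load: input is "<count>:<title>"; it dirties g_doc and claims
 * a scratch buffer the real program would only free when the file is closed. */
static void load_document(const char *input) {
    int n = atoi(input);
    const char *title = strchr(input, ':');
    title = title ? title + 1 : "untitled";
    size_t tlen = strlen(title);
    if (tlen >= sizeof g_doc.title) tlen = sizeof g_doc.title - 1;
    char tmp[sizeof g_doc.title];
    memcpy(tmp, title, tlen);
    tmp[tlen] = '\0';
    store_bytes(&g_doc.records, &n, sizeof n);
    store_bytes(g_doc.title, tmp, tlen + 1);
    (void)tracked_malloc((size_t)(n > 0 ? n : 1) * 64);
}

/* One accelerated iteration: save, load the fuzz case, restore. Returns 1 only
 * if the case changed state AND every byte came back, the property the whole
 * scheme depends on (a missed write shows up later as bug chaining). */
int fuzz_iteration(const char *input) {
    doc_state before = g_doc;
    checkpoint_save();
    load_document(input);
    int changed = memcmp(&before, &g_doc, sizeof g_doc) != 0;
    checkpoint_restore();
    return changed && memcmp(&before, &g_doc, sizeof g_doc) == 0;
}
```

Calling fuzz_iteration("3:report") returns 1 and leaves checkpoint_pending_allocs() at 0; a 0 return means the restore missed a write and the next case would start from a dirty image.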
<br />
<br />
<b style="color: lime;">Random notes</b><br />
<ol>
<li>Bug chaining is a high possibility using this technique so verify several test cases back if you get a result which doesn’t repeat without PIN. </li>
<li>It might be that in some cases you need to save less than all the context (my example saves all context). It is possible to do so to save overhead and then just modify IP using the proper PIN API.</li>
<li>The first test cases will appear slow; that is to be expected and is caused by JITing. If you stop the fuzzing and restart it you have to pay the JITing overhead again.</li>
<li>If you see major slowness after the early test cases, consider modifying the PIN code cache size parameters (look in the command line).</li>
<li>Don’t forget to log things like the current fuzz file name to somewhere outside the process you're fuzzing. If you use a log file make sure to flush it. While it seems trivial it is very easy to miss a test case like this.</li>
</ol>
<br />
<br />
Well, that's it for today. If you have practical questions or comments feel free to leave those.<br />
<br />
I hope you enjoyed this post,<br />
--<br />
G.D<br />
<a href="https://twitter.com/gal_diskin" target="_blank">@gal_diskin</a><br />
<br />
<b>HITB Amsterdam 2012 Materials</b> (2012-06-01)<br />
Hi All!<br />
HITB Amsterdam was an awesome conference. I hope you enjoyed it as much as I did. Thanks to all the organizers - you did an awesome job! Also thanks to everyone that attended my presentation you were a great audience, albeit sometimes quiet (shocked?!). :-)<br />
<br />
Following HITB I wanted to make sure all of you know where to get the materials if you need those. The presentation is <a href="http://conference.hitb.org/hitbsecconf2012ams/materials/D1T3%20-%20Gal%20Diskin%20-%20Hacking%20Using%20Dynamic%20Binary%20Instrumentation.pdf">here</a>, the source code for the pintool examples can be found <a href="https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B7dCwoxC3buLMWE5ZGU3MzEtOGJiMy00ZDAyLTk1NDUtNGQ0ZDJlNGRmMWIx&hl=en_US">here</a>. If you are looking for more explanations of each of the code samples see <a href="http://www.diskin.org/2011/08/post-vegas-post-blackhat-def-con.html">this post</a>. <br />
<br />
Recently I've had a lot of discussions with people that attended the presentation in Amsterdam, and with others, regarding check-pointing techniques - mostly for the sake of using check-pointing to perform high speed fuzzing, but for various other usages as well. Since this seems like a topic that interests many people I've decided to write a blog post detailing some of the practical considerations in implementing such systems. Look forward to this post soon.<br />
If you'd like to request a post on a specific topic feel free to let me know what it is, though I make no promises...<br />
<br />
Cheers!<br />
G.D<br />
<br />
<b>Rebirth / Getting ready to HITB Amsterdam 2012</b> (2012-05-23)<br />
Hi all,<br />
After a long period of not posting I'm finally back. A lot has happened in this period but most importantly I got married to my gorgeous wife Sonia. Due to the marriage preparations and some changes at work I didn't spare much time for personal research and publications. I currently have about five incomplete research projects. I am not going to make promises that I might not keep but I definitely plan to resume writing here and publishing new research in conferences.<br />
<br />
I'll be giving a special edition of my instrumentation workshop in HITB Amsterdam on 24/May (known as a lab session in HITB speak). After learning a lot from the previous times I presented about instrumentation and improving my material I seriously believe that this will be the best edition ever. My only regret was that I had to cut down a lot of material due to the two hour presentation time. Normally people have trouble creating enough material for a two hour presentation so I guess I should count myself lucky. I've got a lot of goodness I want to put in and not enough time to talk about everything and show the demos.<br />
Even so there is some awesome stuff included: automated vulnerability detection & prevention, fuzzing acceleration techniques, program visualization (good for anomaly detection and similarity detection), covert debugging (practically a built-in feature in PIN) and an introduction to automated exploitation.<br />
<br />
If you're interested in automated exploitation look forward to my next conference talk, possibly in hack.lu (if I'm ready by then).<br />
<br />
<b>If you're attending HITB Amsterdam 2012 I hope you'll come listen. </b>If not you're welcome to say "hi" (or share a beer) anytime - I'll be happy to meet anyone that reads what I write here.<br />
<br />
Cheers,<br />
Gal Diskin<br />
<br />
<b>Post Vegas Post - BlackHat / DEF CON Workshop Materials, Notes and Some Mess</b> (2011-08-13)<br />
Hi All,<br />
I've finally solved some internet access problems and can upload the materials I wrote for my BH and DEF CON workshops. For those in a hurry the materials are here: [<a href="https://docs.google.com/leaf?id=0B7dCwoxC3buLMTRlZGFiYmUtYThkZS00ODZhLWFjNjgtMDAwZmJmODkxOGYx&hl=en_US">presentation</a>] [<a href="https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B7dCwoxC3buLMWE5ZGU3MzEtOGJiMy00ZDAyLTk1NDUtNGQ0ZDJlNGRmMWIx&hl=en_US">code examples</a>]. If you want to catch me giving this workshop (in a somewhat modified version) come hear me in <a href="http://hack.lu/">hack.lu</a>.<br />
BH & DC this year were great - great parties (except MS that initially didn't want to let me in until after the party started and I made other plans :P), some good talks and (re)meeting great people.<br />
Thanks again to everyone that came to listen to me.<br />
<br />
<b><u>Some notes regarding these materials: </u></b><br />
<ul><li>Please note that the presentation was not written with offline reading in mind so it might make a hard read in some places. Questions are welcome in the comments.</li>
<li>The Defcon presentation is mostly a variant of the BlackHat one (or vice versa) which is why I did not include both.</li>
<li>The examples might be included in the official Pin distribution some day. For now I'm going to start a page on this website to preserve these materials. If you have any submissions of updates, fixes or additional examples you want included, send those to me. Notifications of updates will be published via twitter.</li>
<li>Since I was lazy and intended to control the length of my presentations by deciding what to include in the demos on the fly the details of the demos / examples mostly do not appear in the presentation itself. That is why I've included notes about the demos and examples below. Please note the examples were written with educational purposes in mind and not </li>
<li>The end of the presentation contains a ton of references to all sorts of DBI usages for security or whitepapers on the subject - highly recommended read for those interested in the field.</li>
</ul><b><u>Examples and demos:</u></b><br />
<ul><li><b>Exploiter1</b> - An example of automated exploit development for classic stack buffer overflows and assuming no DEP and ASLR. If you had it 5-7 years ago you could write a worm that would actually "multiply" and learn new attack vectors as it goes along (muhahaha :D). I'm intentionally releasing this degenerate version so as not to provide people that couldn't write this code alone with the ability. If you're interested in full capabilities along these lines - contact me privately, I'm considering it. I might write a longer blog post on this subject (if I ever get time to write).</li>
<li><b>InMemFuzz </b>- An example of in-memory fuzzing and of using checkpointing to accelerate fuzzing. Please note the checkpointing part only covers registers. One of the exercises in the Defcon workshop was to complete it. Again, a blog post on this will be added to the fuzzing series if / when I have time.</li>
<li><b>RetAddrProtect </b>- An implementation of the "shadow stack" method to defend against return address overwrites in your program. I originally invented this method for some job back in early 2004, not knowing that the term "shadow stack" existed; I called it "protection stack" and only very recently discovered the proper name for it, which is why (since I'm lazy) the tool still calls it "protection stack". See the work from Caro'11 by MS guys on the matter (link in the presentation).</li>
<li><b>Taint 1-3 -</b> Examples of basic taint analyzers. These are simple examples that only handle the propagation of taint through the MOV class of instructions. The first outputs some of the dataflow, the second improves the log to show only taint flow and the third adds tracking of the taint source.</li>
<ul><li><b>Taint_vis_2D</b> - is a script that is meant to show how a very simple (practically dumb) visualization of taint is still very useful to us compared to reading log files. Read the source to understand how it works.</li>
</ul><li><b>Program data-flow visualization </b>- Two examples of memory visualizations are included in the kit. Those are meant for working with a recording of all memory accesses generated by the "pinatrace" (memory access trace) example from the official Pin kit. When executed on the log file generated by pinatrace these tools generate a 3D view of the program memory accesses that allows us to analyze the program visually. For example, it is fairly easy to identify loops and extrapolate potential usages of those loops. To understand the information generated: one axis represents the address, the second represents the PC location at the time of the memory access and the third axis represents the order of the operations. Blue means a read, red means a write. You can navigate through the visualizations using the mouse (zoom in/out and rotate). Again, if you're interested in advanced taint / data-flow visualization capabilities I'm open to discussion privately. See example images below.</li>
<li><b>Anti Debug </b>- the first anti debug example is meant to show that Pin will not trip this anti-debug protection while using a debugger would. The second is meant to show that the transparent debug feature in Pin allows you to debug ignoring Anti-Debug techniques. Please note that the first example will trip the debugger under the transparent debugger - if you want transparent debugging to work on it you need to write a pintool (which was meant as education / exercise).</li>
<li><b>Double Free </b>- An example of how to detect potential double free cases. Some might say that it is less relevant due to the fact that it is a fairly easy task using static analysis and modern libc protections; however, sometimes you don't have the luxury of access to the source code, or you work on legacy systems where it becomes relevant. In addition, vulns like the OpenSSH double-free race condition vulnerability would not normally be caught by a static analyzer looking for double free.</li>
<li><b>Malloc Fault injection</b> - this simple PinTool does exactly what the name suggests: it injects malloc failures into the program at a random interval. For our case I set the frequency to be very high (every ~100 calls to malloc); it is interesting to note that the Linux loader and libc initializations usually fail intelligibly with a reasonable message.</li>
<li><b>VulnEx# </b>- these are vulnerable code examples to run the tools on - each example purpose is documented.</li>
</ul><u><b>Pretty Pictures:</b></u><br />
Here are some pictures of visualizations with a small explanation on how to read those. These are based on the very early work of the OS loader in Linux while starting to execute "ls". If you're looking for why I chose this specifically the answer is "because", or in detail - because it fit me at that specific moment (yeah, I'm lazy).<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinCc9f3sGPi1W2tHWYqqnfZmmhLTMn0CTdoJmSXzXP4ZAfmP_oyY2v7DfPIF4sc8jM_D9zr_zzAC7MtzuE4EKHEopuxOPSKhfbGx969MrfbOFa6tc-nlPEXhZPt6kkDvmbiM9qkDx8mTs/s1600/sample_visualization1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="569" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinCc9f3sGPi1W2tHWYqqnfZmmhLTMn0CTdoJmSXzXP4ZAfmP_oyY2v7DfPIF4sc8jM_D9zr_zzAC7MtzuE4EKHEopuxOPSKhfbGx969MrfbOFa6tc-nlPEXhZPt6kkDvmbiM9qkDx8mTs/s640/sample_visualization1.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Notice the series of memory read-writes a little up and to the right from the center - this is a loop, almost certainly with a counter. Since no other memory writes are visible, most probably this is a search loop or a loop related to register calculation</td></tr>
</tbody></table><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR-MQumjD-_IG34VK3iwpErMVNEvVdzfzM5TSH5DTdn_OHqtv67xUkHu-MZFzIvZSHapWh27B1qdx83x6U4RKJ314mA8Z1DZWw3qurdkBcW3Vb6JDLTKfQ1JpKcUOcBAOft2CP_F2b_7U/s1600/sample_visualization4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="442" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR-MQumjD-_IG34VK3iwpErMVNEvVdzfzM5TSH5DTdn_OHqtv67xUkHu-MZFzIvZSHapWh27B1qdx83x6U4RKJ314mA8Z1DZWw3qurdkBcW3Vb6JDLTKfQ1JpKcUOcBAOft2CP_F2b_7U/s640/sample_visualization4.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Same loop as before, now a little to the left from the center and depicted using separate lines for reads and writes. Note that it is now almost certain that the top red line represents some sort of counter.</td></tr>
</tbody></table><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV2nMpiLbKoaYyPHvQpflRShwQw6fTl2_clJtGaI8oXNNCTLtGSw4szOKdcOaVE7Io5Afz5o_-Ix7g2DTcOoBB2ZpKVp9GkS2ntFWwCNGmi1AKorIXV-tGPNyVqs11MOa2QF9bRd-LQZk/s1600/sample_visualization3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="536" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV2nMpiLbKoaYyPHvQpflRShwQw6fTl2_clJtGaI8oXNNCTLtGSw4szOKdcOaVE7Io5Afz5o_-Ix7g2DTcOoBB2ZpKVp9GkS2ntFWwCNGmi1AKorIXV-tGPNyVqs11MOa2QF9bRd-LQZk/s640/sample_visualization3.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">In the center and a little below and to the right notice another loop - note the symmetry in the relative positions of the reads and writes. Figuring out what it probably is is left as an exercise to the reader :P (you can also see this same loop from the top in the first picture, to the left of the center)</td></tr>
</tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ9DH5VTwUMpwE08gj_Gxt3E6vnA-cDfTYlADFBH-w6rAPbXFmWKbwgV6_5SYAm_Gifi9K1PO-6n8wECI6nOUbGtF3dWeXWuh_eNpqVQLDgQCMy-oLh-yIkliQpb1hg97nWA1yy5lFNEs/s1600/sample_visualization2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ9DH5VTwUMpwE08gj_Gxt3E6vnA-cDfTYlADFBH-w6rAPbXFmWKbwgV6_5SYAm_Gifi9K1PO-6n8wECI6nOUbGtF3dWeXWuh_eNpqVQLDgQCMy-oLh-yIkliQpb1hg97nWA1yy5lFNEs/s640/sample_visualization2.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">~1000 memory accesses; note that blocks with relations are easily identifiable. Easy to see that a filtering capability is very valuable. Finding more interesting patterns will require some more staring.</td></tr>
</tbody></table><br />
BTW, the ZIP files on google docs are downloadable - through "file" -> save original<br />
<br />
<b>-- The End (for today)</b><br />
Please leave a comment and share if you liked it.<br />
<br />
Posts or possibly talks or whitepapers in planning / phases of writing, though I don't know when I'll get to each particular item: "how I would go about blowing up batteries if I was 0xcharlie" (pending legal review - meaning it is too close to my work research and besides if batteries start blowing up there could be trouble...), "Fuzzing series part 2 - monitoring OR why I'm tired of hearing about !exploitable", "fuzzing series part 3 - fuzzing protocols from the RFCs using semi-context aware grammars", "how to attack HW using SW" (pending legal review - again close to work stuff), "Enough with the code coverage! - feedback driven fuzzing based on data coverage and taint analysis", "old/new heap attacks", "increasing exploit reliability". Every post or potential talk depends on popular demand, free time and me not getting sued.<br />
<br />
-- Gal<br />
<br />
<b>The 3 phases of fuzzing</b> (2011-06-07)<br />
This post is going to be the first of a few discussing the art and science of fuzzing.<br />
<br />
Sooner or later we all fuzz something. When we do, it is important to us (or at least to me) to spend time wisely to maximize results with minimal effort. Some people think that only fuzzing dumbly and quickly is the way to go, while others think that only smart fuzzing will bring results against targets that have had any prior fuzzing done on them. I think both are wrong. For those that support dumb fuzzing I will point out the <a href="http://research.microsoft.com/en-us/um/people/pg/public_psfiles/sage-in-one-slide.pdf">MS SAGE</a> work that found a ton of stuff after they ran dumb fuzzing on their applications. For those supporting only smart fuzzing I'd point to the <a href="http://djtechnocrat.blogspot.com/2010/10/dumb-fuzzing-flash-player-zero-day.html">Adobe 1-byte bug</a> found by a dumb fuzzer not too long ago.<br />
<br />
So, here is my take on the question of dumb, smart or in-between fuzzing:<br />
<ol><li>In every project we should start with dumb fuzzing - making sure we don't miss the obvious by making our fuzzer too smart. This should happen in day one, as soon as we have a minimal understanding of the project we should write some dumb fuzzer and start running it - this is CPU cycles well spent. Usually we'll find something this way. We must also keep adjusting our </li>
<li>As we go on we start gaining a more in-depth understanding of the project we're working on. This is the time to start developing a smarter fuzzer. It is important to start from a slightly "dumb" smart fuzzer. Meaning one that has a minimal knowledge of the protocol or implementation details. We should have some hints on how to focus this fuzzer from our initial dumb fuzzer and what we found (or didn't find) there.</li>
<li>Finally it's time to bring out the big guns - we must build our "ultra smart" fuzzer. This one should be an evolution of the initial slightly "dumb" smart fuzzer we wrote. It should be based on our findings during the project - from fuzzing and from other stuff we did.</li>
</ol><br />
Well, that was my general view on fuzzing. The next post or posts will discuss why I'm tired of !exploitable, or the question of monitoring while fuzzing, and will share a small tool / Python code I'm working on whose purpose is to make a "somewhat context aware" fuzzer for <a href="http://en.wikipedia.org/wiki/Context-free_grammar">context free grammars</a>. The final aim of this tool is to be able to fuzz stuff immediately from the <a href="http://en.wikipedia.org/wiki/Backus%E2%80%93Naur_Form">BNF</a> description found in many <a href="http://en.wikipedia.org/wiki/Request_for_Comments">RFCs</a>.<br />
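As an added example (not the author's tool, and not from this post), here is a small Python sketch of phase 1 next to phase 2: a dumb byte mutator for a seed input, and a grammar-aware generator that derives test inputs straight from a BNF description, the way the post describes for context free grammars. The BNF below is a constructed toy grammar for an HTTP-like request line, not a real RFC grammar, and the `::=` / `<name>` / `"literal"` notation it parses is an assumption of this example.

```python
"""Added example: phase-1 dumb mutation vs. phase-2 BNF-driven generation."""
import random
import re

# Constructed toy BNF (NOT a real RFC grammar): an HTTP-like request line.
# Literals must not contain '|' because alternatives are split on it.
TOY_BNF = """
<request> ::= <method> " " <path> " HTTP/1." <digit>
<method>  ::= "GET" | "POST" | "HEAD"
<path>    ::= "/" | "/" <segment> <path>
<segment> ::= <alpha> | <alpha> <segment>
<alpha>   ::= "a" | "b" | "c"
<digit>   ::= "0" | "1"
"""

# A token is either <nonterminal> or a "quoted literal".
_TOKEN = re.compile(r'<([^>]+)>|"([^"]*)"')


def parse_bnf(text):
    """Parse '<lhs> ::= alt | alt' lines into {name: [[token, ...], ...]}.
    Each token is ('nt', name) for a nonterminal or ('t', literal)."""
    grammar = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        lhs, rhs = line.split("::=", 1)
        name = lhs.strip()[1:-1]          # strip the angle brackets
        alternatives = []
        for alt in rhs.split("|"):
            seq = []
            for m in _TOKEN.finditer(alt):
                if m.group(1) is not None:
                    seq.append(("nt", m.group(1)))
                else:
                    seq.append(("t", m.group(2)))
            alternatives.append(seq)
        grammar[name] = alternatives
    return grammar


def derive(grammar, symbol, rng, depth=0, max_depth=8):
    """Randomly expand `symbol`. Past max_depth, take the alternative with the
    fewest nonterminals so recursive rules (<path>, <segment>) bottom out."""
    alts = grammar[symbol]
    if depth >= max_depth:
        alt = min(alts, key=lambda a: sum(1 for kind, _ in a if kind == "nt"))
    else:
        alt = rng.choice(alts)
    out = []
    for kind, value in alt:
        if kind == "t":
            out.append(value)
        else:
            out.append(derive(grammar, value, rng, depth + 1, max_depth))
    return "".join(out)


def grammar_fuzz(bnf_text, start, count, seed=0):
    """Phase 2 ("slightly dumb" smart fuzzer): structurally valid inputs
    generated from the BNF alone, with no knowledge of the implementation."""
    grammar = parse_bnf(bnf_text)
    rng = random.Random(seed)
    return [derive(grammar, start, rng) for _ in range(count)]


def dumb_mutate(seed_input, rng, rounds=3):
    """Phase 1 (dumb fuzzer): flip, insert or delete a few random bytes of a
    known-good sample, with no idea of what the bytes mean."""
    data = bytearray(seed_input)
    for _ in range(rounds):
        op = rng.choice(("flip", "insert", "delete"))
        if op == "flip" and data:
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == "delete" and len(data) > 1:
            del data[rng.randrange(len(data))]
    return bytes(data)


def dumb_fuzz(seed_input, count, seed=0):
    rng = random.Random(seed)
    return [dumb_mutate(seed_input, rng) for _ in range(count)]


# Oracle for the toy grammar: every derivation of <request> must match this.
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (?:/[abc]+)*/ HTTP/1\.[01]$")


def is_valid_request_line(s):
    return REQUEST_LINE.match(s) is not None


if __name__ == "__main__":
    for s in grammar_fuzz(TOY_BNF, "request", 5):
        print(repr(s), "valid" if is_valid_request_line(s) else "INVALID")
    for b in dumb_fuzz(b"GET / HTTP/1.0", 5):
        print(b)
```

The grammar-derived inputs all pass the structural oracle, so they exercise the logic behind the parser rather than the parser's error paths, which is exactly what the dumb mutants of the seed line hit first.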
<br />
-- GalGal Diskinhttp://www.blogger.com/profile/07800877129438051009noreply@blogger.com0tag:blogger.com,1999:blog-2373759610279545986.post-74864257106741964692011-06-07T14:58:00.000+03:002011-06-07T14:58:56.022+03:00BlackHat USA & Defcon 19It's been a while since I last wrote something here. I've been busy with work and working on conference stuff. I've been accepted to give a workshop on DBI at <a href="http://blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Diskin">BlackHat</a> and <a href="https://www.defcon.org/html/defcon-19/dc-19-speakers.html">Defcon</a> (my workshop is not listed yet on the Defcon website) in August.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Nk6WskRurrSihePXiVkFAq2J0Q6lnmKZZqIlYTppfiogBs7KQlboGGT1AUVHH0gJacoq9816x6LJJckVHzcSPAS0N41chzNyFJEjUfQjYNJKvDAlNKs9FOtNFmHh-lUu8jp0Y66Uhbc/s1600/bh-us-11-125x125-speaker.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Nk6WskRurrSihePXiVkFAq2J0Q6lnmKZZqIlYTppfiogBs7KQlboGGT1AUVHH0gJacoq9816x6LJJckVHzcSPAS0N41chzNyFJEjUfQjYNJKvDAlNKs9FOtNFmHh-lUu8jp0Y66Uhbc/s1600/bh-us-11-125x125-speaker.png" /></a></div>This means a lot of work making the workshop and preparing to talk. Couple it with being busy at work and having to go on reserve duty in the IDF for two weeks starting next week and you will understand why I barely have time to write something. Anyways I've decided to post some thoughts and incomplete works here soon so it doesn't get boring so stay tuned.<br />
<br />
Since I'm giving a workshop on DBI I'm now looking for all published works, to review the existing art known in the market and probably reference it. <b><i><span style="font-size: large;">If you have anything you did, read or know of that uses DBI for security - using PIN or any other DBI engine - please share it with me here or on <a href="https://twitter.com/#%21/gal_diskin">Twitter</a></span></i> </b>You are also welcome to send me an email (if you can't figure out an address, you probably shouldn't reach me by email).<br />
<br />
-- GalGal Diskinhttp://www.blogger.com/profile/07800877129438051009noreply@blogger.com0tag:blogger.com,1999:blog-2373759610279545986.post-60037324297110893552011-05-07T17:49:00.000+03:002011-05-07T17:49:14.311+03:00Binary Instrumentation for Hackers<div style="font-family: Calibri; font-size: 11pt; margin: 0in;">I've been planning to write something about the "Binary Instrumentation for Hackers" presentation I gave at the <a href="http://www.dc9723.org/Main_Page">Israeli Defcon user group (DC9723)</a> on 26 April right after the presentation, but I kinda got sidetracked (which I will try to avoid from now on). At first I waited for the video to be online, but right now I don't know if and when it will be online, and later I got too busy with some work. Anyways, my slides are available <a href="http://files.dc9723.org/binary_instrumentation_dc9723.pdf">HERE</a> and if the video is uploaded it will be <a href="http://www.youtube.com/user/dcg9723">HERE</a> (the slides are in English but the presentation was given in Hebrew). I'd like to thank the DC9723 organizers for having me, I hope to come back again someday.</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">Also, the slides from my lightning talk at <a href="http://hackitoergosum.org/">Hackito Ergo Sum</a> 2011 are up with the other conference slides <a href="http://www.slideshare.net/event/hackito-ergo-sum-2011/slideshows">HERE</a>.</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">I have (today) sent submissions of workshops and talks on the subject of binary instrumentation to <a href="http://www.blackhat.com/html/bh-us-11/bh-us-11-home.html">BlackHat USA</a> & <a href="https://www.defcon.org/html/defcon-19/dc-19-index.html">Defcon 19</a> (check out the Defcon site, it just opened); hopefully I'll get a chance to talk about some awesome stuff with the great people attending these cons.</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
Oh, and if anyone happens to be in Amsterdam next week (15-21) for <a href="http://conference.hackinthebox.org/hitbsecconf2011ams/">HITB</a>, I'm there on business. I won't attend HITB but would love to meet anybody that actually reads my blog for a beer in the evening.</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">While we're at it, if you are at HITB don't miss <a href="http://www.ikotler.org/">Itzik</a>'s & <a href="http://imthezuk.blogspot.com/">Zuk</a>'s presentations - I know they have some kwel stuff planned. I also recommend going to see whatever <a href="http://travisgoodspeed.blogspot.com/">Travis Goodspeed</a> & <a href="http://www.criscio.net/">Claudio Criscione</a> present - I haven't talked with them about the details of their presentations but they usually do great stuff. </div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">(yeah, in case it was unclear: I'm disappointed to be in Amsterdam at the same time HITB happens and not attend HITB).</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">-- Gal</div>Gal Diskinhttp://www.blogger.com/profile/07800877129438051009noreply@blogger.com3tag:blogger.com,1999:blog-2373759610279545986.post-74191174098745660682011-04-09T23:49:00.000+03:002011-04-09T23:49:34.477+03:00Hackito Ergo Sum 2011 - Day 3 (and last)<div style="font-family: Calibri; font-size: 11pt; margin: 0in;">Day 3 was another great day: we had a couple of cybercrime talks, Ruby on Rails, DNIe, USB autorun for Linux and the solution to the conference crackme. I want to take the chance to thank the organizers: I really enjoyed this conference, the people were great and the talks interesting, and I hope to be back next year, maybe even to present a talk.</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">As usual I welcome comments, either here or directly to me - feel free to let me know anything constructive. </div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><span style="font-weight: bold; text-decoration: underline;">Raoul Chiesa / Keynote</span></div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">Raoul's keynote focused on cybercrime and <a href="http://www.unicri.it/institute/">UNICRI</a> and their <a href="http://www.unicri.it/emerging_crimes/cybercrime/cyber_crimes/hpp.php">hacker profiling project (HPP)</a>. Cool quote - <i>"you got information, you got power"</i>. The talk was cool and included parts focusing on who's behind cybercrime that I won't recount here, out of respect for the fact that he asked not to record anything during these parts of the talk. He shared his views on why cybercrime works:</div><ul><li><span style="font-family: Calibri; font-size: 11pt;">New users every day = new fools every day</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Making money (fits the economic crisis)</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Technical know-how is easy to get</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Back in the day we worked hard to get something</span></li>
</ul><li><span style="font-family: Calibri; font-size: 11pt;">Easy to recruit idiots ("mules")</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Psychological - "they will never find me/bust me"</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Psychological - Lack of violent actions</span></li>
</ul><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">And how HPP classifies hackers:</div><ul><li><span style="font-family: Calibri; font-size: 11pt;">Amateur</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Wanna be lamer (9-16)</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Script kiddie (10-18)</span></li>
</ul><li><span style="font-family: Calibri; font-size: 11pt;">Hobbyist</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Cracker (17-30)</span></li>
</ul><ul><li><span style="font-family: Calibri; font-size: 11pt;">Ethical hacker (15-50)</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Quiet, paranoid, skilled hacker (16-40)</span></li>
</ul><li><span style="font-family: Calibri; font-size: 11pt;">Pros</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Cyber warrior (18-50)</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Industrial spy (22-45)</span></li>
</ul><ul><li><span style="font-family: Calibri; font-size: 11pt;">Gov agent (25-45)</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Military hacker (25-45)</span></li>
</ul></ul><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">He had a lot of interesting stuff to say and the talk actually went overtime. I can't possibly begin to recount even the public parts of the talk in a short summary but I highly advise you to listen to him if you get a chance.</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><span style="font-weight: bold; text-decoration: underline;">Joernchen of Phenolit / Ruby on Rails from a code auditor's perspective</span></div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">This talk focused on how to audit Ruby on Rails (RoR) code. Key points:</div><ul><li><span style="font-family: Calibri; font-size: 11pt;">3 layers called MVC - Models, Views, Controllers - review them</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Start from the controllers</span></li>
</ul><li><span style="font-family: Calibri; font-size: 11pt;">Look at the database</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Look at the filters</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">RoR has some fancy magic that can go wrong - for example: mass assignments (CCC.de had a vuln because of using this)</span></li>
</ul><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">Nice talk, and definitely someone you should talk to if you audit RoR; personally this isn't one of my focus areas. </div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><span style="font-weight: bold; text-decoration: underline;">Gabriel Gonzalez Garcia / Man in the Remote: PKCS 11 for fun and profit</span></div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">This talk focused on ways to defeat the <a href="https://www.eid-stork.eu/index.php?option=com_content&task=view&id=189&Itemid=69">DNIe</a>, which is the Spanish government system of digital IDs used for authentication and non-repudiation certificates. Basically he implemented an attack on the untrusted-terminal problem: the PC sits between the DNIe device and whatever it authenticates to. There are two ways to use the DNIe for web auth: a Java applet, or SSL + client certificate. The device itself has an EAL 4+ certification and defends against most hardware tampering attacks. What he found were two practical attacks on the terminal:</div><ol><li><span style="font-family: Calibri; font-size: 11pt; font-style: normal; font-weight: normal;">Write a fake interface library that acts as an RPC server connecting his machine with a remote DNIe</span></li>
<li><span style="font-family: Calibri; font-size: 11pt; font-style: normal; font-weight: normal;">Write a fake java applet that acts as the proxy and runs on the client machine (easier)</span></li>
</ol><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">He proposed a solution that I personally disagree with: "distance bounding", i.e. measure the response time and disallow slow responses. </div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><span style="font-weight: bold; text-decoration: underline;">Jon Larimer / USB autorun attacks against Linux</span></div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">This talk focused on how to implement autorun attacks against Linux and showed one successful attack. To be exact, it is successful against GNOME. First of all, the <a href="http://freedesktop.org/">freedesktop.org</a> specs forbid systems from running code without asking the user. That being said, a lot of processing is done when a new storage device is connected: file system drivers execute, file browsers read the contents and thumbnailers create thumbnails. These attacks basically require physical access, which usually means "game over" because you can use DMA attacks using 1394 vulns and other attacks like cold boot attacks. However, assuming the latter is complicated for you and you are on a system where protections against 1394 DMA attacks were implemented, you need another way. From here on Jon described his research process, which I will skip to go directly to the end: he decided to focus on the thumbnailers used by Nautilus (the GNOME file manager). He found a vulnerability in the Evince thumbnailer for DVI files (among others). Luckily (or unfortunately, depending on your view) Evince uses AppArmor and is compiled as PIE; in addition the kernel has ASLR enabled (but it is a 32-bit system). He worked on overcoming this:</div><ul><li><span style="font-family: Calibri; font-size: 11pt;">ASLR and PIE can be defeated by brute forcing - </span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">On a 32bit system there are only about 3000 addresses that the Linux kernel can load libc to. </span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Using this we can just generate 3000 files - 1 for each address</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Loading will be slow (about 10 min), but success is almost sure</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">An interesting result he found was that in his statistics around 10% of the addresses were used significantly more than others</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">So you can create only about 300 files and have high chance of success</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">He says he didn't research why this is. This is something that someone should really pay attention to.</span></li>
</ul></ul><li><span style="font-family: Calibri; font-size: 11pt;">AppArmor can be worked around</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Doesn't protect against X11 library calls</span></li>
</ul></ul><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">He showed a demo of killing the lockscreen using a USB stick. Jon Oberheide added an interesting comment that there is a rather new layer for partition parsing in Linux that has had a lot of bugs recently.</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><span style="font-weight: bold; text-decoration: underline;">Yuval Vadim Polevoy / Money is in the eye of the beholder: new and exciting ways to steal your money</span></div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">This talk again focused on cybercrime. Yuval is from the RSA research lab and is really interesting to talk to. He focused on how cyber-criminals make money and on the underground economy. I will recount some of the most interesting points; I'm not sure I can do justice to the details, but that is the cost of summarizing...</div><ul><li><span style="font-family: Calibri; font-size: 11pt;">A cybercrime operation requires:</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Bots</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Campaign </span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Drop point</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Bot plugins</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Hiring & managing mules</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Establishing covert channels</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Maintain fast-flux (optional)</span></li>
</ul><li><span style="font-family: Calibri; font-size: 11pt;">The skill set required for that is:</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Low level programmer</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">0day researcher</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Spammer</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Hosting owner</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">JS programmer</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">HR recruiter</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">E-commerce expert</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">IT specialist</span></li>
</ul></ul><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">These are too many skills for most people, so the common solution nowadays is outsourcing parts of this effort to others. </div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">To finish, he focused a bit on the future techniques that malware authors will use, in particular screen grabbing. Yuval showed a demo of two techniques that can be used for screen grabbing in Windows, thus defeating on-screen keyboards and allowing other stuff like cheating in online poker…</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><span style="font-weight: bold; text-decoration: underline;">Eloi Vanderbéken / Hackito Ergo Sum crackme</span></div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">To finish, Eloi talked about the <a href="http://www.moonsols.com/Hackito2011/Hackito2011_Crackme.rar">crackme</a>. I won't go into all the details but here are the highlights: </div><ul><li><span style="font-family: Calibri; font-size: 11pt;">Verification alg - based on modified RC4</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Obfuscation</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Inst. Mutation</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Control flow graph obfuscation</span></li>
</ul><li><span style="font-family: Calibri; font-size: 11pt;">Encryption layers</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Direct native API call</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Using sysenter (also uses a lot of random invalid syscalls) which is why the crackme only worked on 32bit systems</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Anti-X</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Anti debugger</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Anti-instrumentation</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">This was especially interesting to me, in particular because Eloi used Pin as the example for instrumentation engine</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Detect hooks on KiUserExceptionDispatcher and KiUserCallbackDispatcher</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Detect stack reuse by instrumentation code: place a constant in esp-4, execute syscall, check constant</span></li>
</ul><li><span style="font-family: Calibri; font-size: 11pt;">Anti data-tainting </span></li>
</ul></ul><div style="font-family: Calibri; font-size: 11pt; margin: 0in;">This is definitely a respectable set of protections. Only 3 solutions were submitted. I might try to write a PinTool that will be able to handle all these protections and post it here if I can.</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><br />
</div><div style="font-family: Calibri; font-size: 11pt; margin: 0in;"><b>Well, that's it for Hackito this year - I hope you will read my future posts.</b></div>Gal Diskinhttp://www.blogger.com/profile/07800877129438051009noreply@blogger.com0tag:blogger.com,1999:blog-2373759610279545986.post-61899081180575135942011-04-08T22:17:00.000+03:002011-04-08T22:17:26.954+03:00Hackito Ergo Sum 2011 - Day 2Day two of HES 2011 brought even more awesomeness. I will summarize the talks here:<br />
<br />
<u><b>Keynote - Rodrigo Branco (BSDaemon) / Behind the scenes: security research</b></u><br />
First up was Rodrigo giving a keynote (which shows he is old :P). He focused on the state of the industry and mentioned several key points that might be debatable:<br />
<ul><li>there are a lot of snake-oil security experts, it's really hard to find real experts</li>
<li>0days are nowadays spreading in minutes to all vulnerable hosts</li>
<li>lots of "vulnerabilities" released are not exploitable or at best have an exploit that works only on the VM of the guy that developed it and nowhere else</li>
<li>The new generation of hackers is not coming - most of us grew up in a time where using a computer was a challenge, now it's just plug&play, GUI, etc...</li>
<li>he went into security myths common in the industry</li>
</ul>I'll settle for repeating two interesting points he made since this is a short summary:<br />
<ol><li>What is the difference between a rogue AV and a real AV?</li>
<ol><li>both do not guarantee anything</li>
<li>both have "premium options" you can buy</li>
<li>both have a nice GUI (although rogue AVs usually have a nicer one)</li>
<li>both will slow your system</li>
<li>both will have false alarms</li>
</ol><li>All companies benefit from having a security research team but you need to know how to build and work with one:</li>
<ol><li>Researcher brings real understanding of threats and security awareness</li>
<li>when choosing a researcher, select carefully</li>
<li>researchers are lazy, so define expectations, not a specific target</li>
<ol><li>if you know what you want you hire a developer, not a researcher</li>
</ol><li>your team has to travel</li>
<li>expect to buy tools</li>
</ol></ol><br />
<u><b>James Oakley and Sergey Bratus / Exploiting the Hard-Working DWARF</b></u><br />
Due to circumstances I couldn't avoid I had to miss this talk which is really worthwhile. I have done some work on DWARF for instrumentation but was interested to see it from an exploitation point of view, especially since they say it is Turing complete.<br />
Slides (from shmoocon actually): <a href="http://www.cs.dartmouth.edu/%7Eelectron/dwarf/">http://www.cs.dartmouth.edu/~electron/dwarf/</a><br />
<br />
<u><b>Jon Oberheide & Dan Rosenberg / Stackjacking Your Way to grsecurity or PaX Bypass</b></u><br />
In this talk the authors showed how to exploit the Linux kernel in spite of hardening mechanisms like grsecurity or PaX. They took an interesting approach - not focusing on a specific vulnerability, but making a minimal set of assumptions about the situation and showing that any vulnerability and situation satisfying these assumptions can be exploited.<br />
<br />
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Kernel protection Assumptions:</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Zero knowledge of kernel address space</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Fully randomized kernel text & data</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Cannot introduce new code into Kernel address space</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Cannot modify kernel control flow (e.g. data only - no ROP)</span></li>
</ul><li><span style="font-family: Calibri; font-size: 11pt;">Attacker assumptions:</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">#1: can do arbitrary kmem write</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">Requires some knowledge of the kernel layout, i.e. an information leak, to exploit</span></li>
</ul><li><span style="font-family: Calibri; font-size: 11pt;">#2: Kernel stack memory leak</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">AKA "the Dan Rosenberg" :P</span></li>
</ul></ul></ul><span style="font-family: Calibri; font-size: 11pt;">Taking this into account they developed a 3-stage exploitation technique: KSTACK leak --> stack groping --> overwrite a specific part of the thread_info struct. Going into details would require a whole post at least, so I will mention the highlights only; for more details try <a href="http://jon.oberheide.org/">Oberheide's homepage</a> (nothing up yet) or <a href="http://drosenbe.blogspot.com/">Dan's blog</a> (seems abandoned). For now I will focus on two points:</span><br />
<ul><li><span style="font-family: Calibri; font-size: 11pt;">In order to get all the information needed from a Kernel stack leak they developed a library called "libkstack" - it works with a leak of 3-bytes and up.</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Stack groping is the name for the techniques they invented in order to actually exploit</span></li>
<ul><li><span style="font-family: Calibri; font-size: 11pt;">kernel_ds - invented by Dan R. focuses on using set_fs() to change addr_limit in the kernel</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Obergrope - invented by Oberheide - uses a child process to clobber a process stack frame while it is inside a syscall (race condition)</span></li>
</ul></ul><span style="font-family: Calibri; font-size: 11pt;">Exploitation is pretty safe and takes about 1-2 minutes according to their demo.</span><br />
<u><b>Richard Johnson – A Castle Made of Sand: Adobe Reader X Sandbox</b></u><br />
This talk went into detail regarding Adobe reader sandboxing and security, here are my takeaways:<br />
<ul><li>Adobe started using ASLR and DEP, which is great, but only on new Windows systems. Also, the implementation seems partially lacking since some DLLs (e.g. encryption) are loaded at a pre-defined address.</li>
<li>Adobe is working on sandboxing using Windows process privileges and IPC limitations; a lot more work is required</li>
<li>need to implement security features for non-Windows platforms as well</li>
<li>need to compile for 64-bit - this will reduce the chances of spraying</li>
</ul><br />
<br />
<u><b>Aaron Portnoy & Logan Brown / Concentrated Fire: Black Box Auditing Adobe Shockwave</b></u> <br />
The guys from <a href="http://dvlabs.tippingpoint.com/">TippingPoint</a> gave a similar talk to the one from CanSecWest so no need to go deep here. Some cool stuff:<br />
<ul><li><span style="font-family: Calibri; font-size: 11pt;">They use a lot of Dynamic Binary Instrumentation to analyze SW</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">Shockwave uses a private memory manager called SmartHeap</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">they crowd-sourced the exploitation of the crashes they discovered during Recon</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">If Shockwave lacks a vulnerable component on your target don't worry - it will DL it for you :)</span></li>
<li><span style="font-family: Calibri; font-size: 11pt;">ZDI will not buy any more Shockwave bugs or touch Shockwave from now on!</span></li>
</ul><div style="margin-left: 40px;"></div><u><b><br />
</b></u><br />
<b><u><strong>Kevin Redon & Ravishankar Borgaonkar / femtocells : inexpensive devices to test UMTS security</strong></u></b><br />
<strong style="font-weight: normal;">For those of you that don't know, a <a href="http://en.wikipedia.org/wiki/Femtocell">femtocell</a> is a small cellular base-station that works in a really limited range. Basically your phone connects to the femtocell, which connects to your provider's network over the internet. The first part of the talk focused on taking control of the femtocell firmware; I will skip this except to note that they used the recovery mode, which shows how careful you need to be with such features. You can buy a femtocell in 12 countries, see the <a href="http://www.femtoforum.org/femto/">femto-forum</a> for details. Once you are in control you can do some cool stuff:</strong><br />
<ul><li><strong style="font-weight: normal;"><a href="http://www.slideshare.net/Garry54/a-maninthemiddle-attack-on-umts">MITM on UMTS</a> </strong></li>
<li><strong style="font-weight: normal;">Calls are only encrypted between the phone and the femtocell, then sent in clear text</strong></li>
<ul><li><strong style="font-weight: normal;">showed a demo (that failed first time) of recording a call and capturing SMS messages</strong></li>
</ul><li><strong style="font-weight: normal;">Provider networks assume full trust in players so no firewalls, protections, etc... </strong></li>
<ul><li><strong style="font-weight: normal;">seems like easy targets from their description, no actual details provided</strong></li>
</ul><li><strong style="font-weight: normal;">3G / 4G phones can be attacked by the femtocell acting as the network provider</strong></li>
<ul><li><strong style="font-weight: normal;">again, no details were provided</strong></li>
</ul></ul><strong style="font-weight: normal;">This is still research in progress and seems very promising. I recommend following it.</strong><br />
<strong style="font-weight: normal;"><br />
</strong><br />
<strong style="font-weight: normal;"><br />
</strong><br />
<strong style="font-weight: normal;"><u><b>Lightning Talks</b></u></strong><br />
<strong style="font-weight: normal;">There were 3 lightning talks today:</strong><br />
<ul><li><strong style="font-weight: normal;">First one was mine, I got manipulated into doing it while drinking beer over lunch but it was really fun.</strong></li>
<li><strong style="font-weight: normal;">I talked about <b>"Binary Instrumentation for Hackers"</b> </strong></li>
<ul><li><strong style="font-weight: normal;">I presented a few select slides from the talk I'm working on (see earlier posts) explaining what you can do with binary instrumentation, and an example <a href="http://www.pintool.org/">Pin</a> based binary instrumentation tool.</strong></li>
</ul><li><strong style="font-weight: normal;">After me Alex talked about his <b>Passive DNS</b> work</strong></li>
<ul><li><strong style="font-weight: normal;">See the <a href="http://pdns.circl.lu/">website</a></strong></li>
<li><strong style="font-weight: normal;">He showed a cool demo how it worked on the recent Lizamoon attack</strong></li>
</ul><li>Last talk for the day was joernchen on <b>Distributed Ruby </b>(dRuby) vulns</li>
<ul><li>to sum it up dRuby uses $SAFE which prevents you from calling arbitrary code (eval etc) by activating taint protection</li>
<li>unfortunately this doesn't work so well because you can still use syscall()</li>
<li>nice method to identify if you are on a 64-bit or 32-bit system by using syscall(20)</li>
</ul></ul><br />
<strong style="font-weight: normal;">Well that's it for today, I hope I can keep the pace and publish a summary tomorrow as well.</strong><br />
<strong style="font-weight: normal;"> </strong><b><u><strong><br />
</strong></u></b><div class="blogger-post-footer">Please visit the blog www.diskin.org and let me know your opinions</div>Gal Diskinhttp://www.blogger.com/profile/07800877129438051009noreply@blogger.com0tag:blogger.com,1999:blog-2373759610279545986.post-5970492561546717272011-04-07T20:26:00.000+03:002011-04-07T20:26:28.566+03:00Hackito Ergo Sum 2011 - Second half of the first dayShort summaries of the talks in the second half of the first day:<br />
<br />
<br />
<u><b>Itzik Kotler / Let Me stuxnet you</b></u><br />
Although the name of the talk has Stuxnet in it, it is not another one of those boring Stuxnet talks but focuses on Permanent DOS (PDOS) of your hardware using all sorts of methods. This research is still a work in progress.<br />
Several key concepts:<br />
<ul><li>SW can harm HW by making it perform harmful operations</li>
<li>SW can harm FW and cause it to do harmful operations</li>
<li>SW can take advantage of one piece of HW to harm another HW</li>
</ul>PDOS can be achieved in many manners:<br />
<ul><li>Phlashing - overwriting FW on Flash to brick parts</li>
<li>over-clocking</li>
<li>over-volting</li>
<li>over-using - esp. in mechanical parts</li>
<li>power cycling - uses temperature flection</li>
</ul>Can attack CPUs, GPUs, RAM, HDDs, SSDs, Flash, NICs, CRTs, floppies and more...<br />
Interesting focus on examples of how to implement these attacks so the user doesn't realize what is happening until the system dies.<br />
<br />
<u><b>Marc Heuse / Recent advances in IPv6 insecurities</b></u><br />
This is Van Hauser from <a href="http://www.thc.org/">THC</a>. First part of the talk focused on IPv6 basics. He then covered some attacks against IPv6 he released since 2005 and then went on to talk about new attacks - I'll try to cover everything real quick. In particular I liked the quote: <b><i>"if you start fuzzing things will blow up"</i></b>.<br />
First it is important to mention the <a href="http://www.thc.org/thc-ipv6/">THC IPv6 attack tool</a> he is developing, many parts of which are not yet released BUT if you join the dev team he is willing to share (and he is looking for help)... He also released a new version of <a href="http://www.thc.org/thc-hydra/">THC Hydra</a> during his talk.<br />
So, a real quick overview of IPv6 attacks he mentioned (only the headlines or I won't finish this post):<br />
<ul><li>ARP Spoofing => ND spoofing</li>
<li>Duplicate address detection DOS</li>
<li>Many ways to MITM using redirects</li>
<li>Using Autoconfig (like DHCP, but built into IPv6) to pretend to be a router</li>
<li>Replacing the default router using lifetime=0</li>
<li>Most Linux distros (and most systems in general) don't filter most IPv6 traffic, especially packets with weird headers</li>
<li>Can announce a remote network as local to spoof it</li>
<li>RA flooding - can DOS cisco, Netscreen, all Windows, FreeBSD, some Linux</li>
<li>you can detect systems sniffing on your local network</li>
<li>taking over as MLD</li>
<li>side channels in IPv6</li>
<li>techniques to identify remote systems (you can't scan a 16-octet address space!)</li>
</ul><br />
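Three of the attacks in that list (pretending to be a router via autoconfig, retracting the default router with lifetime=0, and RA flooding) all ride on ICMPv6 Router Advertisements, so the detection side is a small RA parser plus a few checks. The following is an added example written for this post, not code from the talk or from the THC IPv6 toolkit: it parses RA payloads per RFC 4861, compares each source against an allowlist of router link-local addresses and their MACs (assumed to be known to the operator), flags lifetime=0 retractions, RAs from unknown sources, a trusted router address carried with the wrong link-layer address (the usual way a retraction is spoofed), and sources announcing many distinct prefixes. The sample packets, addresses and the flood threshold are constructed for the example.<br />

```python
import struct
from collections import defaultdict
from ipaddress import IPv6Address, IPv6Network

# ICMPv6 Router Advertisement (RFC 4861 4.2), Source Link-Layer Address option (4.6.1)
# and Prefix Information option (4.6.2). The checksum stays 0: this example handles
# ICMPv6 payloads only, the real checksum covers the IPv6 pseudo-header.
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFORMATION = 3
RA_HEADER = "!BBHBBHII"  # type, code, csum, hop limit, flags, router lifetime, reachable, retrans


def build_ra(router_lifetime, prefixes, lladdr=None, hop_limit=64, flags=0):
    """Build a constructed RA payload for the sample data below."""
    payload = struct.pack(RA_HEADER, ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                          hop_limit, flags, router_lifetime, 0, 0)
    if lladdr is not None:  # type 1, length 1 (8 octets), 6-byte MAC
        payload += struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1, bytes.fromhex(lladdr.replace(":", "")))
    for prefix in prefixes:
        net = IPv6Network(prefix)
        # type 3, length 4 (32 octets): prefixlen, L|A flags, valid, preferred, reserved, prefix
        payload += struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                               0xC0, 2592000, 604800, 0, net.network_address.packed)
    return payload


def parse_ra(payload):
    """Parse an RA payload; raise ValueError on anything malformed rather than guess."""
    if len(payload) < 16:
        raise ValueError("too short for a Router Advertisement")
    (icmp_type, code, _csum, hop_limit, flags, router_lifetime,
     _reachable, _retrans) = struct.unpack(RA_HEADER, payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "flags": flags, "router_lifetime": router_lifetime,
          "prefixes": [], "lladdr": None}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:  # RFC 4861: zero-length option means discard the packet
            raise ValueError("zero-length option")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated option body")
        if opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            ra["lladdr"] = ":".join(f"{b:02x}" for b in payload[off + 2:off + 8])
        elif opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            ra["prefixes"].append(f"{IPv6Address(payload[off + 16:off + 32])}/{payload[off + 2]}")
        off = end
    return ra


def audit_ras(observed, trusted_routers, flood_threshold=10):
    """observed: list of (source link-local address, RA payload).
    trusted_routers: {link-local address: expected MAC}. Returns (source, finding) pairs."""
    findings = []
    prefixes_by_source = defaultdict(set)
    for src, payload in observed:
        try:
            ra = parse_ra(payload)
        except ValueError as err:
            findings.append((src, f"malformed RA: {err}"))
            continue
        prefixes_by_source[src].update(ra["prefixes"])
        if ra["router_lifetime"] == 0:
            # tells every host to drop this router from its default router list
            findings.append((src, "lifetime=0 (default router retraction)"))
        expected_mac = trusted_routers.get(src)
        if expected_mac is None:
            findings.append((src, "untrusted source"))
        elif ra["lladdr"] is not None and ra["lladdr"] != expected_mac:
            findings.append((src, "spoofed link-layer address for trusted router"))
    for src, prefixes in prefixes_by_source.items():
        if len(prefixes) >= flood_threshold:
            findings.append((src, f"RA flood: {len(prefixes)} distinct prefixes"))
    return findings


# Constructed sample: the real router, a retraction spoofing the real router's
# address from a different MAC, and one source flooding 40 different prefixes.
TRUSTED_ROUTERS = {"fe80::1": "00:11:22:33:44:55"}
SAMPLE_RAS = (
    [("fe80::1", build_ra(1800, ["2001:db8:1::/64"], lladdr="00:11:22:33:44:55"))]
    + [("fe80::1", build_ra(0, [], lladdr="de:ad:be:ef:00:01"))]
    + [("fe80::f00d", build_ra(1800, [f"2001:db8:{i:x}::/64"])) for i in range(1, 41)]
)

if __name__ == "__main__":
    for src, finding in audit_ras(SAMPLE_RAS, TRUSTED_ROUTERS):
        print(src, finding)
```

The MAC comparison only helps when the capture point sees the original frame (a host on the segment or a span port); once RAs are relayed you lose it, which is one reason the switch-side filter (RA Guard, RFC 6105) is the usual fix rather than host-side detection.<br />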
<br />
<u><b>Tarjei Mandt / Kernel pool exploitation on Win7</b></u><br />
This talk was too technical to go into details in a brief summary - <a href="http://mista.nu/blog/2011/01/08/kernel-pool-exploitation-on-windows-7/">see the slides</a> for details.<br />
The short version is as follows: Win7 has protections in the kernel pool, but these are not good enough. Several techniques were invented by Tarjei to bypass them, and two exploits for CVEs were shown.<br />
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3939">CVE-2010-3939</a> (MS10-098) - Used Quota process pointer to exploit<br />
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1893">CVE-2010-1893</a> (MS10-058) - Used Pool index overwrite to exploit<br />
If you like kernel exploits on Windows you really should check out Tarjei's slides and blog.<br />
<br />
<br />
<u><b>Sebastien Tricaud / Capture me if you can!</b></u><br />
Sebastien discussed handling incidents in large networks (country level). He talked about capture methods like PCAP, netfilter queue, DAQ and others, and about data processing techniques - how to find meaningful information in logs. He made a very convincing point on log "0day": by not collecting information, or collecting it incorrectly, you can lose important information.<br />
In my view, the most interesting news in the talk were:<br />
<ul><li>Using visualization to handle large data sets (not a new idea, I admit):</li>
<ul><li>Several interesting projects:</li>
<ul><li>Secviz - <a href="http://www.secviz.org/">http://www.secviz.org</a></li>
<li>Circos - <a href="http://mkweb.bcgsc.ca/circos/software/download/circos/">http://mkweb.bcgsc.ca/circos/software/download/circos/</a></li>
</ul></ul><li>Using GPGPU for accelerating log processing:</li>
<ul><li style="margin-bottom: 0pt; margin-top: 0pt; vertical-align: middle;">NetGPU - <a href="http://code.google.com/NetGPU"><span style="font-family: Calibri; font-size: 11pt;">http://Code.google.com/NetGPU</span></a></li>
</ul></ul><br />
<span style="font-family: Calibri; font-size: 11pt;">Well, I hope you enjoyed; Please leave a </span>comment. I will try to keep up in the next two days...<div class="blogger-post-footer">Please visit the blog www.diskin.org and let me know your opinions</div>Gal Diskinhttp://www.blogger.com/profile/07800877129438051009noreply@blogger.com0tag:blogger.com,1999:blog-2373759610279545986.post-48109296226221814332011-04-07T14:48:00.000+03:002011-04-07T14:50:50.507+03:00Hackito Ergo Sum 2011 - The first half dayThe first half day of HES 2011 is done. The first two talks were pretty cool, I'm gonna post some quick summaries:<br />
<br />
<u><b>Keynote - Eric Freyssinet / hacking investigations </b></u><br />
Eric manages a team in the Gendarmerie (one of the two French police forces) that focuses on internet investigations. He formerly worked in the forensic analysis team of the same organization. His team opens over 600 cases per year, mostly child porn, with most of the rest being fraud.<br />
Mentioned a trend of serious cyber-criminals using kids as "mules" to perform crimes. e.g. a 14 year old from an online hacker community was used as a mule to transfer money from hacked PayPal accounts to the criminal's accounts.<br />
He mentioned a bit about Anonymous and said they coordinated some of their attacks against Bank of America from French servers that his team had to take down. He also mentioned the recent espionage case against the French government, that the leads point to China, and that they're trying to work with Chinese authorities to find the sources.<br />
<br />
<u><b>Mate Soos / Breaking Industrial Ciphers at a Whim</b></u><br />
I really enjoyed this talk. Anybody that is security minded knows that you shouldn't invent your own crypto, especially not a closed-source one, because:<br />
A. it will be reverse engineered<br />
B. it will probably be broken<br />
Mate focused on HiTag2 which is a Philips cipher used for access control for cars, military bases, etc...<br />
He basically converts the problem to a <a href="http://en.wikipedia.org/wiki/Boolean_satisfiability_problem">SAT</a> problem in <a href="http://en.wikipedia.org/wiki/Conjunctive_normal_form">CNF</a> format and then feeds it to a SAT solver - really cool. He estimates it shouldn't take more than 48 hours to break a HiTag2 key from transaction data.<br />
Mate is one of the lead devs on the open source <a href="http://www.msoos.org/cryptominisat2">CryptoMiniSat</a> project that won SAT Race 10. He also had some cool visualizations I hope he will share on his <a href="http://www.msoos.org/">homepage</a>.<br />
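To make the "convert the cipher to CNF and hand it to a SAT solver" step concrete, here is an added example I wrote for this post; it is not Mate's code, not CryptoMiniSat, and the cipher is not HiTag2. It uses a hypothetical 8-bit filtered LFSR (assumed feedback s[i+8] = s[i] ^ s[i+3] ^ s[i+5], assumed filter z[i] = s[i] ^ (s[i+2] &amp; s[i+4])) so the whole thing fits on the page: each cipher step is Tseitin-encoded into clauses (XOR gates as their 8 parity clauses, AND gates as 3 clauses, each observed keystream bit as a constraint on the output), and a tiny DPLL solver stands in for the real solver. The same encoding, with 48 key variables and HiTag2's actual feedback and filter functions, is what you would feed to CryptoMiniSat; the key, keystream length and solver are constructed for the example.<br />

```python
from itertools import product

KEY_BITS = 8  # toy key size; HiTag2's key is 48 bits, the encoding idea is the same


def toy_keystream(key, n):
    """Hypothetical filtered LFSR (not HiTag2): feedback s[i+8] = s[i]^s[i+3]^s[i+5],
    output z[i] = s[i] ^ (s[i+2] & s[i+4]). Returns n keystream bits."""
    s = list(key)
    z = []
    for i in range(n):
        s.append(s[i] ^ s[i + 3] ^ s[i + 5])
        z.append(s[i] ^ (s[i + 2] & s[i + 4]))
    return z


def cipher_to_cnf(z):
    """Tseitin-encode len(z) cipher steps plus the observed keystream as CNF.
    Variables 1..8 are the key bits; state bit s[j] is variable j+1."""
    n = len(z)
    var = lambda j: j + 1
    tvar = lambda i: KEY_BITS + n + i + 1  # one fresh variable per AND gate
    clauses = []
    for i in range(n):
        x, a, b, c = var(KEY_BITS + i), var(i), var(i + 3), var(i + 5)
        # x = a ^ b ^ c: forbid each of the 8 assignments with odd parity
        for ta, tb, tc, tx in product((0, 1), repeat=4):
            if ta ^ tb ^ tc ^ tx:
                clauses.append([-a if ta else a, -b if tb else b,
                                -c if tc else c, -x if tx else x])
        t, p, q = tvar(i), var(i + 2), var(i + 4)
        clauses += [[-t, p], [-t, q], [t, -p, -q]]  # t = p & q
        s = var(i)
        if z[i]:
            clauses += [[s, t], [-s, -t]]   # s ^ t = 1  ->  s != t
        else:
            clauses += [[-s, t], [s, -t]]   # s ^ t = 0  ->  s == t
    return clauses


def _assign(clauses, lit):
    """Simplify clauses under lit=True; None signals an empty clause (conflict)."""
    out = []
    for clause in clauses:
        if lit in clause:
            continue
        if -lit in clause:
            clause = [other for other in clause if other != -lit]
            if not clause:
                return None
        out.append(clause)
    return out


def dpll(clauses, model):
    """Minimal DPLL: unit propagation, then branch on the lowest-numbered variable
    (so key bits are decided first). Returns a satisfying model dict or None."""
    while True:
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        clauses = _assign(clauses, unit)
        if clauses is None:
            return None
        model = {**model, abs(unit): unit > 0}
    if not clauses:
        return model
    v = min(abs(lit) for clause in clauses for lit in clause)
    for choice in (v, -v):
        reduced = _assign(clauses, choice)
        if reduced is not None:
            result = dpll(reduced, {**model, v: choice > 0})
            if result is not None:
                return result
    return None


def recover_key(z):
    """Recover a key consistent with the keystream; unconstrained bits default to 0."""
    model = dpll(cipher_to_cnf(z), {})
    if model is None:
        return None
    return [int(model.get(v, False)) for v in range(1, KEY_BITS + 1)]


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1, 0]      # constructed example key
    observed = toy_keystream(secret, 24)   # the "transaction data" an attacker records
    print("recovered:", recover_key(observed), "true:", secret)
```

With only 8 key bits a brute force is obviously faster; the point is that the CNF grows linearly in the number of cipher steps, not exponentially in the key size, which is exactly why the approach scales to a 48-bit key where enumeration does not.<br />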
<br />
<br />
<br />
I have high hopes for Itzik's talk about permanent denial of service in the afternoon<div class="blogger-post-footer">Please visit the blog www.diskin.org and let me know your opinions</div>Gal Diskinhttp://www.blogger.com/profile/07800877129438051009noreply@blogger.com0tag:blogger.com,1999:blog-2373759610279545986.post-38243906349582087822011-04-02T21:24:00.000+03:002011-04-02T21:24:50.926+03:00Instrumentation, Hackito Ergo Sum and this week in the newsWell, it's been a week so I guess it's time to post something.<br />
<br />
I haven't had a lot of time this week to do stuff I can write about in this blog because I was really busy @ work. In and of itself that is cool because being busy at work usually means I'm doing some cool hacking, but unfortunately I can't talk about my work here. <br />
<br />
<b><u>Binary Instrumentation for Hackers</u></b> <br />
In the limited free time I had I have been working on a presentation called <b><i>"Binary instrumentation for hackers"</i></b>, I hope to present it at <b><a href="http://wiki.dc9723.org/">DC9723</a> April meeting</b>, anybody coming? This presentation will probably become the base to a workshop proposal I plan on submitting to BlackHat USA 2011.<br />
I also plan to post some material on binary instrumentation here so stay tuned. If you use instrumentation for hacking / security purposes please leave a comment - I'm really interested to know what others do.<br />
<br />
<b><u>Hackito Ergo Sum 2011</u></b><br />
I'm going to attend HES 2011 (Apr 7-9). If you are going there let me know and I'll buy you a beer. This is a limited time offer to celebrate the start of this blog and I can afford about 10 beers so FCFS.<br />
If you are not there, stay tuned: the <a href="http://hackitoergosum.org/schedule/">schedule </a>(<a href="http://hackitoergosum.org/wp-content/uploads/2011/03/Hackito_Ergo_Sum_2011_Schedule1.pdf">PDF</a>) looks awesome and <b>I will try to post write-ups about the talks </b>right here<b>.</b><br />
<br />
<b><u>News stuff</u>:</b><br />
Well, I can talk about the <a href="http://blogs.rsa.com/rivner/anatomy-of-an-attack/">RSA APT</a> and whether or not it is an APT or about <a href="http://isc.sans.edu/diary.html?storyid=10642">LizaMoon</a> or the new SCADA attacks from <a href="http://www.gleg.net/">GLEG</a> (and also Tenable and VUPEN) and even about the funny false alarm about <a href="http://www.networkworld.com/newsletters/sec/2011/040411sec1.html">Samsung installing keyloggers </a>on their laptops but I don't have the patience so follow the links if you didn't already hear about all this stuff.<br />
I also saw an interesting post about <a href="http://nativassaf.blogspot.com/2011/03/cruisecontrol-reporting-attention.html">CRAP</a> in Assaf Nativ's Blog (home automation and fw/hw hacking). <br />
<br />
-- Gal<br />
<br />
p.s - feel free to comment with your opinions, requests, ideas how to improve this blog or just whatever<div class="blogger-post-footer">Please visit the blog www.diskin.org and let me know your opinions</div>Gal Diskinhttp://www.blogger.com/profile/07800877129438051009noreply@blogger.com1tag:blogger.com,1999:blog-2373759610279545986.post-4184926152063724622011-03-26T15:20:00.000+02:002011-03-26T15:20:12.419+02:00Hi EveryoneThis is my first time writing a blog. I'm also pretty new to the entire idea of sharing my personal hacking activities with others. What I'm trying to say is please don't hesitate to send me comments or advice - I will appreciate all inputs.<br />
<br />
I guess I should start by introducing myself - I work for <a href="http://security-center.intel.com/">Intel </a>as a security researcher leading a team doing security evaluation of various future products and technologies. I've been a private consultant in the past and also did some security work for the IDF during my duty service.<br />
I've been hacking since I got access to a computer at the age of 5 and I don't plan to stop. <br />
In my personal research I have been recently focusing on car systems and traffic management systems. I tend to diverge a lot so don't expect me to post only on these topics. I usually try to hack everything that falls into my hands (hence the blog name).<br />
<br />
And to introduce this blog, here is some stuff I think I will post about:<br />
<ul><li>security and hacking news</li>
<li>latest and greatest in my personal research e.g. using <a href="http://en.wikipedia.org/wiki/Radio_Data_System">RDS </a>to attack car radios and other car systems</li>
<li>just stuff I'm messing with recently, e.g. my favorite android ROM (I use <a href="http://www.cyanogenmod.com/">CM7</a>)</li>
<li>my thoughts on computer security and hacking</li>
<li>analysis of vulns, e.g. exploitation of the recent flash 0-day</li>
<li>security tool reviews </li>
<li>reports on conferences I go to, e.g. I will be at <a href="http://hackitoergosum.org/">HES 2011</a> soon</li>
<li>websites & blogs I like, e.g. <a href="http://travisgoodspeed.blogspot.com/">Travis Goodspeed's blog</a></li>
<li>I may also foray into "<a href="http://www.makezine.com/">maker</a>" territory from time to time</li>
</ul>Well, I guess that's enough for the introduction.<br />
<br />
-- Gal<div class="blogger-post-footer">Please visit the blog www.diskin.org and let me know your opinions</div>Gal Diskinhttp://www.blogger.com/profile/07800877129438051009noreply@blogger.com1