VeraData data loss prevention.

Insider threats are something that enterprises face daily. Whether it’s a disgruntled employee or one who’s been fired recently; a large percentage of data leakage has been attributed to insider thefts. Usually there’s not much that anyone could have done about it. Most of the data leakage occurs through USB or some other storage medium or sometimes, email. This is where data loss prevention programs come into play. Data loss prevention is the field of preventing secure data from leaving a site. It utilizes various technologies such as network monitoring, end point policing and others to ensure that the data that does leave is not ones that are marked as confidential or important to the business. However most of the current data loss prevention solutions that exist does not take into account slight modifications that occur on the target files. Another thing that is common in the security industry is to use software to implement data loss prevention. Although software based data loss prevention has its merits, software that’s not on a dedicated system run the risk of being influenced by malware or other malicious causes. All these reasons contributed to the research of a new data loss prevention system at Icarus Labs.

VeraData is the latest offering from IcarusLabs. It allows you to control your data and its movements. It uses single board computers such as the Raspberry Pi as it’s operating hardware. Before it begins, a list of confidential data is selected by a trusted employee using the VeraData control panel. VeraData then creates fuzzy hashes of all the files listed as confidential. These hashes are then stored at all the endpoints at which the VD devices are deployed. When a USB storage device is brought for scanning, VeraData software scans the entire contents of the device and then creates fuzzy hashes for each of them. The hashes are then compared against listed confidential files. If the similarity percentage is above a certain threshold, an alert is triggered. The main reason that we chose to use fuzzy hashes over normal hashes is that this allows VeraData to not only recognize documents in their original form but also ones that have been edited slightly. The amount of change to be detected can be set at the control panel.

By using embedded platforms as well as fuzzy hashing, VeraData improves on existing data loss prevention software by a large amount. Another important feature is it’s cost effectiveness. The entire package can be setup and initialized at a fraction of the cost of current implementations.

For more details contact: founder@cysecurity.org

Arduino and Microwave Sensor

A while back we wrote about the microwave sensor (http://icaruslabs.cysecurity.org/microwave-motion-detection-system). A PoC is ready for demonstration. Once again we are using an Arduino board for this project. For use in the field we will be using a standalone AVR or maybe a Parallax Propeller board. The microwave sensor outputs the data through a single pin. The frequency of the signal being output changes in proportion to the speed it is detecting. The arduino reads the output through findFrequency function. Since the frequency varies along with the speed of movement, findFrequency returns a value that is directly proportional to the speed of the object’s motion that it is detecting. As you can see in the schematic below, we’ve attached 3 LEDs to measure the speed. If no motion is detected, none of the LEDs will light up. If some motion is detected, the first led will light up. If there is a somewhat faster motion, two of the LEDs will simultaneously light up and if there is a very fast motion, all three will light up.

microwave motion

What differentiates this setup from normal motion detectors is the fact that it is capable of penetrating solid objects such as walls and doors. It could be of immense importance during situations where a direct line of sight is impossible or just not viable such as disaster or high risk areas.

working prototype

Here is the Arduino code that we used:

int pin= 7;
int led1= 8;
int led2= 9;
int led3=10;
unsigned long time;
void setup()
{
  Serial.begin(9600);
  pinMode(pin, INPUT);
  pinMode(led1,OUTPUT);
  pinMode(led2,OUTPUT);
  pinMode(led3,OUTPUT);
}

void loop()
{
  int out= findFrequency(pin);
  Serial.print(out);
  Serial.print("\n");
 if(out==-1)
 {
digitalWrite(led1,LOW);
digitalWrite(led2,LOW);
digitalWrite(led3,LOW);
delay(100);
 } 
else if(out<30)
 {
digitalWrite(led1,HIGH);
digitalWrite(led2,LOW);
digitalWrite(led3,LOW);
delay(100);
 }
 else if(out<90)
 {
digitalWrite(led1,HIGH);
digitalWrite(led2,HIGH);
digitalWrite(led3,LOW);
delay(100);
 }
 else if(out<2000)
 {
digitalWrite(led1,HIGH);
digitalWrite(led2,HIGH);
digitalWrite(led3,HIGH);
delay(100);
 }

}
 long findFrequency(int pin) {
  long freq = 0;
  freq= 500000/pulseIn(pin, HIGH, 250000);
  return freq;
}

InfraRed replay attacks.

Infrared communication has been around since at least since the late 90s. Right now it exists in a variety of devices including but not limited to cell phones, TV remotes and traffic light displays. Most of the IR communication that takes place currently does so in the remote control rather than in the data transfer field. So basically IR use boils down to TV or laptop remotes. Unlike car keyfobs which use rolling codes so that replay attacks cannot happen, infrared remotes do not have any inbuilt protection mechanism. It is very trivial to build a replay device which will capture the data and then retransmit it whenever we choose to. For the purpose of demonstrating this we’ll use an Arduino Uno along with a TSOP382 IR receiver and an IR led. We’ll use Ken Shirriff’s IR library to replay the IR signals.

The process however is not as straightforward as it seems. IR actually has a number of protocols that differ from each other vastly. The main protocols are Sony, NEC, Philips RC5 and RC-6 and some other less well known protocols. Ken’s code takes care of the different cases associated with all these protocols too.

The wiring diagram is given below as well as some pictures to better understand the wiring. Point the remote that you want recorded at the receiver and press any key. This will lead to the Arduino recording the signal. Later, when you want to replay the signal just press the button on the bread board.

IR Recorder Diagram

Although this might seem like a novelty hack, it actually has some serious implications. Other than the usual TV monitors, some security monitors and CCTV cameras also have IR ports which can lead them to being turned off using this device. All the attacker needs to do is to get close enough to record the poweroff signal once.

* Version 0.11 September, 2009
 * Copyright 2009 Ken Shirriff
 * http://arcfn.com
 */

#include 

int RECV_PIN = 11;
int BUTTON_PIN = 12;
int STATUS_PIN = 13;

IRrecv irrecv(RECV_PIN);
IRsend irsend;

decode_results results;

void setup()
{
  Serial.begin(9600);
  irrecv.enableIRIn(); // Start the receiver
  pinMode(BUTTON_PIN, INPUT);
  pinMode(STATUS_PIN, OUTPUT);
}

// Storage for the recorded code
int codeType = -1; // The type of code
unsigned long codeValue; // The code value if not raw
unsigned int rawCodes[RAWBUF]; // The durations if raw
int codeLen; // The length of the code
int toggle = 0; // The RC5/6 toggle state

// Stores the code for later playback
// Most of this code is just logging
void storeCode(decode_results *results) {
  codeType = results->decode_type;
  int count = results->rawlen;
  if (codeType == UNKNOWN) {
    Serial.println("Received unknown code, saving as raw");
    codeLen = results->rawlen - 1;
    // To store raw codes:
    // Drop first value (gap)
    // Convert from ticks to microseconds
    // Tweak marks shorter, and spaces longer to cancel out IR receiver distortion
    for (int i = 1; i <= codeLen; i++) {       if (i % 2) {         // Mark         rawCodes[i - 1] = results->rawbuf[i]*USECPERTICK - MARK_EXCESS;
        Serial.print(" m");
      } 
      else {
        // Space
        rawCodes[i - 1] = results->rawbuf[i]*USECPERTICK + MARK_EXCESS;
        Serial.print(" s");
      }
      Serial.print(rawCodes[i - 1], DEC);
    }
    Serial.println("");
  }
  else {
    if (codeType == NEC) {
      Serial.print("Received NEC: ");
      if (results->value == REPEAT) {
        // Don't record a NEC repeat value as that's useless.
        Serial.println("repeat; ignoring.");
        return;
      }
    } 
    else if (codeType == SONY) {
      Serial.print("Received SONY: ");
    } 
    else if (codeType == RC5) {
      Serial.print("Received RC5: ");
    } 
    else if (codeType == RC6) {
      Serial.print("Received RC6: ");
    } 
    else {
      Serial.print("Unexpected codeType ");
      Serial.print(codeType, DEC);
      Serial.println("");
    }
    Serial.println(results->value, HEX);
    codeValue = results->value;
    codeLen = results->bits;
  }
}

void sendCode(int repeat) {
  if (codeType == NEC) {
    if (repeat) {
      irsend.sendNEC(REPEAT, codeLen);
      Serial.println("Sent NEC repeat");
    } 
    else {
      irsend.sendNEC(codeValue, codeLen);
      Serial.print("Sent NEC ");
      Serial.println(codeValue, HEX);
    }
  } 
  else if (codeType == SONY) {
    irsend.sendSony(codeValue, codeLen);
    Serial.print("Sent Sony ");
    Serial.println(codeValue, HEX);
  } 
  else if (codeType == RC5 || codeType == RC6) {
    if (!repeat) {
      // Flip the toggle bit for a new button press
      toggle = 1 - toggle;
    }
    // Put the toggle bit into the code to send
    codeValue = codeValue & ~(1 << (codeLen - 1));
    codeValue = codeValue | (toggle << (codeLen - 1));
    if (codeType == RC5) {
      Serial.print("Sent RC5 ");
      Serial.println(codeValue, HEX);
      irsend.sendRC5(codeValue, codeLen);
    } 
    else {
      irsend.sendRC6(codeValue, codeLen);
      Serial.print("Sent RC6 ");
      Serial.println(codeValue, HEX);
    }
  } 
  else if (codeType == UNKNOWN /* i.e. raw */) {
    // Assume 38 KHz
    irsend.sendRaw(rawCodes, codeLen, 38);
    Serial.println("Sent raw");
  }
}

int lastButtonState;

void loop() {
  // If button pressed, send the code.
  int buttonState = digitalRead(BUTTON_PIN);
  if (lastButtonState == HIGH && buttonState == LOW) {
    Serial.println("Released");
    irrecv.enableIRIn(); // Re-enable receiver
  }

  if (buttonState) {
    Serial.println("Pressed, sending");
    digitalWrite(STATUS_PIN, HIGH);
    sendCode(lastButtonState == buttonState);
    digitalWrite(STATUS_PIN, LOW);
    delay(50); // Wait a bit between retransmissions
  } 
  else if (irrecv.decode(&results)) {
    digitalWrite(STATUS_PIN, HIGH);
    storeCode(&results);
    irrecv.resume(); // resume receiver
    digitalWrite(STATUS_PIN, LOW);
  }
  lastButtonState = buttonState;
}

Microwave motion detection system

Motion detection systems are nothing new. There are a lot of sensors and products out there that will allow the detection of movement. Unfortunately most of these products need a line of sight to work. However microwave sensors that work in the 10 Ghz frequency are now available in the market that can sense movements even behind walls or other obstructions. Currently Icarus Labs is working on an implementation of the sensor for tactical and rescue scenarios. An integrated solution is being built that will have the sensor, a battery pack,a radio, an output display and a microcontroller for controlling all of the above. For prototyping purposes, an AVR microcontroller is being used. One of the scenarios in which we hope the system will be useful is in rescue operations.
Firefighters or other rescuers can use the sensor to detect if there is movement below the rubble.
Another use case is tactical situations in which law enforcement officials need to know if there is anybody on the opposite side of a wall or door. The small form factor along with the radio ensures that this can even be operated remotely. As of now, a working prototype has been made and is being tested out against a variety of environments. A simple version can be built for as low as Rs.5000.

Nmap Static File Fingerprinter

Nmap is one of the most indispensable tools in a network engineers analyst toolkit. Whether it is to fingerprint an OS or check for signs of infection, Nmap has plugins or scan modes that’ll help you. The most interesting part about Nmap is its scripting engine. The NSE or Nmap Scripting Engine allows you to create scripts in Lua which are able to access the scan results of Nmap and act on it. It allows you to create customized scripts that do everything from crawling web applications to checking for Conficker infections.

I’ve been working on a script that would enumerate web applications using hashes. Currently the http-enum library recognizes web applications by grepping the entire page, which is resource intensive and prone to false positives. This script stores the hashes of static files in web applications in a separate file. When the script is executed with a resource parameter which contains the file to check for, the file is obtained from the server, hashed and the hash is compared to the list. This allows you recognize web applications based on their files.

Code: https://gist.github.com/Sp3ctr3/5786362

Database file:https://gist.github.com/Sp3ctr3/5788511

Put the static file in nselib/data folder

It’ll be better to install the latest nmap version from svn since it’ll have the latest version of NSE too.  Run:
svn co https://svn.nmap.org/nmap
./configure
make
make install

Copy staticfile.db to /usr/share/nmap/nselib/data and the http-staticfile.nse to /usr/share/nmap/scripts

To scan the changelog file of a web application located at /changelog.txt use nmap as follows:
nmap --script http-staticfile --script-args=resource=/changelog.txt target_ip

This will scan the web applications changelog.txt file and return an entry if it’s found in the hash list.

 

Raspberry Pi Malware Scanner

USB devices are the bane of security conscious personnel in corporate environments. No matter how secure the network perimeter is, the moment an unwitting person brings in a USB storage device containing a malware, the entire system will be compromised. This is how malware such as Flame and Stuxnet spread.
IcarusLabs, Cyber Security & Privacy Foundation have created a program that would turn the Raspberry Pi, a small computer running Linux, into a handheld malware scanner. A person can plug in a USB that is to be scanned into the device. The Pi will scan all the files in the device and check the signatures of 44 different antivirus providers to see if the file is malicious or not. This is done by obtaining a unique value associated with every file, called an MD5 hash, for each file and then submitting it to a server for processing. The server will see if the file is present in its malware database and respond accordingly.
The red LED lights up when a malware is detected in the USB
As a device this has many uses. In certain corporate environments, USB devices are not allowed because they would contain malware. This device can be deployed at entrypoints where it will be used to scan the USBs that are allowed in. This will prevent malicious software from getting in. The program is also made in such a way that once it is started, no further maintenance would be necessary. Even non technically oriented personnel like security guards can use it.
Currently it has been developed as a proof of concept. If any organisation would like to know more, all communications should go through  founder@cysecurity.org .

PyTriage

I’ve been reading the Malware Analyst’s Cookbook for the past few days and I got inspired by the programming recipes shown in the book to create an integrated malware analysis framework. I’ve created a bare bone version of it and I intend to add more functionality to it. My intention was to create a program that would allow an analyst to obtain all the information about a file on one screen instead of using multiple tools and pooling the data. As of now only static analysis and signature generation for Yara and ClamAV is implemented. I hope to add dynamic analysis and some disassembly functionality later on.

You can get PyTriage from:

https://github.com/Sp3ctr3/PyTriage

There are some dependencies that you will need to satisfy first: Simplejson, magic and pefile.

For simplejson refer to my earlier post. For python magic
sudo apt-get install python-magic

and pefile can be obtained by:
sudo pip install pefile

Once you have the requirements for the script satisfied, you might need to install clamAV and Yara for trying out the signatures that are automatically generated by the application:
sudo apt-get install clamav

Yara can be downloaded from https://code.google.com/p/yara-project/.

The program has a curses GUI and can be launched by typing:
python pytriage.py

The initial screen that you get should look something like this:

pytriage1
Each of the red letters are hotkeys. We have to choose a file first, so we press F:

pytriage2

and then O.

pytriage3

 

A listing of the files in the current folder will appear. Type the number of the file that you want to analyse and press Enter.

pytriage4

To see a basic overview of the files properties press I. The info tab will open up:

pytriage5

 

As you can see, it has important information like the MD5 and SHA1 hashes of the file, what all sections are there in the PE alongside their hashes and their sizes and the type of file present.

To see the imported DLLs as well as the exported function can be seen by pressing A. This switches over to Advanced tab showing:

pytriage6

The program has functionality that allows you to upload the hashes of the file to VirusTotal and check if it’s malicious. To use this, press S. The script will switch to the Submit tab. You have to wait a few seconds as it is querying the database of VirusTotal. Since I was using the Stuxnet sample, the following will be the result.

pytriage7

Now that we know that file is malicious, we can generate signatures for it in the Generate tab. Press G:

pytriage8

PyTriage will allow you to generate signatures for Yara and ClamAV. To generate for Yara, press Y or for ClamAV press C.

The Clam signature will be written to clam.hdb and Yara signature to sig.yara.

 

Yashin Mehaboobe

 

VirusTotal Scanner

Malware analysis is a very exciting but long task. Sometimes instead of reinventing the wheel, you need to just check if the binary you’re analyzing has already been detected and analyzed by the major AntiVirus companies. There are various sites that allow you to submit binaries and check them against a large list of AV databases. I’ve written a short script here that’ll allow you to automate the process.

https://gist.github.com/Sp3ctr3/5689969

import sys
try:
 from termcolor import colored,cprint
except:
 print "[*]Please install termcolor[*]"
 sys.exit()
try:
 import simplejson
except:
 print "[*]Please install simplejson library[*]"
import urllib
import urllib2
import hashlib
import os
def check(rsc,file):
    parameters= {"resource":rsc,"apikey":"VIRUS_TOTAL_KEY"}  
    data = urllib.urlencode(parameters)
    req = urllib2.Request(url,data)
    response = urllib2.urlopen(req)
    try:
     dt=simplejson.load(response)
    except:
     cprint(file+": Server Error","yellow")
     return
    if dt and dt.get('positives'):
     cprint("%s INFECTED Detections:%d AV "%(file,dt.get('positives')),'red')
     dt=""
    else:
     cprint("%s CLEAN"%(file),'green')
if len(sys.argv) is not 3:
 print "Usage:\n"+sys.argv[0]+" OPTIONS"
 print "OPTIONS:\n -f file_name\n -d directory_name"
 sys.exit()
url= "https://www.virustotal.com/vtapi/v2/file/report"
if sys.argv[1]=="-d":
 path=sys.argv[2]
 for (path, dirs, files) in os.walk(path):
  for file in files:
     f = open(os.path.join(path,file),'rb')
     filehash = hashlib.md5()
     response=None
     while True:
         data = f.read(10240)
         if len(data) == 0:
             break
         filehash.update(data)
     rsc=filehash.hexdigest()
   # print rsc
     check(rsc,file)
if sys.argv[1]=="-f":
 f=open(sys.argv[2])
 filehash=hashlib.md5()
 while True:
   data = f.read(10240)
   if len(data) == 0:
    break
   filehash.update(data)
 rsc=filehash.hexdigest()
 check(rsc,sys.argv[2])

This python script will scan the directories or a specific file that you specify and will upload the MD5 to the VirusTotal servers for checking. It’ll return information on whether the file is infected and if it is, how many AVs recognize it.

Please note that you need to have termcolor and simplejson installed on your system. This can be installed via pip:

First install pip:

sudo apt-get install pip

Then install termcolor and simplejson modules via pip:

sudo pip install termcolor simplejson

For Windows user prepackaged binaries are available at:

http://www.lfd.uci.edu/~gohlke/pythonlibs/

 

After you have installed both, you’ll need to apply for an API key from VirusTotal. It’s free and instantly available at www.virustotal.com . Once you get it paste it in the script in the VIRUS_TOTAL_KEY. Now you’re script is ready for scanning.

To scan a file run:

python avcheck.py -f FILE_NAME

To scan a directory:

python avcheck.py -d FOLDER_NAME

Detections will be displayed in red. Please note that the public API limits requests to 4 requests per minute. If you need more, contact VirusTotal for a private API.

A quick demonstration:

I’m downloading a few malware samples to show you that the script works. I get the Duqu and Stuxnet samples from http://openmalware.org/ and eicar.com malware test file from www.eicar.org/download/eicar.com.txt .

I put them all in a folder named malcode along with a file containing the string “benign” as a test case and ran:
python avcheck.py -d malcode/

Note that the EICAR file shows detection across all AVs.

Note that the EICAR file shows detection across all AVs.

 

Yashin Mehaboobe

ATM Security

Here in India, everyone has an ATM card. But most are not aware of the security that is being implemented in these cards and so is often scammed out of money. Card skimmers or carders as they are known in the hacker community are purely motivated by money and will stop at nothing to get yours. The technological sophistication of similar criminals range from the local ruffian who will snatch your wallet and extort the pin out of you to the techno-crooks who will fit skimming machines to the Point of Sale devices in most retail shops. Let’s first go over what protections,if any, your ATM card offers against such attackers. Your account data is stored in your ATM card along with a PIN verification number. Most banks in India today store this in the form of magnetic stripes. These are the black stripes you see along the top end of the back side of your card. If the PIN you enter does not match the one indirectly stored on the card, then the transaction won’t go through. Once the ATM makes sure the PIN and the card matches, it usually contacts the Bank via a dial up connection. It then goes through with the transaction if the account has sufficient balance. Some banks issue a card with electronic chip technology to further improve the security.

Seems like a pretty secure mechanism overall doesn’t it?
Unfortunately no.
There are various ways in which the carders can get money from you and in some cases just “jackpot” the entire ATM.
Most successful cases of ATM fraud comes from skimming machines. These are little devices attached to the ATMs as unobtrusively as possible. The thing about magnetic stripes on the back of the ATM cards is that the data can be read off these using openly available machines. From there it’s a short jump to creating readers that will fit over the ATM card receptacle. The look of the skimming machine will vary from case to case. The advent of 3d printers have made it very simple to create look alikes. But in most cases these will be flimsy and fitted loosely to the original machine. Here are a few pictures courtesy of  www.krebsonsecurity.com:
ATM skimmer removed.
Pin Hole Camera in an ATM skimmer

These machines will grab Track 1 and Track 2 information off a magnetic stripe. These are the information that identifies a card and contains the PIN verification key. To get the PIN most skimmers usually use either a pin hole camera or an overlay keypad. The camera will record the PIN visually and

is pretty easy to foil. Just cover the PIN pad with your hands as you type it in. The second is more advanced and requires careful examination to detect. Once the crooks have your magnetic stripe data as well as your PIN, your account is at their mercy. Also be wary of the classic shoulder surfing attack. So how do we detect and prevent such attacks?
  • Always use ATMs you are familiar with.
  • Check the ATM for any signs of tampering.
  • See if there is anything flimsy over  the receptacle.
  • Cover the keypad with your hands as you type in the password.
  • Do not accept help from anyone while conducting a transaction.
  • Be wary of anyone attempting to glance at the keypad while you type in the PIN.
  • Keep an eye on your bill statements to check for any missing funds.

Of course, such attacks are not limited to ATMs. They are also used in POS or Point of Sale devices. The information gathered from all such devices are either stored on onboard memory or sent via wireless connection to nearby receivers. There are even cases of  waiters being paid by criminal organisations to steal credit card data from the diners. So what about these electronic chip ATM cards that are supposed to be pretty secure. The electronic chip itself is very secure. Data can’t be read off it easily. But most cards with chips also have a magnetic strip that is there for backward compatibility. The only thing a skimmer has to do is obtain the track data from the magnetic card, copy it to a similar card and break the chip in the card. When the system can’t process the chip, it will automatically revert to the stripe information. Also there are only a few banks that give out cards containing electronic chips.

There have also been widely publicized reports of merchants storing track data along with PINs that allowed criminals to break into the computers and steal enough information to clone their customers ATM/Debit Cards.
These carders use this stolen track data plus PIN numbers to clear out your bank account or in some cases sell them to the highest bidder. There are various forums and chat rooms dedicated to this form of activity. It is indeed a very lucrative field for criminals.
There have also been reports of ATM cards being trapped inside the machine by another class of malicious devices called trappers. These will trap the ATM card inside the machine, allowing people to steal the card physically. Here’s a picture of trapping device:
Trapper
Removed trapper
Coming to the other side, there are various ways crooks can outright rob an ATM. Most are attacks showcased at DEFCON or BlackHat which are security conferences for hackers. The most alarming one would most probably be the one by Barnaby Jack. He demonstrated a way to make an ATM literally spit out money using a key and a USB! He also discovered that he could find the ATMs that were connected to the Internet, hack them using a tool he wrote (“Dillinger”) and make it issue money endlessly. Brian Krebs reported about a person arrested for successfully hacking into an ATM machine using nothing more than a USB keyboard connected to the port uncovered by removing a camera.
There is also another unconventional attack on ATMs. In a Defcon presentation by Andrea Barisani, it was shown that it is possible to capture keyboard input by plugging specialized instruments in to a power plug in the same building. He pointed out that the PIN pads used in most ATMs are actually just keyboards and so can be monitored in this fashion.
It is also becoming quite common to see projects on freelancer.com asking for custom made banking trojans designed to work on ATMs.
These incidents demonstrate that ATM skimming, like any other crime, is evolving and if we don’t catch up with it we might soon wake up one day without a single penny to our name.
Here are a few links that might help you be prepared against such high tech crimes:
  • www.krebsonsecurity.com (Might be down currently. Due to the nature of his work Kreb’s website is constantly under attack by carders).
  • http://usa.visa.com/personal/security/learn-the-facts/protection-tips/atms-and-retail-store-protection.html
  • http://www.visa.co.in/personal/atm/security.shtml
  • http://www.mastercard.us/atm-safety-tips.html


Yashin Mehaboobe
Security Researcher
CSPF