Archive for November, 2009
Quickpost: SelectMyParent or Playing With the Windows Process Tree
November 27th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
I read something very interesting in “Windows via C/C++” today: starting with Windows Vista, CreateProcess can start a program where you specify the parent process! This is something forensic investigators must be aware of when they analyse processes running on a Windows machine.
Normally the parent process of a new process is the process that created the new process (via CreateProcess). But when using STARTUPINFOEX with the right LPPROC_THREAD_ATTRIBUTE_LIST to create a process, you can arbitrarily specify the parent process, provided you have the rights (i.e. it’s your process or you have debug rights).
I developed a small tool to start a program while specifying its parent process: SelectMyParent. Here I use it to start notepad as a child of lsass.exe:
2 remarks about this example:
- to make lsass.exe a parent process, you need to use SelectMyParent with admin rights and elevate its rights (Run as administrator)
- the notepad process takes over the parent process’ account: NT AUTHORITY\SYSTEM
I don’t know how one can detect that a process’ parent is not the process that created it, because a process has no access to its extended startup info (only to its startup info). And it is the extended startup info that contains the attribute list with the handle to the parent process.
SelectMyParent version 0.0.0.1 is available here.
Explo.it – The Day After
November 19th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
The Exploit Database is up and running…survived day 1 . On a last moment fluke, we registered the domain explo.it, which is now also up and running.
We’ve improved the search functions on the site, and imported the “papers” and “shellcode” sections from Milw0rm. We’ve been getting our first submissions and are processing them almost in [...]
20 Linux Server Hardening Security Tips
November 4th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
Securing your Linux server is important to protect your data, intellectual property, and time, from the hands of crackers (hackers). The system administrator is responsible for securing the Linux box. In this first part of a Linux server security series, I will provide 20 hardening tips for a default installation of a Linux system.
Copyright © nixCraft. All Rights Reserved.
TV coverage of online banking card-reader vulnerabilities
November 4th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
This evening (Monday 26th October 2009, at 19:30 UTC), BBC Inside Out will show Saar Drimer and me demonstrating how the use of smart card readers, being issued in the UK to authenticate online banking transactions, can be circumvented. The programme will be broadcast on BBC One, but only in the East of England and Cambridgeshire; however, it should also be available on iPlayer.
In this programme, we demonstrate how a tampered Chip & PIN terminal could collect an authentication code for Barclays online banking, while a customer thinks they are buying a sandwich. The criminal could then, at their leisure, use this code and the customer’s membership number to fraudulently transfer up to £10,000.
Similar attacks are possible against all other banks which use the card readers (known as CAP devices) for online banking. We think that this type of scenario is particularly practical in targeted attacks, and circumvents any anti-malware protection, but criminals have already been seen using banking trojans to attack CAP on a wide scale.
Further information can be found on the BBC online feature, and our research summary. We have also published an academic paper on the topic, which was presented at Financial Cryptography 2009.
Update (2009-10-27): The full programme is now on BBC iPlayer for the next 6 days, and the segment can also be found on YouTube.

Security psychology
November 4th, 2009. Published under My Recent Reads. No Comments.
pulled from Google Reader (click on title for original post)
I have put together a web page on psychology and security. There is a fascinating interplay between these two subjects, and their intersection is now emerging as a new research discipline, encompassing deception, risk perception, security usability and a number of other important topics. I hope that the new web page will be as useful in spreading the word as my security economics page has been in that field.
