Roy Firestein

Security Feeds

Archive for January, 2010

Israeli Robots Remake Battlefield

January 12th, 2010. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Sixty years of near-constant war, a low tolerance for enduring casualties in conflict, and its high-tech industry have made Israel one of the world’s leading innovators of military robotics. Israel is developing an army of robotic fighting machines that offers a window onto the potential future of warfare.

OISF Releases Suricata Engine!

January 4th, 2010. Published under My Recent Reads. No Comments.

Full Announcement here: 
http://www.openinfosecfoundation.org/
NOTE: OISF has been Slashdotted, may be slow to respond. You may have been redirected here to handle the load. Please try OISF again in a few hours!
It’s been about three years in the making, but the day has finally come! We have the first release of the Suricata Engine! The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.
The Suricata Engine and the HTP Library are available to use under the GPLv2. 
The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.  
This is considered a Beta Release as we are seeking feedback from the community. This release has many of the major new features we wanted to add to the industry, but certainly not all. We intend to get this base engine out and stable, and then continue to add new features. We expect several new releases in the month of January culminating in a production quality release shortly thereafter.
The engine and the HTP Library are available here: 
http://www.openinfosecfoundation.org/index.php/download-suricata
Please join the oisf-users mailing list to discuss and share feedback. The developers will be there ready to help you test.
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
As this is a first release we don’t really have a “what’s New” section because everything is new. But we do have a number of new ideas and new concepts to Intrusion Detection to note. Some of those are listed below:
 
Multi-Threading
Amazing that multi-threading is new to IDS, but it is, and we’ve got it!
 
Automatic Protocol Detection
The engine not only has keywords for IP, TCP, UDP and ICMP, but also has HTTP, TLS, FTP and SMB! A user can now write a rule to detect a match within an HTTP stream for example regardless of the port the stream occurs on. This is going to revolutionize malware detection and control. Detections for more layer 7 protocols are on the way.
 
Gzip Decompression
The HTP Parser will decode Gzip compressed streams, allowing much more detailed matching within the engine.
 
Independent HTP Library
The HTP Parser will be of great use to many other applications such as proxies, filters, etc. The parser is available as a library also under GPLv2 for easy integration into other tools.
 
Standard Input Methods
You can use NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support coming shortly.
 
Unified2 Output
You can use your standard output tools and methods with the new engine, 100% compatible! 
 
Flow Variables
It’s possible to capture information out of a stream and save that in a variable which can then be matched again later. 
 
Fast IP Matching
The engine will automatically take rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats) and put them into a special fast matching preprocessor. 
 
HTTP Log Module 
All HTTP requests can be automatically output into an apache-style log format file. Very useful for monitoring and logging activity completely independent of rulesets and matching. Should you need to do so you could use the engine only as an HTTP logging sniffer.
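
The three rule-facing features above (automatic protocol detection, flow variables, fast IP matching) written out as rules, as an added example that is not part of the OISF announcement. It assumes the Snort-style rule syntax Suricata uses and the `http_header`, `http_method`, `http_uri` and `flowbits` keywords; the User-Agent string, the URI, the address list and the sids are constructed placeholders, not real indicators.

```suricata
# Added example rules, not from the OISF announcement. The User-Agent string,
# URI, addresses and sids below are constructed placeholders.

# 1. Automatic protocol detection: the "http" protocol field makes the rule
#    match HTTP traffic on whatever port it is seen, not only port 80.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE HTTP request with constructed User-Agent on any port"; content:"User-Agent|3a| ExampleBadAgent/1.0"; http_header; nocase; classtype:trojan-activity; sid:9000001; rev:1;)

# 2. Flow variables: the first rule only records that a POST to /upload was
#    seen in this flow (no alert); the second alerts when the server later
#    answers with a 500 in the same flow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE set flowbit on POST to /upload"; flow:established,to_server; content:"POST"; http_method; content:"/upload"; http_uri; flowbits:set,example.upload_seen; flowbits:noalert; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE server error after upload in same flow"; flow:established,to_client; flowbits:isset,example.upload_seen; content:"HTTP/1.1 500"; depth:12; classtype:misc-activity; sid:9000003; rev:1;)

# 3. Fast IP matching: a rule with only address/protocol terms and no payload
#    keywords is an "IP only" rule and is handled by the fast IP matcher.
#    The list uses documentation address ranges as a constructed block list.
alert ip [192.0.2.10,198.51.100.0/24] any -> $HOME_NET any (msg:"EXAMPLE traffic from constructed reputation list"; classtype:misc-activity; sid:9000004; rev:1;)
```

Rule 3 deliberately has no `flow` or `content` keyword: adding either turns it into a normal rule and it leaves the fast path. Rule 2's `flowbits:noalert` keeps the set-only rule quiet, so only the correlated second rule produces an event.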
 

Coming Very Soon: (Within a few weeks)

Global Flow Variables
The ability to store more information from a stream or match (actual data, not just setting a bit), and storing that information for a period of time. This will make comparing values across many streams and time possible.
 
Graphics Card Acceleration
Using CUDA and OpenCL we will be able to make use of the massive processing power of even old graphics cards to accelerate your IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance. 
 
IP Reputation
Hard to summarize in a sentence, but Reputation will allow sensors and organizations to share intelligence and eliminate many false positives.
 
Windows Binaries
As soon as we have a reasonably stable body of code. 
 
The list could go on and on. Please take a few minutes to download the engine and try it out and let us know what you think. We’re not comfortable calling it production ready at the moment until we get your feedback, and we have a few features to complete. We really need your feedback and input. We intend to put out a series of small releases in the two to three weeks to come, and then a production ready major release shortly thereafter. Phase two of our development plan will then begin where we go after some major new features such as IP Reputation shortly.
http://www.openinfosecfoundation.org

UPDATE: Xplico 0.5.4!

January 4th, 2010. Published under My Recent Reads. No Comments.

Xplico is just amazing! We wrote about it in our blog post. Some days ago, Xplico version 0.5.4 was released.

The goal of Xplico is to extract from an Internet traffic capture the application data it contains.
For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).
Xplico is released under the GNU General Public License.

There are many major updates. The updates include:

  • Facebook web chat dissector
  • New XI based on CakePHP 1.2.5
  • New representation of images
  • For each image you can see (with the proxy enabled) the page where the image is contained
  • WLAN and LLC basic dissectors
  • HTTP dissector Improvements

Download Xplico version 0.5.4 here.

Relay attack featured on Dutch TV

January 4th, 2010. Published under My Recent Reads. No Comments.

Yesterday, the Dutch TV programme “Goudzoekers” featured Saar Drimer and me demonstrating a relay attack against the recently introduced Chip and PIN system in The Netherlands. The video can be found online, in both Windows Media or Silverlight formats as well as Flash below. The production team have published a synopsis (translated version) on their blog, and today there have been some follow-ups in the press, for example De Telegraaf (translated version).

The Dutch card we used in the demonstration had a number of extra security features, compared to UK cards:

  • Dynamic data authentication (DDA): Static data authentication (SDA) cards common in the UK, can have their chip cloned and used in offline transactions. DDA resists this vulnerability, at the cost of making cards slightly more expensive.
  • Encrypted PIN: With UK cards, the PIN entered by the customer is unencrypted as it is sent to the card, leaving it open to being eavesdropped by a tampered terminal. The encrypted PIN feature prevents some types of terminal tampering attacks.
  • iCVV: Until recently, UK cards contained a full copy of the magnetic strip on the chip, which meant that someone eavesdropping on communications could create a cloned magnetic strip card. The Dutch card contained some of the magnetic strip details on the chip, but not all of it (a feature known as iCVV).

However, despite these enhancements the relay attack still works, just as it did in our previous demonstration for BBC Watchdog in 2007. This demonstrates that one of the common misconceptions about the relay attack — that DDA cards will prevent it — is not true. The only feasible defence is distance bounding, which we described in our academic paper, but which no smart cards currently support. The relay attack also does not depend on magnetic strip transactions still being supported, nor does encrypted PIN prevent the attack.

For these reasons we were fairly confident that we could perform the demonstration, and left for The Netherlands last week with our equipment in tow. However, things did not go as smoothly as we hoped because the terminal behaved slightly differently to the UK ones we experimented with, and some of our hardware also developed problems during the testing process. The hardest to fix was that the terminal was very sensitive to latency introduced by interference on the wireless link. We couldn’t get our demonstration working by the end of the first day, but thought we could resolve the problem in software, and the production team decided to go ahead with the filming as planned the following day, and hope that our fix worked.

One change we were considering making was to allow the “criminal” using the fake card to enter in the wrong PIN. This would avoid the inconvenience of having to send the PIN entered by the “victim” to the earpiece. It is possible to do this because the genuine terminal sends the PIN to the card, not to the bank, so the fake terminal can just substitute in the correct PIN as entered by the victim. We implemented this, but only for unencrypted PIN, because we didn’t realise encrypted PIN was in use (the UK is still considering it). Implementing it for encrypted PIN is more complicated, because it requires replacing the incorrect PIN with the correct one encrypted to the card’s public key which we capture (along with the random challenge) during the beginning of the transaction.

In the end we decided not to do this, because the other problems had meant we spent the whole day trying to debug the problems we encountered, and had to spend the evening designing the work-around for the timing issue. Having been awake since 5am, by the time we were finished with the fixes, we didn’t feel confident enough to correctly deal with the subtleties of proprietary RSA padding modes necessary to perform encrypted PIN. We were also conscious of the fact that if we got it wrong three times in a row, we’d lock the only card we had available for testing.

Fortunately, the work-around for the timing issue fixed the problem, so we could go along with the filming, but we still had to send the PIN via the earpiece. This might have been one of the reasons that the Dutch Banking Association (NVB) said the attack was “complex and cumbersome”, in their press release (translated version). It should be noted however that criminals who aren’t working on such a tight schedule could take the time to implement the PIN-substitution feature for Dutch cards too, making the attack more feasible.

Update: (2009-12-19): Jeremy Kirk from IDG News Service has published an article “Upgraded Dutch Payment Card Still Vulnerable to Relay Attack” related to our demonstration.

The Known Universe

January 4th, 2010. Published under My Recent Reads. No Comments.

The Known Universe zooms out from Tibet to the limits of the observable universe. Dim the lights, full-screen it in HD, and you’re in for a treat.

Like Powers of Ten, except astronomically accurate. It’s not a dramatization, it’s a map; the positioning data was pulled from Hayden Planetarium’s Digital Universe Atlas, which is available for free download.

Since 1998, the American Museum of Natural History and the Hayden Planetarium have engaged in the three-dimensional mapping of the Universe. This cosmic cartography brings a new perspective to our place in the Universe and will redefine your sense of home. The Digital Universe Atlas is distributed to you via packages that contain our data products, like the Milky Way Atlas and the Extragalactic Atlas, and requires free software allowing you to explore the atlas by flying through it on your computer.

Gravity Wells

January 4th, 2010. Published under My Recent Reads. No Comments.

This doesn't take into account the energy imparted by orbital motion (or gravity assists or the Oberth effect), all of which can make it easier to reach outer planets.