Texans Practice Shooting Down Drones

Saw this video today and thought I would pass it on. Many Americans are up in arms about the news of police and government agencies using drones to patrol US skies. Some are actually using arms to practice shooting them down!

Drone technology has been a game changer in Iraq and Afghanistan, but why use it in the friendly skies of the US? Big Brother rumors abound, but there may be more to it. There have been over 40 reported attempted terrorist attacks on the US since 9/11. The real number may be much higher.

I was talking to a SWAT officer a few months ago and mentioned the 40+ stopped terrorist attacks. He just looked at me and said that border patrol guys say the number is much higher, but a lot of things they run into are not publicly reported.

Most likely the choice to use drone technology in the US is to detect and deter militant attacks. But of course the political correctness of America would inhibit politicians from coming out and publicly saying that. So, you get the Big Brother conspiracies and apparently, concerned US citizens that are practicing shooting these devices down.

Hopefully political correctness can be overcome and constitutional rights straightened out in this matter.

Mimikatz creator to Speak at PH Days Conference

The Positive Hack Days security conference takes place in Moscow, Russia, on May 30-31. It is an interesting-looking international security conference, and this year the keynote speaker will be the ever popular Bruce Schneier.

PH Days will be full of activities, including presentations, labs and contests. The show also boasts a pretty impressive lineup of both Russian and international security speakers talking on a wide array of current topics. One of them is our personal favorite, French security expert Benjamin Delpy, aka ‘gentilkiwi’.

Benjamin is the creator of “Mimikatz”, the amazing software program that, among other things, allows you to pull passwords in clear text from Windows-based systems. According to the PHDays conference speaker list, his talk on Mimikatz will cover some new information that you will not want to miss. Especially if you are a Windows user. Trust me…

Benjamin is a great guy. So if you are planning on going, definitely check out his talk and say “Hi” to him afterwards.  🙂

Move over Stuxnet, Say Hello to the new Cyberweapon: “Flame”

(Screenshot of Iran CERT warning for “Flame” malware)

Yesterday Iran’s Computer Emergency Response Team released a warning about a new modular malware that resembles Stuxnet and Duqu. Dubbed “Flame”, the new cyberweapon is causing quite a stir in the media with its “advanced features and complexity”.

But looking at the malware’s features as disclosed by Iran’s CERT, it doesn’t seem very game-stopping:

  • Distribution via removable media
  • Distribution through local networks
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  • Scanning the disk of infected system looking for specific extensions and contents
  • Creating series of user’s screen captures when some specific processes or windows are active
  • Using the infected system’s attached microphone to record the environment sounds
  • Transferring saved data to control servers
  • Using more than 10 domains as C&C servers
  • Establishment of secure connection with C&C servers through SSH and HTTPS protocols
  • Bypassing tens of known antiviruses, anti malware and other security software
  • Capable of infecting Windows XP, Vista and 7 operating systems
  • Infecting large scale local networks

All of these “threats” have been seen before. I especially liked the “bypassing tens of known antiviruses…” line.

But there are several features that do set “Flame” apart from the pack. First of all, the malware is very large, a whopping 20MB. Also, it consists of several files and appears to attack using swappable modules. But there is more.

According to an article on The Register, Flame has the following features:

  • It has been active for at least 2 years, but possibly 5-8 years
  • Contains exploits for known and fixed vulnerabilities
  • Uses open source libraries
  • Uses a SQLite database
  • Uses some scripts written in Lua (of Angry Birds fame)

All the big-name security companies that have analyzed it seem to agree that, given its complexity, it was most likely written by a nation state and not by individuals or small groups.

The malware could have been created by Israel (and possibly the US) as many of the countries that have detected infection would be logical targets for them.

According to Symantec:

“Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear.”

I am not sure about its “cyberweapon” title, as it seems to be an information gatherer. Definitely worth keeping an eye on, but as with “APT” and “Stuxnet”, I am sure the media will beat this topic to death.

Hakin9 Exploiting Software, May Issue – Buffer Overflow

Hakin9 IT Security Magazine has just released its May issue of Exploiting Software, “Buffer Overflow”.

This month’s magazine features the article “Recovering Passwords and Encrypted Data Remotely in Plain Text”, written by yours truly. In this article, I talk about recovering remote Windows passwords in plain text using both Mimikatz and WCE.

I also talk about the dangers that online attacks can present to file encryption. I show how a Java-based online attack can easily bypass encryption and recover encrypted files. Even though a file was protected by whole-disk encryption and the file itself was encrypted by a separate program, I was easily able to remotely read and download the file with no problems.

Craig Wright also continues his excellent series with an article on Extending Control: API Hooking. In API hooking, malicious code is used to alter library function calls and their returns by replacing the valid function calls with ones of the attacker’s choosing. The article follows on from the previous articles and goes into some of the fundamentals you will need in order to understand the shellcode creation process, how to use Python as a launch platform for your shellcode, and what the various system components are.

This article includes a section on functions and calls, extends DLL injection, and then moves on to the actual API hooking process (which will be extended further in coming articles). With these skills you will have the foundations for creating shellcode for exploits and hence an understanding of the process that penetration testers and hackers use in exploiting systems. You will see how it is possible to either create your own exploit code from scratch or modify existing exploit code to add functionality or to bypass signature-based IDS/IPS filters.
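To make the hooking idea concrete, here is an added example of the import-table flavour of API hooking in portable C. It is not code from the Hakin9 article or from Craig Wright; the `send` stand-in, the program-owned import table, the `install_hook`/`remove_hook` names and the constructed "hunter2" input are all assumptions made for illustration. A real hook patches the pointer that the loader fills in (the IAT on Windows, the GOT on ELF) rather than a table the program owns, but the mechanics are the same: save the original pointer, overwrite the slot with the attacker's function, and have that function pass through to the original so the victim notices nothing.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Signature of the imported function being hooked. A real target would be
   something like ws2_32!send or libc write(); this stand-in is assumed. */
typedef size_t (*send_fn)(const char *buf, size_t len);

/* The program's "import table": name -> function pointer, which victim code
   calls through the way compiled code calls through the IAT/GOT.
   Overwriting the pointer here is the hook. */
typedef struct {
    const char *name;
    send_fn fn;
} import_entry;

/* Stand-in for the genuine library routine. */
static size_t real_send(const char *buf, size_t len) {
    (void)buf;
    return len;  /* pretend everything was sent */
}

static import_entry import_table[] = {
    { "send", real_send },
};

/* Hook state: the saved original (so the hook can pass through) and a
   capture buffer holding whatever the victim handed to send(). */
static send_fn original_send = NULL;
static char captured[256];
static size_t captured_len = 0;
static int hook_calls = 0;

/* The attacker's replacement: record the arguments, then call the original
   so the victim observes normal behaviour and nothing looks broken. */
static size_t hooked_send(const char *buf, size_t len) {
    size_t room = sizeof(captured) - captured_len;
    size_t n = len < room ? len : room;
    memcpy(captured + captured_len, buf, n);
    captured_len += n;
    hook_calls++;
    return original_send(buf, len);
}

static import_entry *find_import(const char *name) {
    for (size_t i = 0; i < sizeof(import_table) / sizeof(import_table[0]); i++)
        if (strcmp(import_table[i].name, name) == 0)
            return &import_table[i];
    return NULL;
}

/* Install: save the current pointer, then overwrite the table slot.
   Returns 0 on success, -1 if the import is unknown or already hooked. */
int install_hook(const char *name, send_fn hook, send_fn *saved) {
    import_entry *e = find_import(name);
    if (e == NULL || e->fn == hook)
        return -1;
    *saved = e->fn;
    e->fn = hook;
    return 0;
}

/* Remove: put the saved original back. Returns 0 on success. */
int remove_hook(const char *name, send_fn saved) {
    import_entry *e = find_import(name);
    if (e == NULL || saved == NULL)
        return -1;
    e->fn = saved;
    return 0;
}

/* Victim code: resolves "send" through the table exactly as an unmodified
   program would, with no idea whether the slot has been patched. */
size_t victim_send_password(const char *password) {
    send_fn f = find_import("send")->fn;
    return f(password, strlen(password));
}

/* Accessors so a caller (or a test) can inspect what the hook captured. */
const char *hook_captured(void) { return captured; }
size_t hook_captured_len(void) { return captured_len; }
int hook_call_count(void) { return hook_calls; }

int main(void) {
    install_hook("send", hooked_send, &original_send);
    victim_send_password("hunter2");   /* constructed input; intercepted */
    remove_hook("send", original_send);
    victim_send_password("hunter3");   /* goes straight to real_send */
    printf("hook saw %d call(s), captured \"%.*s\"\n",
           hook_call_count(), (int)hook_captured_len(), hook_captured());
    return 0;
}
```

The pass-through call to `original_send` is the part that matters for stealth: a hook that swallows the call changes the victim's observable behaviour, while one that forwards it leaves only the side channel (here, the capture buffer) for a defender to find. Checking that the slot is not already hooked also avoids the classic self-recursion bug where the saved "original" is the hook itself.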

Also in this issue:

  • The Basics Of Buffer Overflow, Fuzzing and Exploitation By Richer Dinelle
  • Exploit a Software with Buffer Overflow Vulnerability and Bypassing ASLR Protection By Ahmed Sherif El-Demrdash
  • Danger of Man in the Middle Attacks to Modern Life By Wong Chon Kit
  • E-mail Spam Filtering and Natural Language Processing By Yufan Guo
  • Security Communication and Why You Should Trundle By Dean Bushmiller
  • Overriding Function Calls in Linux By Umair Manzoor

Check it out!