July 4th, 2009

Lots of new conference videos online

Here are a few sets of conference videos that are now online:

Hack in the Box - Malaysia videos. Day 1, Day 2. Even though it’s a pirate bay link, the videos were linked from the main HITB page, so I’m assuming it’s legit, :).

Microsoft’s BlueHat 8 videos. Day 1, Day 2.

Dojosec videos.

(edited to add) 25C3 videos are also now online. Awesome.

Happy torrenting.

Kenshoto stepping down?

It looks like kenshoto is stepping down as the organizer for one of the largest hacking competitions in the world. An announcement has been made on the defcon forums for new organizers.

From the announcement:

WANTED:
An evil large multinational corporation, or…
A nefarious group of genius autonomous hackers, or…
A shadowy government organization from somewhere in the world
TO:
Host, recreate, and innovate the world’s most (in)famous hacking contest.

Kenshoto has always done an amazing job at both the pre-qualification rounds as well as the main competition. They really stepped up the game as more of an art than just a competition. Their efforts will be missed as we look forward to who will carry the torch next.

Wepawet: analyzing web-based malware

This is a pretty cool looking website/service from the Computer Security Group at UC Santa Barbara that will analyze flash and javascript for malicious content. It will actually de-obfuscate javascript and pull out the active exploits that it uses. I’m guessing that it’s also doing some dynamic analysis because it is able to see the exact request/responses that it’s making. Here is a sample report that shows multiple exploit attempts and the actual malware. The website says that it’s currently in alpha and it will have the ability to submit URLs (instead of javascript/flash files) soon.

Via www.offensivecomputing.net

0day in WowWee Rovio Robot

You can’t use it in your plot to take over the world with remote control robots yet, but there’s a new 0day in the WowWee Rovio that will allow remote snooping of the audio/video data that comes from the robot. Other things you can do remotely are get configuration data, update the firmware, and send things to the speaker. It looks like the Rovio is a fancy robotic pseudo-telepresence toy for your dog.

From the advisory text:

Unfortunately, Rovio’s access control mechanisms (username/password) are not
completely utilized across the platform even when enabled. Certain URLs and
RTSP Streaming capabilities of the device are accessible with no
authentication. Furthermore, deployment of the device in the default
configuration attempts to use UPnP to automatically configure your firewall to
allow external access to the mobile webcam platform.

Fun stuff.
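The advisory’s point is that authentication was bolted onto some handlers and forgotten on others. As an added example (not WowWee’s firmware and not code from the advisory), here is the same toy device API written both ways: once with each handler responsible for its own credential check, and once with a single deny-by-default gate in front of every route. The paths, the user name and the password are constructed placeholders, not the Rovio’s real interface.

```python
"""Deny-by-default authentication for a device web API.

Added example; this is not WowWee's firmware nor code from the advisory.
It contrasts the pattern the advisory describes (each handler checks
credentials itself, and one forgets) with a single gate that checks every
path before dispatch. The paths, user and password are constructed
placeholders, not the Rovio's real interface.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Constructed credential store with a placeholder password.
USERS: Dict[str, str] = {"admin": "placeholder-password"}


@dataclass(frozen=True)
class Request:
    path: str
    user: Optional[str] = None
    password: Optional[str] = None


def credentials_ok(req: Request) -> bool:
    """True if the request carries a known user and the matching password."""
    expected = USERS.get(req.user or "")
    if expected is None:
        return False
    return hmac.compare_digest(expected, req.password or "")


def status_handler(req: Request) -> str:
    return "200 status"


def config_handler(req: Request) -> str:
    return "200 config"


def stream_handler(req: Request) -> str:
    return "200 stream"


def dispatch_per_handler(req: Request) -> str:
    """Variant 1: authentication is each handler's own job (the fragile pattern)."""
    if req.path == "/status":
        return status_handler(req)          # intentionally public
    if req.path == "/config":
        if not credentials_ok(req):
            return "401"
        return config_handler(req)
    if req.path == "/stream":
        return stream_handler(req)          # check forgotten: media exposed to anyone
    return "404"


ROUTES: Dict[str, Callable[[Request], str]] = {
    "/status": status_handler,
    "/config": config_handler,
    "/stream": stream_handler,
}
PUBLIC_PATHS: Set[str] = {"/status"}  # the only paths allowed to skip the gate


def dispatch_gated(req: Request) -> str:
    """Variant 2: one gate in front of every route; new routes are protected by default."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return "404"
    if req.path not in PUBLIC_PATHS and not credentials_ok(req):
        return "401"
    return handler(req)


def unauthenticated_exposure(dispatch: Callable[[Request], str]) -> Set[str]:
    """Regression check: which known paths answer 200 to a request with no credentials?"""
    return {p for p in ROUTES if dispatch(Request(p)).startswith("200")}


if __name__ == "__main__":
    print("per-handler:", sorted(unauthenticated_exposure(dispatch_per_handler)))
    print("gated:     ", sorted(unauthenticated_exposure(dispatch_gated)))
```

The `unauthenticated_exposure` helper is the check worth keeping around: run it against the route table in a unit test and any newly added path that answers without credentials shows up as a failure instead of an advisory.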

Happy 2008^H9!

I don’t want to bore anyone with arbitrary end of year statements/predictions, but I did want to acknowledge the milestone. 2008 was a pretty good year, and we’ve managed to get back into a regular schedule again with meetings twice a month. We’re looking forward to an exciting 2009, and have a couple new projects that we’re working on that we can hopefully start posting about soon. More fun stuff on the horizon.

BotHunter LiveCD and new releases

It looks like BotHunter has been busy since the last time I was looking at them. They have a new Live CD to test out the software, and some new releases with some new features (including a GUI) that are worth checking out. Here’s the blurb on what bothunter does:

BotHunter is a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter. Using an advanced infection-dialog-based event correlation engine (patent pending), BotHunter represents the most in-depth network-based malware infection diagnosis system available today.

Last time I tried them out, the installation was a bit clunky, but overall it was a very valuable tool. Correlating the different major points in the bot life cycle really helps with much more accurate detection. In my tests it did a far better job than a traditional IDS at reducing false positives to a usable set of results.

If you’re interested in the subject, this is a good white paper on their design, how they do the correlation between different points in the life cycle, and some of the anomaly detection features they’ve added among other things. I thought it was well worth the read.
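To make the correlation idea concrete, here is an added example (my code, not BotHunter’s) that runs over a few constructed sensor log lines. A host with a single hit is not reported; a host whose events within one time window complete an infection dialog is. The stage labels and the declaration rule follow the BotHunter dialog model as I recall it from the white paper (E1 inbound scan, E2 inbound exploit, E3 egg download, E4 C&C traffic, E5 outbound scan; declare on E2 plus any outbound stage, or on two distinct outbound stages). The log format, window length and sample events are constructed.

```python
"""Infection-dialog correlation over sensor events.

Added example, not BotHunter's code. It implements the idea described in
the post: a single sensor hit is weak evidence, but several distinct
stages of the infection life cycle observed for the same internal host
within a time window are strong evidence. The stage labels follow the
BotHunter dialog model as I recall it (E1 inbound scan, E2 inbound
exploit, E3 egg download, E4 C&C traffic, E5 outbound scan), as does the
declaration rule; the log format, window length and sample events are
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sensor log: "<epoch> <stage> <internal host> <remote host>".
SAMPLE_LOG = """\
1000 E1_INBOUND_SCAN    10.0.0.5 203.0.113.9
1030 E2_INBOUND_EXPLOIT 10.0.0.5 203.0.113.9
1090 E3_EGG_DOWNLOAD    10.0.0.5 198.51.100.7
1150 E4_CNC             10.0.0.5 192.0.2.44
1200 E1_INBOUND_SCAN    10.0.0.8 203.0.113.9
1210 E1_INBOUND_SCAN    10.0.0.9 203.0.113.9
5000 E4_CNC             10.0.0.8 192.0.2.44
"""

WINDOW_SECONDS = 600  # constructed; how long one dialog is allowed to span
OUTBOUND_STAGES = {"E3_EGG_DOWNLOAD", "E4_CNC", "E5_OUTBOUND_SCAN"}


@dataclass(frozen=True)
class Event:
    ts: int
    stage: str
    host: str
    remote: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, stage, host, remote = line.split()
        events.append(Event(int(ts), stage, host, remote))
    return events


def dialog_complete(stages: Set[str]) -> bool:
    """Declaration rule: local exploit plus any outbound stage, or two distinct outbound stages."""
    outbound = stages & OUTBOUND_STAGES
    return ("E2_INBOUND_EXPLOIT" in stages and bool(outbound)) or len(outbound) >= 2


def naive_alerts(events: List[Event]) -> Set[str]:
    """What a signature-only IDS would flag: every host with any hit at all."""
    return {e.host for e in events}


def correlate(events: List[Event], window: int = WINDOW_SECONDS) -> Dict[str, Set[str]]:
    """Return {host: stages seen} for hosts whose events within one window complete a dialog."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host[e.host].append(e)
    verdicts: Dict[str, Set[str]] = {}
    for host, evs in by_host.items():
        # Slide a window starting at each event; the first complete dialog wins.
        for i, first in enumerate(evs):
            stages = {e.stage for e in evs[i:] if e.ts - first.ts <= window}
            if dialog_complete(stages):
                verdicts[host] = stages
                break
    return verdicts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("naive alerts:", sorted(naive_alerts(evs)))
    for host, stages in correlate(evs).items():
        print(f"infection declared for {host}: {sorted(stages)}")
```

On the sample data the per-signature view flags three hosts (two of them merely got scanned), while the dialog view declares only 10.0.0.5, which is the false-positive reduction the post is talking about.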

Helix v2.0 released

Helix is the definitive computer forensics, incident response live CD distribution, and it has recently released version 2.0. Here is the list of updated features. Among lots of new tools and tool upgrades, one big change is that it is now based on Ubuntu rather than Knoppix. Some other cool new tools that have been added to Helix are winlockpwn which bypasses windows authentication via firewire, Volatility for parsing processes, network information and many other things out of raw memory, and something else cool from metlstorm, bioskbsnarf, which parses the realmode keyboard buffer out of the bios data area. It looks like a couple of the newer memory dumping utilities for windows have also been added to the windows live portion of the distro.

The only bad thing that I’ve noticed is that the static binaries (important for incident response) are no longer distributed directly on the CD, but at least they are still available for download. Maybe they (or someone else) will put together a DVD that includes these.

I was told a while before the release came out that it was no longer going to be free, so I’m pretty glad to see this release is public and still free. That being said, it’s a worthwhile project to contribute to, so I’d suggest buying a pressed CD to help them out. If not — happy downloading, :) .


PS — And yes, it is v2.0 that has been released despite them calling the distribution “Helix 3” for some slightly confusing reason. :)

Toorcon (en route)

I’m at the airport at a very unearthly hour, but the bright side is that I’m headed to Toorcon. If you’re around at Toorcon, I’ll be the one in a black t-shirt, :) . I’m looking forward to hanging out with some people that I haven’t seen since the last conference. See you there…

XSRF and Identity Misbinding Attacks

I thought this was kind of a clever chain of attack vectors. I think it illustrates well how you can take multiple smaller security problems, and use the series to exploit something greater (in this case youtube accounts).

In the post Jeremiah links to a good paper that has some other interesting attack vectors. The paper starts with basic XSRF and current remediation strategies, but then goes into some new attacks that cause a victim user to log into a site with the attacker’s credentials. They outline a couple of scenarios where this could allow them to gather credit cards through PayPal, or credentials for iGoogle. They also poke holes in some of the current remediation strategies and even some of the tools that implement them. Defense against this kind of login XSRF is difficult because it requires maintaining some type of pre-session session/token, so they also have some recommendations for adding a new standard Origin HTTP header which has a number of advantages. It’s good reading, you should go read it if you’re at all interested in web security.
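The two server-side defenses the paper recommends for login XSRF, as an added example of my own (not code from the paper or from Jeremiah’s post): an Origin header check for every state-changing request, and a pre-session secret handed to the anonymous visitor before login so that the login form itself can carry a token. The site origin, server secret, and the cookie and form field names are constructed; the decision to refuse a POST that carries no Origin header at all is this example’s policy rather than a quotation of the paper.

```python
"""Server-side checks against login CSRF, as an added example (not code
from the paper or from Jeremiah's post).

A login form has no session yet, so the usual per-session CSRF token
cannot protect it. The paper's two answers are a browser-supplied Origin
header the server compares with its own origin, and a "pre-session"
secret issued to the anonymous visitor before login. Both are checked
here. The site origin, secret key and cookie/field names are constructed,
and the choice to refuse state-changing requests that carry no Origin at
all is this example's policy, not a quotation of the paper.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

SITE_ORIGIN = "https://example.test"            # constructed
SERVER_SECRET = b"constructed-secret-rotate-me"  # constructed; use a random key in practice
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_allowed(method: str, headers: Dict[str, str]) -> bool:
    """Origin check: state-changing requests must come from this site."""
    if method.upper() in SAFE_METHODS:
        return True                       # safe methods change no state
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        return False                      # example policy: no Origin, no login
    return origin == SITE_ORIGIN


def issue_presession() -> Tuple[str, str]:
    """Give an anonymous visitor a random cookie value and the matching form token."""
    cookie_value = secrets.token_urlsafe(32)
    form_token = hmac.new(SERVER_SECRET, cookie_value.encode(), hashlib.sha256).hexdigest()
    return cookie_value, form_token


def presession_ok(cookie_value: str, form_token: str) -> bool:
    """The form token must be the MAC of the cookie this browser actually holds."""
    expected = hmac.new(SERVER_SECRET, cookie_value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, form_token)


def login_allowed(method: str, headers: Dict[str, str],
                  cookies: Dict[str, str], form: Dict[str, str]) -> bool:
    """Both defenses must pass before the credentials in `form` are even looked at."""
    if not origin_allowed(method, headers):
        return False
    cookie_value = cookies.get("presession", "")
    form_token = form.get("presession_token", "")
    if not cookie_value or not form_token:
        return False
    return presession_ok(cookie_value, form_token)


if __name__ == "__main__":
    cookie, token = issue_presession()
    print("same-origin login:", login_allowed(
        "POST", {"Origin": SITE_ORIGIN}, {"presession": cookie}, {"presession_token": token}))
    print("cross-site login: ", login_allowed(
        "POST", {"Origin": "https://attacker.test"}, {"presession": cookie}, {"presession_token": token}))
```

Because the form token is a MAC over the cookie value rather than a copy of it, a forged login form can only carry a token for a cookie the forger holds, which will not match the cookie the victim’s browser sends; the Origin check catches the same request earlier and also covers browsers that never saw the pre-session cookie.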

(In)secure Magazine Issue 18

There’s a new issue of (In)secure Magazine out and available for download. It looks like it has a few interesting articles in it on different security tools, PCI (WAF vs. code review) and secure web programming. They usually have some interesting content to flip through, and it’s nice to have it as downloadable content.
