hakin9_en_05_2014 (1)

cigitalSecureAssist

Find and Fix Security Defects During Development

Plug-in for Eclipse and Visual Studio identifies common security vulnerabilities and provides remediation guidance

ContextualGuidance and examples specific to the language

Customizeable Incorporate organizational standards into guidance

Expert validatedBased on Cigitals experience in thousands of code reviews

Actionable Code examples explain the right way and place to fix defects

Free 30-day trial: www.cigital.com/hakin9

Securing Assets Across Europe

14th & 15th October 2014MCE, Brussels, Belgiumwww.isse.eu.comISSE

2014

Europes leading independent, interdisciplinary security conference and exhibition Over the past decade, Information Security Solutions Europe (ISSE) has built an unrivalled reputation for its world-class, interdisciplinary approach and independent perspective on the e-security market.

This year, ISSE will take place on 14th & 15th October in Brussels. Regularly attracting over 300 professionals including government, commercial end-users and industry experts who will come together for a unique all-encompassing opportunity to learn, share and discuss the latest developments in e-security and identity management.

Programme Topic Areas Trust Services, eID and Cloud Security European trust services and eIdentity regulation, governance rules, standardization, interoperability of services and applications, architectures in the cloud, governance, risks, migration issues

BYOD and Mobile Security Processes and technologies for managing BYOD programs, smartphone/tablet security, mobile malware, application threats

Cybersecurity, Cybercrime, Critical Infrastructures Attacks & countermeasures against industrial Infrastructures; CERT/CSIRT European & global developments, resilience of networks & services, surveillance techniques & analytics

Security Management, CISO Inside CISOs featuring the latest trends and issues in information security, risk mitigation, compliance & governance; policy, planning and emerging areas of enterprise security architecture

Privacy, Data Protection, Human Factors Issues in big data & cloud, privacy enhancing technologies, insider threats, social networking/engineering and security awareness programs

Regulation & Policies Governmental cybersecurity strategies, authentication, authorization & accounting, governance, risk & compliance

For more information visit www.isse.eu.com

In partnership with

@ISSEConference

4Hybrid AnalysisNextGen Technology for Advanced Malware

Copyright 2014 Hakin9 Media Sp. z o.o. SK

Table of ContentsBeyond SIEM Go for the Real Thingby Juergen Kolb

Encrypting Email Communications Using GpG4win A Beginners Guide (Part 1)by Nihad Hassan

Hackers Targets Industries and Infrastructures Cyber Terror for Mega Industriesby Sathram Shivakumar

Hybrid Analysis NextGen Technology for Advanced Malwareby Jan Miller

IPv6 The Future of Data Protectionby Nevalennyy Alexander CISO

Running Kali on a Raspberry Pi in Headless Modeby Dr. Hani Ragab

Terminal Infrastructure. Back to the Past or Prospects for the Futureby Nevalennyy Alexander CISO

Book Review: Hacking with Kaliby Steven Wierckx

Review: Dr. Web Anti-virusby Amit Chugh

071027304144525659

Hybrid Analysis. NextGen Technology for Advanced Malware

5

Dear Readers,

Just short summing up as it is summer time, and all of us need to have time for some fun.

In the July issue of Hakin9 Magazine, you have a chance to learn about the Hybrid Analysis NextGen Technology for Advanced Malware. What is more, our expert will teach you how to install and use GpG4win encryption software. You will read about this tool, its components and see the brief description about how asymmetric encryption works.

I recommend you read article by Dr Hani Ragab. He created this tutorial because he simply could not find an all-in-one-place tutorial when trying to setup Kali on a Raspberry Pi (RPI). He has read several guides and forums to collect the information compiled for you here. So he would like to start by acknowledging the contributions of all original authors from those sources.

In his tutorial he will show you how to:

Install Kali on a Raspberry Pi.

Connect to Kali and configure SSH.

Setup a VNC server on Kali.

Use a variety of X Desktop environments in the VNC sessions.

Set VNC to run securely (over SSH).

Run VNC by default at system boot.

Finally, you may find of interest IPv6. This article will show the readers not something a deep technical, but a global conception by short thesiss of protection from malefactors.

I would like to express my gratitude to our experts who contributed to this publication and invite others to cooperate with our magazine.

The next issue of Hakin9 Magazine will be published in 4 weeks. The next 3 workshops will be released on August 18th. If you are interested in learning more about future content or, if you would like to get in touch with our team, please feel free to send your messages to [email protected]. I will be more than happy to answer all your questions.

Enjoy reading,

Ewa and Hakin9 Team

Editor in Chief: Ewa [email protected]

Managing Editor: Krzysztof [email protected]

Editorial Advisory Board: David Kosorok, Matias N. Sliafertas, Gyndine, Gilles Lami, Amit Chugh, Sandesh Kumar, Trish Hullings

Special thanks to our Beta testers and Proofreaders who helped us with this issue. Our magazine would not exist without your assistance and expertise.

Publisher: Pawe Marciniak

CEO: Ewa [email protected]

Marketing Director: Krzysztof [email protected]

Art. Director: Ireneusz [email protected]: Ireneusz Pogroszewski

Publisher: Hakin9 Media sp. z o.o. SK02-676 Warszawa, ul. Postpu 17DNIP 95123253396www.hakin9.org/en

Whilst every effort has been made to ensure the highest quality of the magazine, the editors make no warranty, expressed or implied, concerning the results of the contents usage. All trademarks presented in the magazine were used for informative purposes only.

All rights to trademarks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!The techniques described in our magazine may be used in private, local networks only. The editors hold no responsibility for the misuse of the techniques presented or any data loss.

www.uat.edu > 877.UAT.GEEK

[ ITS IN YOUR DNA ]

[ GEEKED AT BIRTH ]

You can talk the talk.Can you walk the walk?

LEARN:Advancing Computer ScienceArti cial Life ProgrammingDigital Media Digital Video Enterprise Software DevelopmentGame Art and Animation Game DesignGame Programming Human-Computer Interaction Network Engineering Network SecurityOpen Source Technologies Robotics and Embedded Systems Serious Game and SimulationStrategic Technology Development Technology Forensics Technology Product DesignTechnology StudiesVirtual Modeling and DesignWeb and Social Media Technologies

Please see www.uat.edu/fastfacts for the latest information about degree program performance, placement and costs.


7

Beyond SIEM Go for the Real Thingby Juergen Kolb

Its been always suspicious for a long time ago that dubious emails, website visits and other hints caused a feeling of being eyed by the opposition in the Far East. The affected medium-sized corporations with the world-leading technology in the aviation industry decided to act and to provide clarity. Experts were commissioned, who determined the existence of Trojans in the system with the help of the latest sandbox-technology tools. With great expenses, the tracks were properly traced. However, they were already blurred in the following days and lost on the Korean peninsula. The spy software was apparently produced individually and had been smuggled via email into the company systems many months ago. The consequential loss of corporate espionage will be shown in its full extent in the next few years.

And the realistic scenario shows that, the real problem today cannot be located any longer by the conventional firewalls including additional modules as well as with the best anti-virus programs. The dangers posed by the internet and threatening both from the inside and from the outside are too diverse, so that a previously adequate basic protection does not meet the present requirements any longer.

The next step undoubtedly is to design and implement more intelligent systems, that will be able to detect the individual attacks. This includes high-caliber firewall systems, using modern sandbox technologies, which means that the software is executed within a specific runtime environment and been isolated from other system resources. On the other hand, the Honey Pot based approach can be employed. This approach does not wait for attacks to happen or only starts running & hunting subsequently, but attracts the enemy attacks directly and then takes them by surprise. In addition, an alert is triggered as soon as suspicious activities (Trojans, Viruses, BotNets) are deployed in the system, where there only should be dead silence.

Servers and systems located in branch offices or production sites in e.g. Asia or other countries should be protected by a comprehensive Security Information and Event Management (SIEM) and log management solution integrating a Honey-Pot-Agent, which should be able to especially protect isolated foreign sales laptops.

SIEM: Headquarter of SecurityTalking about log management among companies is as popular as a child disease and does not contribute any value on its own. But however there are two reasons to invest time and effort which are crucial from experience:

Compliance requirements, which often require swift action because the auditor does not close his eyes any longer, or because the supplier or customer requires strict adherence of regulations or legal requirements to force it.

In the second case, velocity is also required because current security incidents demonstrate that previous security measures failed to fully protect from violations or illegal conduct, or if damage has already occurred. It is particularly unpleasant when authorities are investigating and no logs are available or IT forensics discovers insufficiently archived log files.

This shows that the introduction of SIEM systems usually has to be done quickly, the training should be made easy and it is increasingly requested by customers to outsource monitoring activities to IT service providers. Often, it is more efficient to outsource these up-to-the-second activities, especially if the human resource capacity of a control centre including standby teams is not available. As you can see, a proactive SIEM solution with subsequent alerting is mandatory in the highly-secured areas of banks, energy suppliers and the public safety.


8

Innovative Approach in the event of an AttackTime is considered to be the essence of detection process, as the data is already being tapped and intruders have been able to spread inside. The Honey-Pot-System requires a type of intelligence and predefined settings that are ideally represented in a SIEM and log management solution. Data and logs are correlated here, and integrated from other sources, such as firewalls. And in order to draw initial conclusions once a secure alert is triggered. As in many areas of daily life, from the Fire Service to the Red Cross, it is important that the responsible people are quickly and reliably informed. Everyday life in the IT shows that network connections break, batteries run out very quickly or errors exist in standby plans. So that, an alarm maintains in the ticketing system or time difference may cause problems.

The Rescue Chain is Scheduled to run SuccessfullyDifferent departments, language difficulties in globally distributed support centers or disagreements within responsibilities always cause misunderstandings while handling alerts or even simple service calls. Imagine a map in a thoughtful alerting system that provides an interface between service and system management, a SIEM solution, the network and data resources monitoring system, is a necessity in large organizations. At least in crisis, control, facility management and other departments, should be coordinated. This need of enterprises and public organizations is growing, because IT provides the possibilities to enable everything by only pressing a button, which also includes the company-wide communication in the event of an attack or in an emergency situation.

Including further Security LayersFor risk-exposed companies and institutions, who do not need to assure themselves only in regard to legal compliance reasons (keyword PCI DSS-Standard), it is now becoming necessary to cover the entire spectrum of IT security. This includes topics such as forensic analysis, comprehensive reporting and special requirements such as Windows File Integrity Monitoring (WFIM), which notes and records the changes to file content and generates alerts. Of course, a host based SIEM solution determines, if the predefined rules are violated, so as in the case if too many failed login attempts are counted on a system. The correlation of many events across the relevant IT infrastructure allows to determine complex, forbidden processes or to suppress them immediately. It becomes safer, if the current external threats from the internet are to be suppressed in the shortest possible time. Hence, additional security layers are needed form cross-vendor analysis options such as the integration of network devices and other monitoring solutions. For internal events, such as the vengeful or greedy ex-employee, a proof without SIEM and log management capacities is hardly possible, because logs are not available from many sources or no search functions can be used.

Correlation in (almost) Real-TimeEstablishing the capacity to act again is only possible, if one has the proper tools to become active even under time pressure. If you want to avoid being infiltrated by a known Virus, Trojan or Bot system, it is now necessary to turn several screws. Even today, aggressive viruses like Stuxnet or Heartbleed bugs are partially open and still cause damage, because an update is not often enough. In order to enforce strict rules and policies, it is often necessary to set complex (if-then) mechanisms manually. However, his is not effectively implemented, without SIEM and log management software. In addition, an interface for vulnerability management is advantageous.

Whether this additional connection is made by a specialized third-party or the same manufacturer is still a standing fundamental question, whose answer differs for every intended use.

About the AuthorJuergen KolbManaging Partner iQSol GmbH

Bolster your career by becoming a SharePoint Master! Learn from SharePoint experts, including dozens of SharePoint MVPs and Certified SharePoint Professionals

Master document management

Study SharePoint governance

Find out about SharePoint 2013

Learn how to create applications for SharePoint that solvereal business problems

Exchange SharePoint tips and tricks with colleagues

Test-drive SharePoint solutions in the Exhibit Hall

If you or your team needs Microsoft SharePointtraining, come to SPTechCon Boston!

The Best SharePoint Training in the World returns to Boston!

Choose from more than 80 classes and tutorials!

September 16-19, 2014The Boston Park Plaza Hotel & Towers

SPTechCon is a trademark of BZ Media LLC. SharePoint is a registered trademark of Microsoft.

www.sptechcon.comRegister Early and SAVE!

I really enjoyed it. I can hardly wait to get back to work andstart using what I learned. I will encourage employees andco-workers to attend future SPTechCons. The conferencehad great speakers with relevant subjects, and the wholething was well organized.

Greg Long, Infrastructure Development Manager, ITG, Inc.

I prefer SPTechCon over Microsofts SharePoint Conferencein Vegas. Im definitely going to tell others to go.

Ray Ranson, Senior Architect, RSUI

I prefer SPTechCon over Microsofts SharePoint Conferencein Vegas. Im definitely going to tell others to go.

Ray Ranson, Senior Architect, RSUI

A BZMedia Event

@SPTechCon


10

Encrypting Email Communications Using GpG4win A Beginners Guide (Part 1)by Nihad Hassan

In this guide, I am going to describe how to install and use GpG4win encryption software. First, we will define this tool, its components and will give a brief description about how the asymmetric encryption works.

GpG4win enables users to securely transport emails and files with the help of encryption and digital signatures. Encryption protects the contents against an unwanted party reading it. Digital signatures make sure that it was not modified and comes from a specific sender. GpG4win supports both relevant cryptography standards, OpenPGP and S/MIME (X.509). And it is the official GNU Privacy Guard (GnuPG) distribution for Windows. GnuPG is free and open source software for both commercial and personal use.

What will you learn in this Tutorial? In this guide, you will learn the following:

Understand the concept of public /private key pair (asymmetric cryptography)

Use GpG4win encryption program to encrypt/ decrypt messages using MS outlook

The Authors NoteA light version of this guide has been previously published on http://www.worldstart.com/e-mail-encryption-101-part-5-decrypt-an-e-mail/ targeted for average computer user. In Hakin9, you will read the complete guide to GpG4Win encryption software Part One.

What should you know before? Understanding of working Windows OS and its main functions

How to configure MS outlook to add new email account

GpG4win ToolsGpG4win installer (version 2) contains the following tools in Table 1:Tool DescriptionGnuPG The heart of GpG4win the actual encryption softwareKleopatra A certificate manager for OpenPGP and X.509 (S/MIME) and common crypto dialogs.GNU Privacy Assistant (GPA) An alternative program for managing certificates, in addition to KleopatraGnuPG for Outlook (GpgOL) A plug-in for Microsoft Outlook 2003/2007/2010/2013 (email encryption)GPG Explorer eXtension (GpgEX) A plug-in for Microsoft Explorer (file encryption)Claws Mail A full e-mail program that offers very good support for GnuPG


11

BUT before we talk about how to use GpG4win, we need first to understand the cryptographic system it uses and how it differs from other methods.

Cryptography SystemsMainly, we have two types of Cryptography systems:

Secret key cryptography (symmetrical encryption),

Public key cryptography (Asymmetrical encryption).

In cryptography, a key is a piece of information used by an algorithm to alter information, making this information scrambled and only visible to people who have the corresponding key to recover the information.

In secret key cryptography, both the sender and receiver must use the same key to encrypt and decrypt the message as in Figure 1 (this is why we call it symmetrical encryption). This imposes a security risk as we need to deliver the key to the recipient of the message in a secure way to make him able to decrypt the message. If an intruder catches the key, he will be able to decrypt the secret message and thus compromise the whole system.

Figure 1. Demonstration of Secret key cryptography system

In Public key cryptography, we use two keys, one for encryption and the second for decryption. We can distribute the public key everywhere without compromising the private key. A user will use his friend public key to encrypt the message; the receiver will use his private key (which should be kept secret) to decrypt this message. Although the keys are different, the two parts of this key pair are mathematically linked. The public key is used to encrypt plain text or to verify a digital signature; whereas the private key is used to decrypt cipher text or to create a digital signature. Messages encrypted with public key can only be decrypted using the same private key pair.

This method is far more secure than the symmetric cryptography, as the sender and receiver can exchange their public keys using any communication method while keeping their private keys secret to decrypt the messages received.


12

Let us demonstrate how public key cryptography works using this simple example Rima wants to communicate secretly with Nihad, so Rima encrypted the message using Nihads public

key (which he made available to everyone through his website OR on his email signature) and she sent the encrypted message to Nihad.

When Nihad received the encrypted message, he used his private key to decrypt the message so he can read it.

If Nihad wants to send an encrypted reply to Rima, he will use her public key to encrypt the message and send it to her.

When Rima receives Nihads reply, she will use her private key to decrypt the message so she can read it.

Figure 2. Demonstration of Asymmetric Cryptography Public & Private Key pair

Digital SignatureAfter we have learnt how public/private key pair works, we need a method to make sure that the person who send us the encrypted message is whom he pretended to be. For example in our last demonstration, we said that if Rima wants to send a secure message to Nihad she should encrypt it using Nihads Public key, and Nihad will use his private key to decrypt the received message.

However, how can Nihad make sure that this message was sent from Rima, what if another person (Jessy for example) sent him the message pretending to be Rima! Here comes digital signature role in authenticating the sender of the message.

Rima can encrypt the message using her Private Key and send it to Nihad, Nihad now has to use Rima Public Key to decrypt the message, and because Rimas private key is secret (and always should be) Nihad knows that this message is originated from Rima and not from anyone else because only Rima knows her Private Key. This is similar to paper letter, a signature on the letter serves as a proof that this message was written by the person who signed it with his signature. Encrypting with a private key thus can be regarded as an equivalent alternative to placing ones signature on the message. This is why it is being called creating a digital signature for the message.


13

In order to send the message secretly after signing it, Rima has to encrypt the message again using Nihads Public key and then send it to him, Nihad now has to decrypt the message using his Private key and then decrypt the result again using Rima Public key so he can read the message and also make sure it is originated from Rima.

GpG4win implements the digital signature concept by using Secure / Multipurpose Internet Mail Extension (S/MIME X509) as in Figure 3, your key must be authenticated by an accredited organization before it can be used. The certificate of this organization in turn was authenticated by a higher-ranking organization and so on. Until we arrive at the so-called root certificate. This hierarchical chain of trust usually has three links:

The root certificate

The certificate of the issuer of the certificate (also the CA for Certificate Authority)

Your own user certificate

A second alternative and non-compatible notarization method is the OpenPGP standard. It does not build a trust hierarchy but rather assembles a Web of trust. The Web of Trust represents the basic structure of the non-hierarchical Internet and its users. For example, if User B trusts User A, then User B could also trusts the public key of User C, whom who does not know, if this key has been authenticated by User A.

Therefore OpenPGP offers the option of exchanging encrypted data and e-mails without authentication by a higher-ranking agency. It is quite sufficient if you trust the e-mail address and associated certificate of the person you are communicating with.

Gpg4win allows for the convenient and parallel use of both methods when signing encrypted message. However, in this part of GpG4win tutorial I am going to describe the OpenGPG method only, X.509 certificate will be discussed in later parts.

Figure 3. Digital Signature Using X.509 Certificate

GpG4win Installation Now, we have a fair amount of information about how public /private key pair cryptography works and its main terminologies, it is the time to install GpG4win and begin sending encrypted messages!


14

First, download Gpg4win windows installer from here http://www.gpg4win.org/download.html, and please note that in the time of writing the software version was gpg4win-2.2.1.exe, the same page holds program documentation.

Then, double click the installer to begin installing the software, the first screen asks you to select your preferred installation language, next screen shows you the version number of the installation, click Next to continue, next screen shows the license agreement for using this software, click Next to continue,

Finally, the next screen shows you the components associated with this software, here you can select which components you want to install as in Figure 4, in my case I will select all components to install, click Next to continue,

Figure 4. Select the GpG4win Components that you want to install

Now, you will be asked by with a window to choose the installation directory, leave the default (C:\Program Files\GNU\GnuPG) and click Next to continue,

Next window offers the choice to add program icons on desktop and quick lunch bar, select your preference and click Next to continue,

After that, you can select where you want the program start menu folder (program shortcuts) to appears, the default is on a new folder called GpG4win, you are almost done now click Install to begin installing the software.

During program installation, a pop up message appears asking you whether you want Claws mail to be your default email program as in Figure 5, in my case I am using MS Outlook as my default email client, so hit No button to continue or yes if you do not have email client already installed and you want to use Claws mail,


15

Figure 5. GpG4win comes with email client, if you have one already installed hit No to prevent making it your default email client

Final window appears after finishing the installation asking you if you want to view the readme.txt file of the program.

Creating GpG4win CertificateNow, we need first to create a certificate for us, this certificate will hold our key pair (private and public keys). This definition applies to both OpenPGP as well as S/MIME (S/MIME certificates correspond with a standard described as X.509).

Hence, open Kleopatra program using either the windows start menu OR program icon on desktop as follow:

Figure 6. Lunch Kleopatra Program to begin creating your certificate

The main Kleopatra Program interface appears, Select File Menu and choose the option New Certificate as follows:

Figure 7. Create New Certificate using Kleopatra


16

A pop up window will appear asking you which type of certificate you want to select; the differences and common features of the two formats have already been discussed before.

In my case, I will select the first option as follow Create a personal OpenPGP key pair as in Figure 8 and hit the Next Button to continue.

Figure 8. Certificate option dialog we will select first option

Next dialog asks you to enter your name, email and comment; all this info will be made visible to the public as follows:

Figure 9. Entering Certificate details comments are optional

Hit the Next button to continue, next screen shows a summary of the entered data, if everything is correct hit the Create Key button.


17

A pop up window appears, asking you to enter a passphrase for securing your key (use strong passwords with both big & small letters and numbers, symbols, at least 8 characters) as in Figure 10:

Figure 10. Enter a strong passphrase to protect your key

If everything is OK, the final window appears stating that Key pair was successfully created as in Figure 11 and you will be presented with your Fingerprint which is a 40 digits number and it is unique all over the world, you do not need to remember or write down the fingerprint, you can also display it later in Kleopatras certificate details.

Figure 11. Summary of newly created certificate

The above window offers additional options. The first option allows you to make a backup of the newly created key and the second allows you to send your certificate by email to someone else using your default email client (with your new public certificate in the attachment) and the last option allows you to upload your certificate to Directory Service so all people can see it and use it to send you encrypted files/emails.

In my case, I will select the first option and make a backup of my newly created certificate and save it on my pc in C:\Program Files/GNU/GnuPG/MyCert.gpg. The file extension of the backup key will be as .asc OR .gpg like so in Figure 12.


18

Figure 12. Create a Backup of your certificate

Important-Note If you saved the file on the hard drive, you should copy the file to another data carrier (USB stick, diskette or CD-ROM) as soon as possible, and delete the original file without a trace, i.e. do not leave it in the Recycle bin! Keep this data carrier and back-up copy in a safe place.

Now, click Finish in the main window to finish the key creation wizard, a new key with the name you specified will appear in Kleopatra main window under My Certificates tab as follows:

Figure 13. My new certificate appears in main Kleoptra program

By double clicks on this certificate, you can view its complete details as follows:


19

Figure 14. View Complete certificate Details

Furthermore, we can change both the passphrase (however, we will be asked to enter the old one) and the expire date of this certificate from within this dialog. In my case, I am making my certificate valid forever.

Send and Receive Encrypted E-mails using GpG4winIn order to send encrypted emails, you need to send your public key to the person that you are going to communicate with, to do this follow these steps:

Open Kleopatra program

Right click on your newly created certificate (in my case, DarknessGate certificate) and click Export Certificates as in Figure 15

Figure 15. Export your public key certificate


20

Give your exported certificate a meaningful name and save it with .asc extension, you can open it using WordPad program as follows:

Figure 16. Viewing Certificate content using WordPad

Now to send your public key certificate, you can open your preferred email client and copy the entire certificate file (which we already opened using WordPad) and paste it inside the email, or you can simply send it as attachment (this is the best method)

BEFORE sending and receiving messages, we need to make sure that we have the public key certificate of the person we are corresponding with and it is already imported inside our Kleopatra program, to do this follow the following steps:

In a previous step, we have described how to export our public key certificate from within Kleopatra to an external file with .asc extension and how to send it to our friend.

In this step, we are going to reverse the operation and receive a public key certificate and import it to our Kleopatra program, so we can use it to encrypt our messages and send it to the person who owns this certificate.

Open Kleopatra program and click on Import Certificates button as follow

Figure 17. Click Import Certificates to import new certificates to Kleopatra Program

Select the certificate/file you want to import (public key certificate) and click Open; if the import was successful, a success window appears telling you this as the following Figure 18:

Figure 18. Success message after importing Adele.asc Certificate


21

Click Ok to exit the window, the newly imported certificate appears in main Kleopatra program under Imported Certificates tap as follows:

Figure 19. The newly imported certificate appears in main Kleopatra program

Decrypting E-mails in Microsoft Outlook Express using the GpG4win Program Component (GpgOL)There is an MS Outlook express plug-in for encrypting and decrypting emails automatically from within the Outlook email client. It supports nearly all available versions of MS outlook express versions (2003, 2007, 2010, 2013), to send encrypted emails using outlook follow these steps:

Compose a new email in Outlook and address it to the person you are writing to (I am using Outlook 2010)

Click on the GpgOL tap in the message bar and click the Encrypt button as follows:

Figure 20. Create new Email using Outlook 2010 and encrypting it using GpG4win Add -in

After clicking the Encrypt button, select certificate dialog appears asking you to choose your encryption certificate and the signing type (OpenPGP OR X.509),


22

Figure 21. Select signing type and Encryption Certificate

I selected to encrypt my email using OpenPGP method. In my case, I am sending the email using my email account which I used to create my certificate ([email protected]) so it appears by default, the receiver public key certificate is also appears (Adele) as I already imported it to my Kleopatra program, click OK to continue, the entire message will be encrypted as follow:

Figure 22. Email encrypted (Scrambled) and ready to send

Then, click the Send Button and YOU ARE DONE!!!

RememberI used the receiver public key certificate to encrypt the message.


23

How to Decrypt an Encrypted Message Sent to you?As we mentioned before, in order for a person to send you an encrypted message, he needs first to have your public key certificate because he will use it to encrypt the message

RememberYou should use your private key certificate to decrypt a message sent to you.

When receiving an encrypted message, follow these steps to decrypt it:

Open the email using MS Outlook

Go to the GpgOL tab in message Ribbon and click the Decrypt button,

Figure 23. Click the Decrypt button in GpgOL tab in Outlook message to decrypt an encrypted email

A new dialog appears asking you to enter your passphrase in order to decrypt the message, enter it and click Ok to see you email after being decrypted as follows:

Figure 24. Enter you passphrase to decrypt the message


24

If everything was Ok and you entered the passphrase correctly, a success message will appears along with your email decrypted as in the following Figures:

Figure 25. Email is decrypted successfully

Making Sure you are talking With the Correct Person!If we are going to communicate with people for the first time and you want to make sure that the public certificate you have, is really belong to them. We can check the finger print of their certificate as follows:

Select the Imported Certificates tab in Kleopatra program and double click on any of the available certificates to view its details as in Figure 26:


25

Figure 26. View the Fingerprint of /Adele/ certificate by double clicking on certificate inside Kleopatra program

Communicate with the owner of this certificate by email, phone or any other secure methods and ask him/her to send you their fingerprint, match their fingerprint with the version you have on your Kleopatra program, if both fingerprint match, this means the certificate is authentic, otherwise it is not

Conclusion In this tutorial, we have demonstrated how to use GpG4win to encrypt and decrypt messages using Outlook 2010 through step-by-step tutorial supported with screenshot of our work.

In the coming part of this tutorial, I am going to describe more rich features of this tool directed for advanced users. So in the mean time, you may begin with encrypting/decrypting messages using this powerful tool to get used on it.

References Crash course on cryptography, Public key cryptography, http://www. iusmentis.com/technology/encryption/crash-

course/publickeycrypto/ PKI (public key infrastructure), http://searchsecurity. techtarget.Com /def inition/PKI Gpg4win Compendium, http://www.gpg4win.org/documentation.html

About the AuthorNihad Hassan is a freelancer computer security & forensic consultant and trainer with more than five years of experience in this domain. He had Bachelor degree in Computer Science and been a Certified XML Master. He has been working into the IT field since 2005 for both private and public sectors. His main interests are developing websites based on .Net technology, database design & implementation, System analysis, in addition to his solid knowledge of XML & related technologies. You can read more of his computer security tutorials at his blog: www.darknessgate.com, And you can make contact with him through: [email protected] | https://twitter.com/darknessgate.

www.ipexpo.co.uk

Co-located atCyber Security EXPO is the new place for everybody wanting to protect their organisation from the increasing commercial threat of cyber attacks. Cyber Security EXPO has been designed to provide CISOs and IT security staff the tools, new thinking and policies to meet the 21st century business cyber security challenge.

Cyber Security EXPO delves into business issues beyond traditional enterprise security products, providing exclusive content on behaviour trends and business continuity. At Cyber Security EXPO, discover how to build trust across the enterprise to securely manage disruptive technologies such as: Cloud, Mobile, Social, Networks, GRC, Analytics, Identity & Access, Data, Encryption and more.

FREE

REGI

STRA

TION

The most comprehensive analysis anywhere of how to protect the modern organisation from cyber threats

Free to attend seminars delivered by Mikko Hypponen, Eugene Kaspersky and many more

Attend the Hack Den a live open source security lab to share ideas with White Hat hackers, security gurus, Cyber Security EXPO speakers and fellow professionals

Network with industry experts and meet with Cyber Security exhibitors

Discover what the IT Security team of the future will look like

for a new era of cyber threatsA NEW event,

Register NOWwww.cybersec-expo.com

Sponsors

www.cybersec-expo.com


27

Hackers Targets Industries and Infrastructures Cyber Terror for Mega Industriesby Sathram Shivakumar

The task of supervision of machinery and industrial processes on a routine basis can be an excruciatingly tiresome job. Always being by the side a machine or being on a 24x7 patrol duty around the assembly line equipment checking the temperature levels, water levels, oil level and performing other checks, would be considered a wastage of the expertise of the technicians on non-effective tasks. But, to get rid of this burdensome task, the engineers devised equipments and sensors that would prevent or at least reduce the frequency of these routine checks. As a result of that, control systems and its various off springs like SCADA systems were formed. Supervisory Control and Data Acquisition (SCADA) offers the ease of monitoring of sensors placed at distances, from one central location.

Hey you, I paid my bills so please patch my electric plant system those are the rights we have to demand in the coming days! The Industrial control systems (ICS) are in a need to be patched not too far our dams may be opened and nuclear plants may be down by a cyber-attack!! Yes, it started around the globe and may never stops. As hinted, SCADA (supervisory control and data acquisition) is used to monitor and control a plant or distributed equipments in industries such as energy, water, power transportation, and many more. I define SCADA is HEART to any ICS. The Syrian cyber group called Syrian Electronic Army (SEA) announced an attack in may 2013 against a strategic Israel infrastructure systems in Haifa which led to reveal that attackers targeted the irrigation control system of kibbutz Saar near Nahariya in 2012 and a an Iranian hacker group parastoo attacked in a military style on California PG&E Metcalf and also the International Atomic Energy Agency (IAEA) in 2012 in addition to the world dangerous terror jihad group named Yaman Mukhaddabs electronic group had already 100 volunteers since started from June 2011.

These events are only few incidents that many terror groups and private security firms will be involved through in coming future and the governments and industry owners have to take SCADA security a serious way since if they do not, owners must convince their wifes. I mean that we all will have a serious threat from other countries and specifically the United States (US) which is a major target for many countries, so SCADA systems must be coded under deep and complex security measures, and antivirus softwares for SCADA are much better than conventional PC softwares which Kaspersky has already started developing them. Most of SCADA systems are using Windows 95 and XP because they made the purchasing 25 years ago and they definitely must be patched.

There are thousands of industries which are primary targets with those configurations and a security researcher from IOActive could compromise an industrial facility which is 40 miles away from 40$ (Dollar) and also a Chinese has gone through US water plants and they are script kiddies who can hack into chemical industry which may cause serious environment damage. SCADA apps are also available for many multi industries. Inductive Automation (IA) was the top firm to start a successful SCADA apps to maintain a perfect security just like our android and IOS apps to protect our phones.

In order to meet the future power systems, we have to deal with the SCADA issues with flexibility and in a secure way that technological and methodological changes must be addressed in global terms. SCADA and ICS software/hardware do not go through the same rigorous security lifecycle process as the Information Technology (IT) systems. These systems lag the IT world typically by 10 to 15 years, so we are only recently seeing the large control systems vendors building plants to test their products for security flaws. Although, these systems till now are not tested for a simple buffer flow breach, there is 753 percent increase in vulnerability disclosures to ICS over the past years. Most of the vulnerability reporters have been from researchers without an ICS background.


28

All in all, I feel that many right now are developing an increasing interest in SCADA systems seeing the correlation between cyber security and kinetic world.

Traditional Problems in SCADA SystemsThe people who run the plants are trying to squeeze the maximum amount of yield from their plants. Shutting down a SCADA system, so that it can be patched and tested may literally cost them millions of dollars per hour. Furthermore, the cost of upgrading is not looked upon kindly unless its going to help you create more of product X at a lower price. You may argue that the greater good is more important than money but those guys will not be listening to that. IT is often outsourced to third parties in order to control costs. The downside of ceding control of your own infrastructure is that even something mundane like changing a firewall rule has a process which costs money and resources. These industries are rife with rules and regulations that further inflate the cost of patching systems. In the pharmaceutical industry, the cost of applying a single patch may run well into millions of dollars because every change has to be meticulously audited. There is an old-school engineering mentality that is pervasive based on the old adage If it is not broken, then dont fix it. No person involved in the industry usually wants to find problems. They want the plant to produce and they expect the hardware and software they buy to produce untouched for 20-30 years. A good start of fixing things would be to air gap the SCADA network from the internet. And if connecting is necessary, then use double good firewalls with hardened Demilitarized Zone (DMZ) machine in between. The DMZ can be locked down hard and updated carefully, and it doesnt need to ever hold systems that need careful certifying as it should never be in the control loop, just out of the main band in the monitoring specialized one.

Faster, but Risky SCADA in CloudIn my view, factories in the future will have full scale wireless networks supporting a robotized production process and safety control mechanisms. Operating personnel in future factories will be confined to only work stations inside control rooms. The tablets and mobile platforms will allow them to track on-site going processes from their devices on the go. The emergence and adoption of Cloud Computing (CC) will enable factories access relevant strategic data from the internet to execute real time decisions and enhance operational efficiency. Cloud Computing will gradually become the major means of data storage and intelligence building and also reduces over capital expenditures. In essence, future factories will have wireless networks supporting a highly automated production process. The global SCADA market will continue to experience high growth among different end-user sectors and geographic regions based on the recent statistics of the global SCADA market that is accounted for $4584.4 million in 2009 and is projected to grow at a Compound Annual Growth Rate (CAGR) of 6.0 percentages from 2009 to 2016. Oil, gas, power, nuclear, waste water and electrical industries were key industrial segments employing SCADA solutions and are likely to offer high growth opportunities in coming years. SCADA cloud will pay high possibility for Cyber-attacks in a wide spectrum but neglecting SCADA safety is neglecting NATIONAL PRIDE.

About the AuthorSathram Shivakumar is of 18 years old with a Asian book of record for longest IT marathon and a team member of Cyber-physical systems virtual organization of medical and transportation devices and has great curiosity in IT security.

NextGen Malware Analysis: Combining Static and Dynamic Analysis

Pure dynamic analysis is not enough anymore these days, as malware evolves and detects sandbox systems. Often, the real payload is not executed and triggered through timebombs or other mechanisms. Combining static with dynamic analysis in a hybrid solution is a next generation approach when it comes to malware analysis. As data load grows, we need performant and intelligent solutions.

Understand Malicious Software using High-Performance Algorithms

Introducing StaticStream StaticStream is a high-performance static analysis engine that is written in C++ and can analyze x86 PE files, memory dumps or shellcode. It uses a novel approach of combining dynamic data with state of the art static analysis techniques in order to detect and understand dormant code. It offers a wide range of configuration options and regular updates.

For more Information visit www.Payload-Security.com

Payload Security - a technology oriented IT-Security startup company located in the heart of Germany.

We develop malware forensic tools and analysis systems.


30

Hybrid Analysis NextGen Technology for Advanced Malwareby Jan Miller ([email protected])

As malware evolves, the era of pure dynamic analysis systems is coming to an end. What potential does Hybrid Analysis have?

The Internet connects a wide range of personal computers for private and business purposes that often run Microsoft Windows OS on x86 compatible architectures with Windows ranging at 90% market share in the desktop segment (NetMarketShare, 2014). These monocultures are an extremely attractive environment for numerous malware attacks. Today, malware often appears in the form of highly complex Trojan systems that come with exploit kits and very sophisticated anti-detection measures. The number of infections and the awareness in the industry is larger than ever. Today, there are about 4 million new infections per month (SecureList, 2014). The worm MyDoom.X alone caused damages of about $38.5 billion and that was in 2006 (Borglund, 2014). Lately, also due to the National Security Agency (NSA) scandal, the awareness for IT security has been growing a lot and IT security is becoming a highly invested market.

Classical malware detection methods were based on pure static code analysis, such as finding a specific byte pattern and matching it against a known database of malicious signatures. Static analysis can be described (in the most general sense) as code analysis without execution of the target payload. In turn, malware authors started releasing packed/encrypted or even polymorphic software that rendered classical methods worthless. Consequently, anti-virus (AV) vendors, CERTs/CIRTs and malware researchers started developing and using dynamic analysis systems. Dynamic analysis can be described (in the most general sense) as code analysis during execution or emulation of the target payload.

This was a huge step in Malware detection evolution, because when the execution environment is instrumented appropriately, it allows the observer to see the target software behavior after the malware unpacks its security layers. Today, dynamic analysis systems run the target software on virtual environments with hardware acceleration support (such as VMWare or VirtualBox), in order to observe the malware behavior during runtime. These often automatic systems are called Sandbox analysis systems, as they represent an isolated execution environment for malware that simulates a real victims machine (Executing malware on a prepared physical machine is possible as well, of course.). Using systems such as VirtualBox, the virtual machine (VM) state can be restored to a clean state by loading predefined snapshot files, thus allowing execution of numerous malware samples in sequence without the need to restore the infected machine. Of course, malware authors have adapted to the growth of Sandbox systems and introduced a variety of VM detection methods. If a VM environment can be detected, the malware may behave differently as it would be in the wild and do not show its true behavior.

The not-observed malicious functionality is what we call dormant code. These avoiding techniques range from delayed execution so called time bombs to complex system/hardware state detection methods. For example, if the real payload is not executed within a reasonable amount of time the analysis system will give up on the analysis and potentially miss valuable information. Thus, dormant code detection is a vital prerequisite to Sandbox systems. Analysis results get even better when dormant code is analyzed in-depth using runtime context information.

Combining both static and dynamic analysis (typical the term is Hybrid Analysis) in a fully automated, scalable and performing analysis environment is the next generation in malware forensics and detection algorithms.


31

In this article, we will take a look at why the dynamic analysis data is necessary to understand dormant code and how we can combine it with static analysis to extract in-depth behavior information.

TerminologyIn this chapter, the most important terms are outlined, in order for all readers to be at the same level when the terms are being used later in the article.

Static AnalysisStatic analysis can be described in the most general sense as code analysis without execution of the target payload. The target code (the analysis input data) may be a compiled binary file or a human-readable format, such as program source code, scripting language files or any other type of machine code representation. (N. Ayewah et al.) Define static analysis as a method that examines code in the absence of input data and without running the code, and can detect potential security violations, runtime errors and logical inconsistencies. (Nathaniel Ayewah, David Hovemeyer, J. David Morgenthaler, John Penix and William Pugh, 2008).

Dynamic AnalysisDynamic analysis can be described in the most general sense as code analysis during execution or emulation of the target payload. Involved techniques are usually implemented by tools such as execution visualizers, system observing tools (e.g. malicious behavior detection, intrusion detection, performance observation, etc.), profilers or other types of behavior analysis tools (e.g. sandbox systems). The only known technique used for performing dynamic analysis is instrumentation of the target code or its host (i.e. instrumenting the Operating System (OS) to enable system-level profiling of the suspect application), in order to profile the target codes behavior (Kendall, 2007). Instrumentation refers to techniques that insert additional code for analysis purpose (or instrumentation code) into the target code, in order to measure client performance, detect bugs or intercept code-flow in order to analyze certain behavior patterns. In malware analysis, behavior patterns are often the most interesting.

Dormant CodeDormant code or dormant functionality in malicious programs is payload/code that is not observed during dynamic analysis. In the context of malware, dormant code (not to be confused with Software rot) may be hiding very interesting behavior that is not executed during analysis for whatever reason (e.g. due to virtual machine detection, a command and control server not being available, a long initial sleeping delay, etc.). We can say that every pure dynamic analysis containing No malicious behavior always contains some kind of dormant code (as the executed code coverage never reaches 100%) and sometimes malicious dormant code. As the False Negative case is to be avoided at all cost (i.e. thinking something is clean that is not), it makes sense to invest resources into detecting dormant code. This can be achieved by adding e.g. an additional static analysis layer on memory snapshots.

Side-Notes

Process memory context constantly changes. Thus, it is necessary to take memory snapshots at an intelligent point in time or with a high frequency to Catch e.g. unpacked code or injected ShellCode, etc. In a Perfect world with quantum processors, an analysis system would be able to observe any memory change and instantly analyze the entire process address space for all potentially executable code locations and not to make an impact on the performance.

Unfortunately, we do not have quantum computers and as such the need to require on heuristics and shortcuts, leaving room for mistakes. For example, analysis systems that run through thousands of files per day have an analysis time limit that they have to abide by. If nothing happens within the first ~5-10 minutes, it will be off to the next file and heuristics have to do the job. Thus, the better and more


32

intelligent the underlying algorithms and performance of the system overall is, the more files can be analyzed in a more complete and error-reduced fashion.

Of course, scalable systems and a lot of hardware can solve bad implementations to some degree, but there is always a limit in the real world hardware-wise and other bottlenecks surface on large parallel systems, i.e. quality starts at the lowest level keeping in mind a flexible architecture.

Hybrid AnalysisHybrid Analysis (HA) is something we call intelligent combination of static and dynamic analysis. It is a technology or method that can integrate run-time data extracted from dynamic analysis into a static analysis algorithm to detect behavior or malicious functionality otherwise not as easily possible. Often, the dynamic helper data resembles memory snapshots, runtime API symbol data (memory reference address values) and adding them as an input to a sophisticated static analysis engine (possibly including data flow analysis). For example, if a dormant code sequence executes an indirect call, it would not be possible to resolve the called function address without knowing the value read from a memory location at the point in time of execution (Using a memory snapshot from a later point in time is possible as well, if the value remains unchanged.). Even if we knew the value, it would not be possible to associate the called function address with a system call, if a mapping of memory references to symbol information is not available for the specific execution environment (The specific analysis reference is important, because techniques such as ASLR (Address space layout randomization) cause system API function addresses to be not predictable. As such, we always need to understand detected dormant code in a process context of a specific execution environment.).

Hybrid Analysis in ActionIn this section, we will apply the Hybrid Analysis techniques on an exemplary malware and evaluate the results in order to take a look at the practical side of the topic. In the previous section, Hybrid Analysis and its associated terms were outlined briefly.

ToolsBefore we get to the experimental results, the involved tools will be outlined briefly as follows:

VirtualBox

For our malware analysis example, we will be using VirtualBox as our preferred virtual machine environment. From the Oracle main page states that VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use. Not only is VirtualBox an extremely feature rich, high performance product for enterprise customers, it is also the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License (GPL) version 2. (VirtualBox) Sounds good? It is good. Definitely good enough, to show what Hybrid Analysis (HA) is about.

StaticStream

StaticStream is our preferred static analysis engine, as it can take dynamic data (such as memory snapshots, symbol data) and put it together using HA technology. From the official webpage, it is described as the following: StaticStream is a high-performance static analysis engine that is written in C++ and can analyze x86 PE files, memory dumps or ShellCode. It uses a novel approach of combining dynamic data with state of the art static analysis techniques in order to detect and understand dormant code. It offers a wide range of configuration options and regular updates. (Payload Security)

Dynamic Analysis Tools

For run-time data capturing, we are going to use the Automatic Reverse Engineering Engine (AREE) Manager and Monitor binaries. These are two in-house tools used at Payload Security to generate dynamic data when running malware. These tools work similar to the Cuckoo Sandbox monitor library CuckooMon


33

in the sense that they detour calls at the application level, whereby the Manager is used to load configuration data and start the analysis. The monitor is a DLL file that is injected into the initial malware process and user-level hooks are applied to catch system API calls.

Also, whenever the malware tries to inject itself into another process (e.g. using a remote thread or other techniques), the monitoring is applied to the new target process. In order for our experiment to be successful, injected ShellCode, memory dumps, process context (loaded modules, registry accesses, mutants, etc.) and symbol information (module exports) are logged before the malware is able to modify/taint the data.

Why to Use our own Tools?

Basically, we only decided to use them, because the generated dynamic data has a preferred format that is understandable to StaticStream and we can show how HA works more easily.

If you want to replicate our experiment and want to try out the tools, feel free to contact us.

Hybrid Analysis vs. Matsnu TrojanNow, we know about the tools involved. So let us take a look at a real malware and see HA come into action. For our experiment, we decided to use a Trojan called Matsnu (MD5 e008e161cce090242262fc977b6fe707d3058cdaa3b5d5c3bab24c8c6b05ce9e) that encrypts files on the target drive in order hold the unencrypted data as a ransom. These are the steps we will be taking:

Install a VirtualBox instance with a typical OS, such as Windows XP

Load Matsnu sample on the virtual machine drive

Run Matsnu sample using AREEv2Mgr and inject AREEv2Mon monitor library

Let the analysis runs for a couple of seconds (it is enough), and then grab the generated run-time data

Take the grabbed run-time data and use it, to analyze memory snapshots using HA technology

Evaluate the results and draw a conclusion

First, let us install Windows XP and load Matsnu on the main drive. The following screenshot shows the system after setup, shortly before our analysis,

Figure 1. Start Screen after Installing Windows XP and loading matsnu on the main drive


34

As we can see, there is a shared folder (release) opens with the Manager and ready to start the Matsnu application. Also, we notice that Matsnu is using a PDF icon in order to mislead the Windows user into thinking it is dealing with a document and not an executable. As extensions are disabled by default, we cannot know at first sight that it is an executable.

In the next screenshot, we see the manager opens and uses the command

.run C:/Matsnu

To start analysis manually, there is also a command-line interface, but that is not outlined here.

Figure 2. Running matsnu from the Manager using the interactive mode

At this point, we can already observe an output folder AREE that has been created on the C: drive. It will contain all the dynamic analysis information. Also, the Matsnu file is missing. Checking the captured files in the AREE folder, we detect that this is implemented using a dynamically created batch, which is deletes itself after deleting the original file Matsnu.exe on the C: drive. Also, the batch file is executed from a duplicated process so that the original file is not in use by the OS. This is the batch file content:

:lif not exist C:\Matsnu.exe goto edel /Q /F C:\Matsnu.exegoto l:edel /Q /F C:\DOCUME~1\mjkdmjmj\APPLIC~1\5176313.bat

All in all, the malicious process duplicates itself upon startup then deletes the original file, but continues to exist. The PDF file is missing for the user and the malware authors probably assume that the user will continue with daily business not putting thought to what happened.

After running the sample for a couple of seconds, we abort the analysis, quit the VM and take a look at the captured dynamic data. This is how the dynamic data folder will look like:


35

Figure 3. Dynamic Data Folder

Table 1. Folders description Folder Descriptionapi Contains system calls and parameters bin Contains captured files (e.g. the *.bat file mentioned above)ctx Contains environment data (such as loaded modules, their symbols, registry

accesses, etc.)

dmp Contains memory snapshots of multiple framesshc Contains extracted ShellCodes

And the monprocs.csv file: contains an overview of all monitored processes. In this case, the contents are similar to the following (reduced version):

15539444-00013192,INJECT_NEW,c:\Matsnu.exe,\Device\HarddiskVolume1\Matsnu.exe,15540015-00013280,INJECT_EXISTING,C:\WINDOWS\system32\cmd.exe,\Device\HarddiskVolume1\WINDOWS\system32\cmd.exe,15540115-00001528,INJECT_EXISTING,C:\WINDOWS\Explorer.EXE,\Device\HarddiskVolume1\WINDOWS\explorer.exe,

Quickly, we see that Matsnu first runs the batch file and then injects itself into explorer.exe where it remains to execute most of its payload. This makes manual debugging with e.g. OllyDbg more difficult.

Consequently, we will first try to analyze the memory dump files (ignoring all system files) from the explorer.exe process using symbol memory references and module information as Context Information, which is one of the ideas of Hybrid Analysis. Specifically, we start StaticStream letting it analyze the last frame of the process (i.e. the last dump we logged before quitting the VM), because it often contains already unpacked code sequences. See the following StaticStreams output in a shorter form (passing by nearly 1.6 million instructions including data flow in an impressive ~3 seconds):

Welcome to AREE v2.1Starting analysis ...Adding undefined memory file 15540115-00001528.00000002.15561486.2B90000.00000040.mdmp (POI: 0, Executable: 1) for later analysisFound a hidden PE file in memory file 15540115-00001528.00000002.15561486.3730000.00000002.mdmp at 3730000Analyzing in-memory binary file 15540115-00001528.00000002.15561486.3730000.00000002.mdmpAnalyzing 1 exports1 of 1 exports acceptedNo packed files could be detectedRunning heuristic scan on binary file 15540115-00001528.00000002.15561486.3730000.00000002.mdmp


36

Generating final analysis reportNumber of passed instructions: 1660669Finished analysis in 3276 ms with a throughput of 445 KB/s

In the following snapshot, it is an excerpt of how one output folder with stream files containing disassembly listings looked like (a human-readable output is the default behavior):

Figure 4. Streams Folder File Listing

Hand-browsing some of the stream files quickly reveal that one portion of the streams contains encrypted payload and one portion contains unencrypted payload. Here are some of the more interesting functions that could be used for post-processing to generate behavior signatures or used as an entry point for an additional manual analysis:

Figure 5. Persistence using RegCreateKeyEx


37

The above code sequence (or Stream) shows the call to RegCreateKeyExW at ADVAPI32.dll that would not be detected using pure static analysis, as the indirect call memory reference would not be resolved. In this case, the creation of a registry key and a registry key value was set during execution, as indicated by the dynamic analysis registry log file (i.e. the associated code sequence is not dormant code):

Figure 6: Persistence using Registry

And by converting the hex values to ASCII reveals the following pathway:

C:\Documents and Settings\mjkdmjmj\Application Data\Microsoft\qfpvideo.exe

Matsnu obviously tries to survive a reboot by adding itself to the auto-start registry, which is a very common technique. Checking more streams, another interesting was found quickly. It is the function that encrypts the Command & Control server requests before sending the data over an alternate HTTP connection.

Figure 7. Encrypting Payload before C&C request

The code location above is a good starting point to check cross-references and intercept the encrypted key creation (of course, this requires a flexible monitor system). Also, please note that using a run-time capturing mechanism located at the kernel level, such a system would not be able to capture the unencrypted data without hooking into the user mode and becoming detectable again.

Today, more and more malware is using encrypted traffic (not only HTTPS, but the payload itself being encrypted as well), making it necessary to move closer to the malware code itself, as encryption/decryption of important system data happens at the application level.

Side-Notes

The HA technology also revealed the following, C&C server IP addresses using the alternate HTTP port 8080 are as following:


38

50.31.146.134:8080204.197.254.94:808078.129.181.191:808027.124.127.10:8080173.203.112.215:8080

50.97.99.2:8080103.25.59.120:80805.135.208.53:808050.31.146.109:8080204.93.183.196:8080

And a lot more interesting dormant code sequences, which are not outlined here.

ConclusionAlthough the Matsnu Trojan is not the most sophisticated malware available today, it is a good example because it reflects the typical and state of the art aspects. The traffic communication uses encrypted payloads, it tries to hide its payload injecting itself into a variety of processes, it decrypts its payload inside the explorer making manual debugging difficult, and so forth. Using some run-time data capturing tools, we were able to extract a lot of information, including dormant code and complete symbol information. Of course, the dynamic analysis tool was required to follow the malware into the explorer and remain undetected. As a next step, the static analysis engine StaticStream associated run-time data and generated code sequences for post-processing quickly, allowing us to find valuable analysis entry points and behavior data otherwise unseen by a pure dynamic analysis engine.

In general, we can say that static analysis is good, if the to-be-analyzed data is not encrypted, not obfuscated and available in a more or less complete manner, etc. Sadly, this is not often the case with malware today. Furthermore, we can say that dynamic analysis is good as well, but it misses dormant code and potentially malicious functionality. As we cannot make any qualified statements about the unknown, it is impossible for a pure dynamic analysis system to safely make a statement about a file being benign/clean, because maybe the real payload was never executed.

Thus, new Hybrid Analysis (HA) technologies are not only a necessity, but part of a future solution in the battle on malware. Due to the additional overhead imposed by hybrid technologies, very efficient and performance-oriented algorithms are necessary, especially if viewed on a large scale.

SummaryIn this article, we outlined that todays malware development is opening up new challenges for malware analysis systems. In the early days, simple static analysis byte patterns were enough to detect and classify malware. Then, as malware became more sophisticated, dynamic analysis systems that observed run-time behavior surfaced. The dynamic analysis systems have evolved and are a powerful tool today, but their impact is becoming more and more limited. Today, neither static nor dynamic analysis alone is an effective weapon against modern malware. Dynamic analysis environments are either being detected and/or malicious dormant code is not being analyzed, due to time-constraints or unpredictable code flow behavior. Using intelligent algorithms and Hybrid Analysis (HA) technologies, the best of both worlds can be put together: first-pass checks, analyzing/logging run-time behavior, as well as detecting and understanding dormant code functionality.

In this article, we showed that Hybrid Analysis is an answer, if the run-time data captured has a sufficient quality and the static analysis engine is flexible enough to produce usable analysis results that can be post-processed to generate signatures or indicators.

About the ToolsIn this article, we put focus on a static analysis engine called StaticStream. It is a product of Payload Security and makes automatic and efficient Hybrid Analysis available to dynamic analysis systems and analysts. Its easy interface, high configurability and flexible data stream processing architecture make it an interesting option to upgrade any dynamic analysis system for challenges today and tomorrow.


39

On the WebMore information on StaticStream is available on the web at www.payload-security.com

Bibliography Borglund, J. (2014, April). Top 5 Most Costly Viruses of All Time. Retrieved April 2014, from TopTen Reviews:

http://anti-virus-software-review.toptenreviews.com/top-5-most-costly-viruses-of-all-time-pg5.html Cuckoo Sandbox. (n.d.). Malwr Malware Analysis by Cuckoo Sandbox. Retrieved June 24, 2014, from https://

malwr.com/analysis/YjQzNzExNjcwMDQyNDBhMmJmOTFhN2Y4ODk5ZmQ0NGM/ Kendall, K. (2007). Practical Malware Analysis. Mandiant, Intelligent Information Security. Nathaniel Ayewah, David Hovemeyer, J. David Morgenthaler, John Penix and William Pugh. (2008). Experiences

Using Static Analysis to Find Bugs. NetMarketShare. (2014, April). Desktop Operating System Market Share. Retrieved April 2014, from http://www.

netmarketshare.com/ Payload Security. (n.d.). Payload-Security.com Combining Static and Dynamic Analysis Intelligently. Retrieved

June 24, 2014, from http://www.payload-security.com/ SecureList. (2014, April). Internet threats statistics. Retrieved April 2014, from SecureList: http://www.securelist.

com/en/statistics#/en/map/oas/month VirtualBox. (n.d.). Oracle VM VirtualBox. Retrieved June 24, 2014, from https://www.virtualbox.org/

About the AuthorJan Miller is a specialist for static binary analysis algorithms, reverse engineering and malware signatures. He is the CEO and founder of Payload Security UG (haftungsbeschrnkt). Over the past two years, he has been putting focus on Android based malware, as well as implementing Hybrid Analysis technologies for a leading dynamic analysis system.

Come to Big Data TechCon to learn the best ways to: Process real-time data pouring into your organization

Master Big Data tools and technologies like Hadoop,Map/Reduce, hbase, Cassandra, NoSQL databases and more!

Learn how to integrate data collection technologieswith data analytics and predictive analysis tools toproduce the kind of workable information and re-ports your organization needs!

Collect, sort and store massive quantities of structured and unstructured data.

Looking for Hadoop training? We have severalHadoop tutorials and dozens of Hadoop classes toget you started or advanced classes to take you tothe next level!

Understand HOW to leverage Big Data to help yourorganization today

The how-to technical conference for professionalsimplementing Big Data

Attend Big Data TechCon!

Great conference. I took a lot away from allof the talks I attended.

David Hollis, Consultant, Raybeam Inc.

You will great insights and the speakers willput you on the fast track.

Chandrashekhar Vyas, Solution Architect, Diaspark

Big Data TechCon offers great technologydepth.

Rahul Gupte, Associate Director, Deloitte

Big Data TechCon is a trademark of BZ Media LLC.

A BZMedia Event Big Data TechCon Become a Big Data Master!

San FranciscoOctober 27-29, 2014

www.BigDataTechCon.com


41

IPv6 The Future of Data Protectionby Nevalennyy Alexander CISO at LLC ATAK (Auchan group)

This article will show the readers not something a deep technical, but a global conception by short thesiss of protection from malefactors.Before we start describing profits of the latest version of the Internet Protocol Ipv6 for information security (IS) and however it is known to be long time famous topic, we should understand which IS problems are very topical and emerging today.

The fraud in IT scope is a very complex problem for commercial companies including banks. It is being connected with problems of malefactor identification. A malefactor usually uses a lot of proxies called anonymous proxy (one by one) from different countries for hiding his real IP address and making himself anonymous as in picture 1 Malefactors anonymity. Some malefactors prefer using anonymity nets like TOR or I2P, but they have the same structure as a chain of proxies.

Figure 1. Malefactors anonymity

Here are several issues with the current system of IPV4:

There are no international arrangements about looking out malefactors. It will take a lot of time if malefactors use many proxies (for example: the rout may be as China->Australia->USA->Russia->South Africa), Imagine! An investigator for example will have to request information about IPv4 addresses from different countries step by step and there is a chance that one of them will refuse to provide him any information about an IP address according to country regulations.

There are no international standards about the IPv4 pool allocation instead of the similar telephones pool (as USA has a code of +1). For example, if we know the number of mobile telephone, we can find somebody or detect the region by the information from the contract between both the provider and the client.

Usage of the Network Address Translation (NAT), that helps malefactors to change (or to hide) their IP addresses since IPv4 has a small pool of addresses and without NAT, we cannot build connections between the local and global networks.


42

Coming back to our main topic, we can see that all those sample problems can be easily worked out if we followed those sample steps:

Start using IPv6 instead of IPv4 since it has an extremely larger pool of addresses.

IPv6 was developed like the improvement IPv4. And some large companies like Google started using this one in their network.

There are an international standard for IPv6 pool allocation.

Using an IPv6 prefix to identify the country, city, etc.

For example:

Russia, Moscow (7495::/16)

USA, Los Angeles (1243::/16)

Thanks for this idea of my science tutor Melnikov Dmitriy from NRNU MEPhI!

Extra consequences:

Providers will be able to sell IPv6 addresses for clients like they do with telephone numbers.

Hence, the following privileges can be obtained by employing IPv6:

Make international arrangements about finding malefactors. This will in making crime information exchange between different countries easier. This problem must be solved in one organization like the United Nations.

Using routers and firewalls between virtual networks of different countries for closing malefactors traffic. It makes real boarders on the Internet like Golden Shield Project in China

Agreement on one common internet police (Like the Interpol in reality), that helps to centralize information in one organization and helps in making cross-border crime investigations become more and more easy.

NAT must not be allowed for using. This one is the most important factor than all the above. Without NAT, all malefactors will not be able to hide their addresses via anonymous proxies or anonymous nets. Otherwise, pool allocation will not help with deciding on the IS problems.

Conclusion Without NAT malefactors will not be able to be anonymous.

According to international standards and arrangements, malefactors can be identified. IPV6 prefixes will show the original country and city of the malefactors and then the providers contracts with the clients will reveal information about a company or a person.

Internet is becoming to have real borders.

About the AuthorAleksandr works in the field of Russian Banking Security, sector: compliance and risk management. He has a good understanding of business needs according to real threats. He worked for BANK OF CHINA (ELUOSI). He understood the differences between West and East principles of IS governance so that he can easily organize IS infrastructure. Currently, he works at ATAK Group Auchan.


44

Running Kali on a Raspberry Pi in Headless Modeby Dr. Hani Ragab

We created this tutorial because simply, we could not find an all-in-one-place tutorial when trying to setup Kali on a Raspberry Pi (RPI). We have read several guides and forums to collect & compact the information compiled for you here. So we would like to start by acknowledging the contributions of all original authors from those sources.

For all provided Linux commands, we assume you are logged in as a root mode, if not, please enter this mode by sudo.

Install Kali on a Raspberry Pi First, you should download the Kali Raspberry Pi image. This image has the Secure Shell (SSH) enabled

by default from here: http://www.offensive-security.com/kali-linux-vmware-arm-image-download/

Then, Unzip the image (you might want to use Winrar if under Windows OS)

Under Windows, use the Disk Imager software in order to write the image to a SD card from here: http://sourceforge.net/projects/win32diskimager/

Class 10 cards (minimum of 10MB/s for both read and write operations) and a minimum of 4GB is required are highly recommended by Offensive Security and Kalis creators.

Once installed, you should run the Disk Imager as Administrator. Also, Make sure that the device selected for writing is your SD card and browse to your image, then press write.

If you are using Linux, you should run the following command to write Kali-RPI.img to your SD Card (in our example, it is in /dev/sdb, make sure you use the right path) as follows:

# ddif=Kali-RPI.img of=/dev/sdb bs=512k

This will write the input file (if flag) Kali-RPI.img to the output file (of flag) /dev/sdb, with a block size (bs flag) of 512KB.

Once the image is written, unplug the SD card from your PC, plug it into your Raspberry Pi and boot it.

Connect to Kali and Configure SSH Use an SSH client to connect to your machine. If you are using Windows, Putty is quite common as in:

http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Now, we need to find out the IP address or the host name of your SSH Server (on the Raspberry Pi). In headless mode, there are several ways to do that:

You may simply use the default host name kali as shown in Figure 1 (you can ping kali to get an IP address if needed)

If this does not work, you may also connect to your DHCP server (e.g. your wireless router) and find out your devices IP address:


45

Open a browser and navigate to your home hubs IP address. Your wireless router is generally at 192.168.1.254 (if it doesnt work try 192.168.1.1 as well)

Or, if you want to go wild, scan your LAN using a ping sweeper (WARNING: do not do this unless you have a formal authorization from the infrastructure owner).You can use Nmap for that, and if we assume you are on the 192.168.1.0/24 network, just type the following command:

# nmap -sP 192.168.1.0/24

Figure 1. SSH to Kali using Putty

If you have a keyboard and a screen attached to your RPI, you can simply use the ifconfig command as well.

When connecting to Kali, you will be prompted with a warning, just click on OK (this is because your client does not know the public key of the server yet).

Then, you will be prompted for a user name and a password; the defaults are root with the password toor.

Now, the first thing you need to do is to renew the SSH keys (they are the same for all Kali installations that are made from the Raspberry Pi image; it is a serious breach for your security if you keep them on this setting), renew them using the following commands:

This command removes the current server keys,

# rm /etc/ssh/ssh_host_*

This command regenerates the server keys:

# dpkg-reconfigure openssh-server


46

This command restarts the SSH server, so as to use the new keys for all new sessions:

# service ssh restart

Finally, set your root password to a strong one (no, not a1b2c3) using the command:

# passwd PASSWORD

At this point, you can securely connect SSH to your Raspberry Pi. Next time, you SSH, you will see a warning, simply click on OK (the warning is displayed as the servers public key has changed since your first connection).

Setup a VNC Server on KaliThe Virtual Networking Computing (VNC) provides a graphical desktop to the remote machine where you can use your mouse and keyboard as if you were on a local machine. In order to use it, we need to first install a VNC server.

Install the Tight VNC Package using the command:

# apt-get install tightvncserver

Run the Tight VNC Server, it will prompt you to enter a Password and an optional View Only Password as follows:

This command creates your VNC desktop settings file /root/.vnc/xstartup,

# tightvncserver Side-NoteYou can change your VNC password later on by entering # tightvncpasswd.

Finally, Kill the desktop you just created (further installations and modification to xstartup need to be made before using it) through the command:

# tightvncserver -kill :1

Desktop ChoiceThe default desktop for the Kali RPI image is XFCE. If you want to use it, follow the instructions in subsection 1and and skip the Use the LXDE Desktop subsection. If you prefer to use the LXDE desktop, skip the Use the XFCE Desktop subsection.

Use the XFCE DesktopIf you want to use the default XFCE desktop,

Open /root/.vnc/xstartup (that will be created when you run tightvncserver for the first time)

Then, comment out the last line by prep-ending # to it, and add the line /usr/bin/startxfce4. Your file should look like:

#!/bin/shxrdb $HOME/.Xresourcesxsetroot -solid grey#x-terminal-emulator -geometry 80x24+10+10 -ls -title $VNCDESKTOP Desktop &


47

#x-window-manager Fix to make GNOME workexport XKL_XMODMAP_DISABLE=1#/etc/X11/Xsession/usr/bin/startxfce4Side- Notes

You can edit the file by running the following command:

# nano ~/.vnc/xstartup

When your modification are done, save by entering ctrl+X, followed by y and enter.

If you are addicted to vi, then you should run

# vi ~/.vnc/xstartup

If you are using Putty, and vi is acting in an unexpected way (e.g. direction arrows do not work), you can install vim by the command:

#apt-get install vim

Or, if you do not want to install vim,

hakin9_en_05_2014 (1)

Documents

smartphonetablet security

mobile security processes

esecurity market

fix security defects

interoperability of

governance rules

big data cloud

byod programs