Friday, January 27, 2006

Black Hat Federal 2006 Wrap-Up, Part 3

Please see part 1 for an introduction if you are reading this article separately.

Staying on the rootkit theme, I next heard Joanna Rutkowska discuss "Rootkit Hunting vs. Compromise Detection." She has done some impressive work on network-based covert channels, but she is also a rootkit guru. Joanna talked about "Explicit Compromise Detection," and the need to scan kernel memory for integrity checking. She challenged many of the ideas of traditional rootkits, such as the need to survive a reboot, the desire to hide processes, open sockets, and so on. It seems like her new DeepDoor rootkit is an all-in-one package that hooks the Windows Network Driver Interface Specification (NDIS) code by modifying four words in the NDIS data section of memory.

She demonstrated her ddcli client talking to a DeepDoor'd victim. The client communicated with the server over port 445 TCP. Fair enough, but port 445 TCP was also able to handle normal SMB traffic, even with the rootkit active! That is insane. She showed how her rootkit could still function even with Zone Alarm denying access.

Joanna emphasized that there is no safe way to read kernel memory on Windows. She said that even reading physical memory can be tough. She requested that Microsoft implement a means to let third-party vendors reliably read kernel memory. She said that such a new feature would not aid attackers, since they do not care if their unreliable methods end up crashing a target. A security vendor, however, must take extra care. Joanna noted that next-generation operating systems should ship with more than two CPU privilege modes, and that Trusted Computing will not prevent the attacks she described. She mentioned the introduction of a hypervisor that runs at ring -1 (today's systems descend to ring 0). Joanna also postulated that there may be a finite number of places for malware to hook an OS, so perhaps it would be helpful to enumerate them in a public place. A related project is her Open Methodology for Compromise Detection.

Joanna was not able to release her DeepDoor rootkit for reasons of "NDAs." She was also not able to discuss ongoing work on network covert channels for the same reason. On a personal note, I spoke with Dave Aitel (note he has cut his hair WAY back from what's shown in the photo!) who had a tough time pronouncing my name. I guessed that as a fellow Eastern European (I'm American but my ancestors are from that area), Joanna (who is Polish) would be able to pronounce "bate-lik." Joanna was sitting nearby, and sure enough, she could!

After hearing about rootkits for three straight talks, I took a break by hearing Simson Garfinkel discuss new directions for disk forensics. (He reminded the audience of his company Sandstorm Enterprises, and I learned by speaking with him that he sells a laptop version of NetIntercept for consultants like me.)

Simson spoke for a long time discussing his ongoing used hard drive analysis project. He introduced his cross-drive forensic analysis methodology, which involves finding interesting data on groups of hard drives. One of the most powerful techniques was building histograms of email addresses. On a single hard drive, the most frequently seen email address is usually the address of the hard drive owner. He also searched hard drives for patterns associated with credit cards. The interesting aspect of this sort of analysis is that he is reviewing raw data in all cases, such that he can even review something like an Oracle data drive that has no conventional partitions.
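To make the histogram idea concrete, here is a small added example (my own illustration, not Simson's tooling) that carves email addresses straight out of raw image bytes, names the most frequent address as the probable owner of each drive, and then correlates addresses across drives. The sample images, drive names and the simple ASCII email pattern are all constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Simple ASCII email pattern (assumption: a real carver would be more forgiving).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def carve_emails(raw: bytes) -> Counter:
    """Count every email address found anywhere in a raw image.

    There is no filesystem parsing: the whole byte stream is scanned, so slack
    space, deleted files and drives with no conventional partitions are all
    covered the same way.
    """
    return Counter(m.group(0).lower() for m in EMAIL_RE.finditer(raw))


def probable_owner(hist: Counter) -> Optional[str]:
    """The most frequent address on a single drive is usually its owner."""
    if not hist:
        return None
    return hist.most_common(1)[0][0].decode("ascii")


def cross_drive(hists: Dict[str, Counter], min_drives: int = 2) -> Dict[str, List[str]]:
    """Addresses seen on at least min_drives images, mapped to those images."""
    seen: Dict[str, List[str]] = {}
    for drive, hist in hists.items():
        for addr in hist:
            seen.setdefault(addr.decode("ascii"), []).append(drive)
    return {a: sorted(d) for a, d in seen.items() if len(d) >= min_drives}


def analyse(images: Dict[str, bytes]):
    hists = {name: carve_emails(raw) for name, raw in images.items()}
    owners = {name: probable_owner(h) for name, h in hists.items()}
    return owners, cross_drive(hists)


# Constructed sample images: filler bytes with a few embedded mail headers.
DRIVE_A = (b"\x00" * 64 + b"From: alice@example.org\r\n" * 5
           + b"To: bob@example.net\r\n" + b"\xff" * 32 + b"cc: helpdesk@corp.example\r\n")
DRIVE_B = (b"\x00" * 64 + b"From: carol@example.com\r\n" * 3
           + b"To: helpdesk@corp.example\r\n" * 2 + b"\xff" * 32)

if __name__ == "__main__":
    owners, shared = analyse({"driveA.img": DRIVE_A, "driveB.img": DRIVE_B})
    print(owners)  # {'driveA.img': 'alice@example.org', 'driveB.img': 'carol@example.com'}
    print(shared)  # {'helpdesk@corp.example': ['driveA.img', 'driveB.img']}
```

On real images the shared-address list is where the cross-drive method pays off: an address that appears on several unrelated drives points at a correspondent, a vendor or an organisation that links otherwise unconnected owners.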

I was most excited to hear about Simson's Advanced Forensic Format project. He noted that images produced by dd are big and contain no metadata. Proprietary formats like the Encase E01 are "bad and undocumented." Simson promotes AFF as an open standard that will be integrated into a future release of Brian Carrier's Sleuth Kit. AFF contains tools that do more than efficiently image and describe drives. The acquisition tools can even help bring old drives to life by pulsing and otherwise manipulating them.

The most thought-provoking aspect of Simson's presentation was his discussion of the market for used hard drives on eBay. He says people pay unreasonable amounts for small old hard drives, and definitely odd amounts for hard drives reported as broken. The implication is that those hard drives might be bought by criminals hunting for sensitive information. (Simson gave examples of such data during his presentation.) He is working to educate people that "format" does not mean "erase," and he hopes Microsoft will replace the current format command with a tool that truly zeroes out a drive. Simson also said he is unaware of any technique to retrieve data from a zeroed-out hard drive, saying that Peter Gutmann's 1996 techniques would no longer work on drives built since then due to the density of modern drives.
