FgScanner included in BlackArch Linux

FgScanner has been included in BlackArch Linux. What is BlackArch Linux?

“BlackArch Linux is a lightweight expansion to Arch Linux for penetration testers and security researchers.

The repository contains 1059 tools. You can install tools individually or in groups. BlackArch is compatible with existing Arch installs. For more information, see the installation instructions. Please note that although BlackArch is past the beta stage, it is still a relatively new project. To report bugs and request new tools, please visit the issue tracker on Github, stop by IRC, or email us.”

[Read more...]

Malware related archives decryption using strings command

The cyber-attack landscape is evolving rapidly, reaching high levels of sophistication and complexity in order to exploit and breach enterprises, government entities, universities, financial institutions, etc., even in the presence of properly designed and well-maintained defense-in-depth strategies. Basically, the main stages of a targeted attack can be summarized in the following five steps:

  • Investigate
  • Infiltrate
  • Explore
  • Exfiltrate
  • Maintain Access

Each stage needs advanced tools and techniques in order to be completed stealthily, and often the tools are very specific to each target. In many cases these tools are created and coded by cybercriminals only a few hours before their deployment in the targeted network, to evade detection systems and signature-based analysis. Besides these custom tools, however, commercial utilities are also used to perform many other activities like encryption, packaging, remote execution, remote access, etc.

RAR and ZIP archives are commonly used to compress and encrypt stolen data during the exfiltration phase of the attack. The RAR format is preferred to ZIP thanks to its AES-256 encryption, its command-line utilities for many architectures and operating systems, the encryption of the archive content listing, etc.

Very often these archives are generated automatically by malware, scheduled tasks, command-line utilities or attacker actions, and they can be identified by their filename structure on the infected filesystems or during a forensic analysis: for example YEAR_MONTH_DAY_USERID_HOSTNAME.RAR or similar.

If the archive content listing is blocked or encrypted, we cannot understand which data is included in the stolen archives and we have to start a password recovery task in order to open the files.
There are several options to achieve this goal:

  • free or commercial tools on a single host
  • commercial tools for distributed tasks over several machines
  • online password recovery services
  • GPU cracking utilities
  • hardware acceleration based on FPGA

Each method listed above could require hours, days, months or years to complete, depending on the length and/or complexity of the password used to protect the files, but we can speed up the process by using a very specific dictionary file containing malware-related strings.

[Read more...]
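As an added example (not code from the original post), the following script re-implements the part of the `strings` command this technique relies on and turns the printable strings of a sample into a deduplicated dictionary file; the sample bytes, the `-hp`/`-p` switch handling and the function names are assumptions made for the example. In a real case you would run it over the dropper, the archiving utility and any memory dumps recovered during the forensic analysis.

```python
"""Build a password-recovery dictionary from the printable strings of a sample."""
from __future__ import annotations

import re
import sys

# Constructed bytes standing in for a malware binary (not a real sample).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"rar a -hp0xDeadBeef! %s\x00\x00"          # archiving command with inline password
    b"C:\\Users\\Public\\exfil\\\x00"
    b"2014_04_20_USERID_HOSTNAME.RAR\x00"       # staging archive name, as in the post
    b"\x01\x02\x03\x04\xff\xfe"                 # non-printable noise, must be skipped
    b"mutex_Xb7Qz\x00"
    b"0xDeadBeef!\x00"                          # duplicate: must appear only once
)

# Runs of printable ASCII (space through tilde), the same class `strings` uses.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable-ASCII runs of at least `min_len` chars, in file order."""
    return [m.group().decode("ascii")
            for m in _PRINTABLE_RUN.finditer(data) if len(m.group()) >= min_len]


def build_wordlist(data: bytes, min_len: int = 4) -> list[str]:
    """Turn extracted strings into deduplicated password candidates.

    Each string is split on whitespace so that command-line fragments such as
    `rar a -hp<password> <file>` contribute the password switch, and the RAR
    `-hp` / `-p` prefixes are stripped to expose the bare password value.
    """
    seen: set[str] = set()
    words: list[str] = []
    for s in extract_strings(data, min_len):
        for tok in s.split():
            for prefix in ("-hp", "-p"):
                if tok.startswith(prefix) and len(tok) > len(prefix):
                    tok = tok[len(prefix):]
                    break
            if len(tok) >= min_len and tok not in seen:
                seen.add(tok)
                words.append(tok)
    return words


if __name__ == "__main__":
    # Usage: python wordlist.py [sample.bin] > malware.dict
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(build_wordlist(blob)))
```

The resulting file is meant to be fed to whichever recovery tool from the list above you use, as a first pass before any generic dictionary or brute-force run.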

Windows 8 upgrade: the nightmare begins

Some days ago I was asked to help a friend choose a new laptop: she explained to me her budget, the target applications and her needs. At the end of the scouting process we decided together to buy an Asus N550L notebook.
The configuration is awesome: Intel i7-4500U, 8 GB RAM, 1 TB hard drive at 5400 rpm (this is the real bottleneck!!!), Nvidia GeForce 745M with 4 GB, Bluetooth 4.0, aluminium case, everything packed in a 15.6″ form factor.

First of all I wanted to buy a Windows 7 Professional license and downgrade the system, but the vendor told me that Windows 7 is not supported by Asus on the N550L. Searching on the Asus website I found drivers and utilities for Windows 8 only... I'm really disappointed about this because I'm quite sure that Windows 7 is not yet End Of Life! Anyway: I moved on to plan B and decided to upgrade to Windows 8.1 Update 1, as suggested by Microsoft, in order to work in Desktop mode... I'm sure she will appreciate the "new" look and feel...

At 5pm I started the laptop unboxing (the Asus package is very well done and really accurate) and the first Windows setup. I clicked on the Store box in order to start the Windows upgrade, but the system required all the latest updates to be installed before starting. The first round was composed of about 80 updates... and required a reboot. The second round was composed of about 20 new updates... and required a reboot... the last round was dedicated to driver upgrades and required a reboot. Well done: after about 1 hour installing updates and rebooting the laptop I was finally ready to start the upgrade. I chose the upgrade box in the Microsoft Store and the system told me that it needed to download 3.2 GB! Really, 3.2 GB! Is this an upgrade? And what about a fresh install instead? Crazy... As you probably know, in Italy we are not famous for ADSL broadband connection speed (we are not famous for many other things either, but that doesn't matter), so the download required about 2 hours on 7 Mbit/s...

[Read more...]

Cyber threats landscape and defense workshop

The Cyber threats landscape and defense workshop was held on April 14th at the ISIS "C. Facchinetti" Institute.
The two-hour workshop was intended to illustrate and explain the evolution of cyber threats in recent years and the current scenario.

About 50 participants attended the event and followed the topics explained: from the first virus created in 1971 (Creeper was the first self-replicating program, created by Bob Thomas and targeting the TENEX operating system, although many people believe that Brain, coded in 1986, was the first virus) to modern APT (Advanced Persistent Threat) attacks, supported by interactive sessions, a live demo and a great movie produced by TrendMicro (you can watch the entire movie in HD on YouTube).

Today we can all be victims of cyber criminals, but we can be a little bit safer if we pay attention to our digital behaviors and know the threats coming from the technologies we use every day. Security awareness and user behavior represent one of the most effective defenses against cyber crime, probably more than the most advanced security technology. We must protect our data starting from Layer 8, in a top-down approach :)

All the slides displayed during the workshop are now available on SlideShare.

Feel free to contact me if you have any questions, suggestions or requests.

Heartbleed Testing and Detecting

A critical vulnerability has been identified in OpenSSL versions 1.0.1 – 1.0.1f (CVE-2014-0160) and it is well explained on the Heartbleed website. Basically, an attacker can exploit this vulnerability to read up to 64 KB of memory data and perform many attacks:

  • Read SSL private keys (and use them to decrypt past, present and future encrypted traffic)
  • Retrieve clear-text usernames and passwords
  • Access source code

There are many resources available online to better understand how the bug works and how to fix it (upgrading to OpenSSL version 1.0.1g or newer), as explained on the OpenSSL website:

  • Upgrade to OpenSSL 1.0.1g
  • Regenerate your private keys and consider the old ones compromised
  • Replace SSL certificates
  • If possible, enable Perfect Forward Secrecy (PFS)

How can I test if my systems are vulnerable?

[Read more...]
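A first triage step, added here as an example that is not part of the original post: parse the banner printed by `openssl version` on each host and flag the ones whose upstream version falls in the 1.0.1 – 1.0.1f range named above. The host inventory is constructed for the example; the function names are assumptions.

```python
"""Triage `openssl version` banners against the Heartbleed-affected range."""
import re

# "OpenSSL 1.0.1e 11 Feb 2013" -> major, minor, patch and the optional letter.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed inventory, as an administrator might collect it host by host.
INVENTORY = {
    "web01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",    # first fixed release
    "vpn01": "OpenSSL 1.0.0l 6 Jan 2014",    # 1.0.0 branch: no heartbeat bug
    "db01":  "OpenSSL 0.9.8y 5 Feb 2013",
    "lb01":  "OpenSSL 1.0.1 14 Mar 2012",    # 1.0.1 with no letter: affected
}


def parse_version(banner):
    """Return (major, minor, patch, letter) from a banner, or None if not OpenSSL."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_heartbleed_range(banner):
    """True if the upstream version is 1.0.1 through 1.0.1f inclusive.

    Caveat: many distributions backport the fix while keeping the upstream
    version string (e.g. a patched 1.0.1e package), so a match here is a lead
    to confirm against the vendor's package changelog, not proof by itself.
    """
    v = parse_version(banner)
    if v is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = v
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter == "" or letter <= "f"


def triage(inventory):
    """Return the host names whose banner falls in the affected range, sorted."""
    return sorted(host for host, banner in inventory.items()
                  if is_heartbleed_range(banner))


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("%s: %s -> update to 1.0.1g or newer" % (host, INVENTORY[host]))
```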