Thursday, 20 February 2014

Applied Academics - Papers and Presentations

%                        APPLIED ACADEMICS                      %

I have been receiving a few requests for a presentation that I did at ZAcon V (2013) and the accompanying white paper (which is a hack of my ISSA talk on the same subject), so if you are interested, both can be found at the link below.

File Repository

Monday, 13 January 2014

Community seeking revolution - must bring own tools

***********                          *************
*********** I have no words for this *************
***********                          *************

Many of us have gone down the ISC2 rabbit hole. Like it or not, the CISSP is a necessary set of letters for anyone that wants to work in enterprise. Can you get by without it? Of course. Does it make your life easier? Of course! Is it useful? I am not sure.

I pulled my CISSP having never formally studied security or CompSci for that matter. I was a Linux System Admin that had a love for security things, and a friend of mine suggested the CISSP as a way of breaking into the full-time security gig. The result is that when I studied for my CISSP, a lot of the information was helpful. It is for that reason that I have been pro-CISSP. 

Since strapping those five letters to my CV I have also knocked out the ISSAP concentration, which was an exercise in wasting money. The content is a carbon copy of the relevant CISSP chapters and in my region (South Africa) it adds nothing to your arsenal of HR/headhunter dam-busters. The concentrations feel like an overachiever tax imposed on those that are stupid enough to want to elevate their 'gold standard' certs (present company included).

I say that I am pro-CISSP, but I am not pro-ISC2. Last month I attended the local ISC2 conference only to find that the keynote was a rehash of not only industry knowledge but the sort of thing that I would expect to read on Bloomberg. Information that is so well known that major news releases have latched onto it. There was absolutely no content relating to the future of InfoSec from a technology or social (job market) point of view.

In other words, it was a complete waste of time. Sure, it was free because I am a member but those are my subs hard at work. Then I read this headline from the ISC2 Quarterly Insights email this morning: "Your Boss Just Asked About Bitcoin. Now What?".

This perfectly captures the ISC2 mentality at the moment. In a post-TOA world the best Insight that they can carry is how to avoid looking stupid in front of the person that signs off your salary and study budget.

I know that there is a crusade being led by some of the community, focusing on electing board members that are attuned to what is happening in the Scene, and I wish them luck, but I have decided that once I finish my PhD I will give my CISSP-ISSAP a viking funeral. Of course I was silly enough to get the titanium wall plaque, so if anyone has some thermite that they wouldn't mind gifting me it would be greatly appreciated...

Monday, 2 December 2013

Hello Bill? Can you please ignore this for us? Love, NSA

||                                                   ||
||   _       _--""--_                                ||
||     " --""   |    |   .--.           |    ||      ||
||   " . _|     |    |  |    |          |    ||      ||
||   _    |  _--""--_|  |----| |.-  .-i |.-. ||      ||
||     " --""   |    |  |    | |   |  | |  |         ||
||   " . _|     |    |  |    | |    `-( |  | ()      ||
||   _    |  _--""--_|             |  |              ||
||     " --""                      `--'              ||
||                                                   || 

I was reading a post by Bruce Schneier this morning regarding the NSA's perceived influence over antivirus companies. The 30-second version: now that we have learnt that the NSA secretly weakened the internet's security so that it would be easier for them to eavesdrop, could the NSA have employed a similar tactic on antivirus vendors to protect state-sponsored malware?

The concept is simple: the NSA builds Malware X and tells AV companies not to flag X as malware. Bruce writes that he joined a group of security experts who asked AV vendors whether they had been approached by state organs and asked to turn a blind eye to their malware. The answer was a unanimous "No", and one that Bruce is inclined to believe because, and I quote, "My guess is that the NSA has not done this, nor has any other government intelligence or law enforcement agency. My reasoning is that antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies."

I also agree with this - it would be too difficult to convince many multi-national companies to circumvent their security and keep it quiet. But what if there was a way to reap the same results, and do so by only approaching one USA-based company? If I were the NSA I would have gone straight to Microsoft and 'convinced' them to apply some binary trickery to my malware at the kernel level.

Now I will be the first to admit that I am not a kernel-level or a deep Windows coder so this could very well be impossible, but I am fairly confident that this could be done and, because it is closed source, it could be kept fairly safe. I also have zero proof of this (accusations are fun without evidence!) so I am not claiming that this is happening right now. All that I am saying is that the NSA would not have needed to target AV vendors to make their malware invisible.

Tuesday, 15 January 2013

Many bees make quick work. Parallel Python scripting framework with pprocess

     ^^      .-=-=-=-.  ^^
 ^^        (`-=-=-=-=-`)         ^^
         (`-=-=-=-=-=-=-`)  ^^         ^^
   ^^   (`-=-=-=-=-=-=-=-`)   ^^                            ^^
       ( `-=-=-=-(@)-=-=-` )      ^^
       (`-=-=-=-=-=-=-=-=-`)  ^^
       (`-=-=-=-=-=-=-=-=-`)              ^^
       (`-=-=-=-=-=-=-=-=-`)                      ^^
       (`-=-=-=-=-=-=-=-=-`)  ^^
        (`-=-=-=-=-=-=-=-`)          ^^
         (`-=-=-=-=-=-=-`)  ^^                 ^^
     jgs   (`-=-=-=-=-`)

Many bees make little work, which is why I found myself looking for more workers instead of bigger workers.

The problem is that, as part of my thesis, I need to crunch 1 TB of data in three separate passes, each taking in excess of 12 hours. This is far too long.

The root cause is that tshark is single-threaded, so additional cores sit idle while one core does all the work. Since my ESX server is not too big on the GHz but bloated in the cores department, I needed to find a way to improve throughput without busting the bank on a faster CPU: run several single-threaded tshark instances side by side, one per core.

I have also been learning Python, so I figured this was a prime time to flex my newly developed Python muscles!

Quick disclaimer though: I am NOT a Python genius, nor am I a guru of coding. This code is functional but far from perfect, and all that I hope is that someone else will be able to find some use in this snippet.

Here is the script:

```python
import os
import subprocess
import time

import pprocess   # third-party: simple parallel process management

start = time.time()

def wshark(pcap):
    # Run one single-threaded tshark instance on one capture file.
    # The tshark options from the original post did not survive; -r reads
    # the capture. Passing an argv list instead of a shell string means a
    # crafted filename under /warehouse cannot inject shell commands.
    # Note: several workers appending to the same log can interleave lines.
    with open('log.txt', 'a') as log:
        return subprocess.call(['/usr/bin/tshark', '-r', pcap], stdout=log)

directory_loc = "/warehouse"
file_list = []
for path, subdirs, files in os.walk(directory_loc):
    for name in files:
        file_list.append(os.path.join(path, name))

# Parallel computation:
nproc = 3       # maximum number of simultaneous processes desired
                # (available cores - 1 is preferable after testing)
results = pprocess.Map(limit=nproc, reuse=1)
parallel_function = results.manage(pprocess.MakeReusable(wshark))
for args in file_list:
    parallel_function(args)           # queue one job per capture file
parallel_results = results[0:len(file_list)]   # blocks until every job has finished
print("It took %.1f seconds" % (time.time() - start))
```

The quick and dirty explanation is as follows:
Imports are pretty standard, apart from pprocess, which provides easy multi-process management. I then define a function wshark which accepts one argument, a filename from a pre-populated list. The function uses the standard-library subprocess module to fire off a system process (one tshark run per file).

stdout=open('log.txt','a') sends the standard output of each tshark run to a file named log.txt, opened in append mode; because several worker processes append to that one file at the same time, their output can interleave, so make sure each tshark line is recognisable on its own. file_list is populated with every file found under a directory named /warehouse.

Now the pprocess magic starts. My knowledge here is functional only, so I will hopefully relay that functional approach here.

nproc = 3 sets the number of worker processes to run in parallel (from experience, available cores minus one is preferable, which leaves a core for the parent process and the OS).

results = pprocess.Map(...) hands the parallel management over to pprocess. limit=nproc caps the number of active processes, while reuse=1 lets pprocess recycle worker processes as they finish rather than spawning a fresh one for every job.

The loop over file_list hands each filename to the managed wshark function, which queues one job per file and returns immediately; the actual work happens in the worker processes.

The last bit had me stumped for a while, but here is what you need to know to get this working. If you are blowing through a list like I am, then parallel_results = results[0:len(file_list)] will do it for you. Indexing or slicing a pprocess.Map blocks until the requested results are available, so slicing the whole range is what makes the script wait for every job to complete before it carries on.

Finally, the last line will tell you how much time you saved with this great method!
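The same fan-out pattern using only the Python 3 standard library, as an added example that is not the post's script. Worker threads are sufficient here because the heavy lifting happens in the child processes and subprocess calls release the GIL while they wait. The tool is passed as an argv list rather than a shell string, so a crafted filename in the capture directory cannot inject commands; each worker captures its own output so log records are written by one writer and never interleave; and a missing tool or non-zero exit is reported per file instead of aborting the whole batch. DEFAULT_TEMPLATE and the /warehouse path are placeholders modelled on the post (the post's actual tshark options are not known), and the "{pcap}" substitution token is an assumption of this example.

```python
import os
import subprocess
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

# Hypothetical tool invocation: one argv element per list entry, with the
# literal "{pcap}" replaced by the capture path. No shell is involved, so a
# hostile filename under the capture directory cannot inject commands.
# The real job would add the tshark options the post used; they are unknown here.
DEFAULT_TEMPLATE = ["/usr/bin/tshark", "-r", "{pcap}"]

def default_workers():
    """The post's rule of thumb: leave one core for the parent and the OS."""
    return max(1, (os.cpu_count() or 2) - 1)

def find_files(root):
    """Recursively list files under root, sorted so runs are reproducible."""
    found = []
    for path, _subdirs, files in os.walk(root):
        for name in files:
            found.append(os.path.join(path, name))
    return sorted(found)

def run_one(template, pcap):
    """Run the tool on one file and capture its output instead of sharing a log handle."""
    argv = [a.replace("{pcap}", pcap) for a in template]
    try:
        proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    except OSError as exc:   # tool missing or not executable: report, don't abort the batch
        return {"file": pcap, "rc": -1, "stdout": "", "stderr": str(exc)}
    return {"file": pcap, "rc": proc.returncode,
            "stdout": proc.stdout.decode("utf-8", "replace"),
            "stderr": proc.stderr.decode("utf-8", "replace")}

def run_parallel(template, files, nproc=None):
    """Fan the single-threaded tool out over files, at most nproc at a time."""
    nproc = nproc or default_workers()
    results = []
    with ThreadPoolExecutor(max_workers=nproc) as pool:
        futures = [pool.submit(run_one, template, f) for f in files]
        for fut in as_completed(futures):
            results.append(fut.result())
    results.sort(key=lambda r: r["file"])   # deterministic order regardless of finish time
    return results

def write_log(results, log_path):
    """Single writer: append every record with its filename so nothing interleaves."""
    with open(log_path, "a") as log:
        for r in results:
            log.write("=== %s (rc=%d)\n%s" % (r["file"], r["rc"], r["stdout"]))
    return len(results)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/warehouse"
    start = time.time()
    res = run_parallel(DEFAULT_TEMPLATE, find_files(root))
    count = write_log(res, "log.txt")
    failed = [r["file"] for r in res if r["rc"] != 0]
    print("processed %d files in %.1f seconds, %d failed" % (count, time.time() - start, len(failed)))
```

Because the results list carries the return code and stderr per file, a capture that tshark could not parse shows up as a failed entry at the end instead of silently vanishing into a shared log.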

Wednesday, 3 August 2011

Jooma-Autoheal v0.01 - White blood cells for Joomla injection redirect


Joomla and WordPress are excellent for rapid deployment and giving a customer something usable, very quickly, with minimal effort, and they are particularly good for family members and friends who ask you for help with an idea for a website. Unfortunately the cons (meaning vulnerabilities) often outweigh the pros of J and WP.

Updates are frequent, but if your Joomla deployment is for friends and family that have loaded extensions and plugins from all over the show, you need to really dedicate some time to making sure they are all up to date and secure, or else it is only a matter of time till you get hacked by some script kiddie - which is exactly what happens to me every now and then.

My Joomla platform hosts some websites that people in my personal life have asked for my help with, and not being a professional website admin, and having a demanding job in security, I do not have the time to watch over these sites like the security hawk they need. The sites are often behind on their patches because the site owners know very little else about the back end except how to make a post or upload an image, so the numerous plugins and extensions that have been loaded stay at the inevitable vulnerable version number.

So, every now and then I'll log into the site via a Google search and see that it now redirects to some malicious site, which tries some other attack vectors against the browser. Not great...

The culprit is a write-access vulnerability somewhere in Joomla core/extensions/plugins that allows the attacker to insert a string that redirects HTTP requests referred from Google to a compromised web server. Because only visitors arriving from a search engine are redirected, the site owner browsing to the site directly never sees it. The redirect is also encoded in Base64, meaning that it can be quite difficult to track down the first time it happens to you.

What I have done to address this is to write a script that automatically checks my web server directories for the malicious base64 code and attempts to remove it from the file, cleaning the infection.

This is far from perfect, but the reality is that I do not have the time to admin these sites, and I am sure that there are a lot of other IT professionals that have the same problem. It is for that reason that I have uploaded the script to Pastebin, where you can copy it and drop it into your cron.
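The check and clean-up this post describes, as an added example that is not the author's Pastebin script: it walks a web root, finds eval(base64_decode("...")) blobs in .php files, decodes each one and only treats it as the Google-referral redirect when the decoded PHP both inspects HTTP_REFERER for "google" and issues a redirect. Decoding and inspecting, rather than grepping for one known base64 string, catches re-encoded variants and spares legitimate (if ugly) base64-wrapped extension code. Infected files are copied aside before the statement is cut out, so evidence survives. The regex, the heuristic and the SAMPLE_PAYLOAD are all constructed for this example and are not taken from a real infection.

```python
import base64
import os
import re
import shutil

# eval(base64_decode("...")) with either quote style, optional whitespace and
# an optional trailing semicolon. Constructed pattern: real injections vary.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?""",
    re.IGNORECASE)

def payload_is_redirect(decoded):
    """Assumed heuristic: the decoded PHP keys on a Google referer AND redirects."""
    d = decoded.lower()
    checks_referer = "http_referer" in d and "google" in d
    redirects = ("header(" in d and "location" in d) or "window.location" in d
    return checks_referer and redirects

def find_injections(php_source):
    """Return (match, decoded_payload) for every eval/base64 blob that redirects."""
    hits = []
    for m in EVAL_B64.finditer(php_source):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", m.group(2)))
        except ValueError:            # not valid base64 after all; leave it alone
            continue
        decoded = raw.decode("utf-8", "replace")
        if payload_is_redirect(decoded):
            hits.append((m, decoded))
    return hits

def clean_source(php_source):
    """Cut the injected statements out; returns (cleaned_text, number_removed)."""
    hits = find_injections(php_source)
    out = php_source
    for m, _ in reversed(hits):       # right to left so earlier offsets stay valid
        out = out[:m.start()] + out[m.end():]
    return out, len(hits)

def clean_tree(root, backup_suffix=".infected"):
    """Walk a web root; back up and rewrite every infected .php file.
    Returns [(path, removed_count), ...]. This removes the payload only: the
    write vulnerability that let it in is still there until the site is patched."""
    cleaned = []
    for path, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(path, name)
            with open(full, "r", encoding="utf-8", errors="replace") as f:
                src = f.read()
            new_src, n = clean_source(src)
            if n:
                shutil.copy2(full, full + backup_suffix)   # keep the evidence
                with open(full, "w", encoding="utf-8") as f:
                    f.write(new_src)
                cleaned.append((full, n))
    return cleaned

# Constructed sample of the injection the post describes (not real malware):
# redirect only visitors arriving from Google, so the owner never notices.
SAMPLE_PAYLOAD = ('if (stripos($_SERVER["HTTP_REFERER"], "google") !== false) '
                  '{ header("Location: http://redirect.example/"); exit; }')

def make_sample_injected():
    """A constructed Joomla-style file with the payload prepended, for testing."""
    blob = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    return ('<?php\neval(base64_decode("%s"));\n'
            'defined("_JEXEC") or die;\necho "legitimate page";\n' % blob)

if __name__ == "__main__":
    import sys
    for path, n in clean_tree(sys.argv[1] if len(sys.argv) > 1 else "/var/www"):
        print("cleaned %d injection(s) from %s" % (n, path))
```

Run it from cron against the web root, and keep the .infected copies: they tell you which extension was writable, which is the hole that actually needs fixing.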