Monday, December 19, 2011

Tools and News

So first an announcement. At the beginning of December (or close to that) I left my previous position and went back to KoreLogic Security, where I will be working to start up their malware services group, amongst other things. While I am definitely missing my old co-workers, this is a good move for me. Look for some interesting posts here.

A few weeks ago I tweeted: Want to find out how good someone is? Take away all their tools and say, "Now do it.". I wanted to make expand upon that because I got into a good discussion with @jwgoerlich and @rogueclown concerning it, and its hard to really explain what you mean in 140 characters or less.

A few years ago, Harlan Carvey posted about "Nintendo forensics". This was a statement that the forensic industry was becoming more "point and click" and analysts were understanding less and less of what the tools were doing. While some signs have pointed that this is starting to become less prevalent, I believe there are still niches in security where this is either in full-force or starting to become more so.

Fast forward to the present. In the last few weeks I've been building my new work computer while analyzing malware as I get the time. Unfortunately, I do not have all the tools I am used to since I'm waiting for things to be purchased, arrive, etc. This got me thinking - how much do I rely on tools? Could I perform the analysis I needed using that I know?

Now I realize that in information security, or IT in general, its almost impossible to do anything without having tools. Thats not my point - I'm not suggesting that we take away everyone's tools and tell them to analyze malware or perform a pen-test with nothing but a blank OS. Is it possible? I'm sure it is. Would anyone want to? Hell no!

My point was that you never really know how good you are, until you are faced with a situation when you are taken out of your comfort zone and have to rely upon your knowledge and the tools available to you at the moment. I don't always have access to a commercial version of IDA Pro. Does that mean I can't disassemble malware and analyze it? No - I just need to be flexible, use tools that I'm not as used to and use my brain just a little bit more.

I think its a useful exercise in anyone's career to do this. Imagine for a moment that you didn't have the tool(s) you use most in your job - how would you perform your job? What alternatives are available to you and how familiar you are with them? I'm as guilty as anyone else for relying upon specific tools, but this little exercise has helped me look and see where my weak areas are and how I can supplement them.

Perhaps I should have instead tweeted "Want to find out how good you are? Take away all your tools and say, Now do it." That seems to fit my point better.

Wednesday, November 2, 2011

Answers to the NEOISF Crypto Challenge

If you were at the 2011 Information Security Summit last week, you may have come across the Northeast Ohio Information Security Forum's booth and saw the crypto challenge I created for it.

The challenge was a series of three encoded messages, each more difficult than the last. It seemed to be popular as I had printed off 50 copies of the challenge and they were all gone by Friday morning. Only 2 people, that I know of, finished it (although more may have and just not told me).

The first encoded message was:
Olgrf Rapelcgrq Ner Yrff Rnfl!
This was a ROT13 message that when decoded changed to:
Bytes Encrypted Are Less Easy!
The second message was a bit harder.

Tymxmu Svpvwmeh sg xhp fpskwiu ms elf oej

To make it a little easier, a hint was given to use the first letter of every word from the first solution as the key. This was actually another hint that a key was even required to decode the message. The original message had been encrypted using a Vignere Cipher. Decrypting the message, using the key "BEALE" would produce the following message:
Summit Overview of the booklet is the key
The final puzzle was the hardest of all. The encoded message was:

10 11 32 35 177 42 50 54 44 50 42 82 132 71 100 157 54 60 147 66 50 193 3 60 81 100 157 75 36 106

The hint for this puzzle was "Items from the first two solutions will help you figure this one out!" Each of the first two solutions gave some type of clue as to the cipher used for the last one. The first puzzle's hint was the key for the second puzzle: BEALE.

If anyone searched for BEALE, they would have eventually come across the Beale Ciphers, encoded messages that supposedly point to buried treasure. The only message successfully decoded thus far used the Declaration of Independence as a key. To decode it, you find the word corresponding to the number you are given and take its first letter. IE. If you have a 10, find the 10th word and use its first letter. When you put all of these together you get the decoded message.

This is what you would have to do in order to solve the third puzzle. But what book do you use to decipher it? That is where the answer to the second message comes in. The solutions tells you to use the welcome page in the information security summit booklet. By taking the first letter of each word of the corresponding number, you would eventually get the following message:
now there are no more secrets for you

I hope that those who did this found it fun. I'd love to do another next year, but on a bigger scale. If anyone has any suggestions, I'd love to hear them!

Friday, August 19, 2011

Malware Analysis and Malicious Document Analysis Training Courses

This is a totally self-serving, marketing post. Feel free to click that little X in the upper right corner of your browser.

The Ohio Information Security Summit is coming up again from October 27-28 The conference agenda is starting to fill in and lots of great talks look to be scheduled! I will be speaking there with Greg Feezel and the NE Ohio Honeynet Project.

There will also be pre-conference training from October 24-26. There are more classes this year than last year, many of which look great!

I will be giving my 2-day hands-on Malware Analysis training course again this year. It is a 2-day course that covers the basics of malware analysis. The training is geared towards those who have never done, or performed very little, malware analysis. Plus, if you take the 2-day course, you'll get into my new 1-day Malicious Document course for free!

The Malicious Document training course I am doing for the first time this year will cover how to analyze malicious documents (duh). Specifically, I will cover malicious JavaScript, PDFs and touch on malicious Word documents. This is a 1 day course where the students will be very hands-on - analyzing malicious documents from the wild.

If you have any questions on the courses, please feel free to contact me!

Thursday, May 12, 2011

Proactive Incident Response

A little while ago Harlan Carvey posted on Proactive Incident Response. I've been thinking about this for a while, but have a different perspective on Proactive IR than he does. (I agree with his take on it, I just look at Proactive IR differently.)

Computer Incident Response Teams (CIRTs) are often referred to as fire fighters. This analogy is very true - most of the time CIRTs are fighting fires; the fire being a hacked server, a malware outbreak or a targeted phishing campaign. We're often jumping from one problem to the next, determining who got in, how they did it, what damage they caused and how to prevent it in the future. However, is that all CIRTs should be doing?

The CERT Handbook for Computer Incident Response Teams states that CIRTs should offer three different services: reactive, proactive and security quality management services. Reactive services are the fire fighting done on a daily basis. Security quality management services include project and security consulting for other business units; you know, those meetings you get pulled into where they ask you what you think. What about proactive services?

If we look back at actual fire fighters, we see that they don't just spend their time putting out fires. One of their duties is to help fire prevention through education and fire inspections. In the security world, this is analogous to doing user education, vulnerability scanning and penetration tests. This is what proactive services are. But I believe these is another aspect of proactive services that CIRTs tend to miss.

One of my co-workers has coined a term: hunting trips. This basically boils down to proactively looking around the interwebs for attackers you've seen in the past. Since attackers tend to use the same, or similar tools and tactics, indicators of their compromises in other organizations appear if you know where to look. You can then use the new indicators you've just found to check for signs of compromise in your network.

Where can you look? Anywhere that information on security analysis can be found. This includes blogs, twitter, forums, online sandboxes, AV signature descriptions, etc. All of these places (and more) have information you can use to tie attackers to new attacks and malware they are using.

Of course, I wouldn't recommend hand-searching each of these places for information. Google is the obvious place to start, but be prepared to get back hundreds of results (at best) that are not of interest to you. I would recommend using the Google Malware Analysis Search, created by those behind the Hooked on Mnemonics Worked for Me blog, that narrows Google's search to 75 different security sites and feeds.

So, an example so this might actually make sense. In the last few days there has been an uptick in spammed emails that contain a link to a zip file named Within this file is a SpyEye trojan. Analysis of the trojan shows that it drops itself as c:\recycle.bin\recycle.bin.exe (which to my knowledge is not a default location for SpyEye). This location is fairly unusual and can be a good indicator to use on a hunting trip.

Using the Google Malware Analysis custom search to look for "recycle.bin.exe", we come across a ThreatExpert report from March 2011 for the same filename being dropped for a SpyEye trojan. The TE report also shows that it attempts to contact for its C&C server. We now have a new indicator to search our network for and to go hunting with.

This is a very simple scenario, but demonstrates the usefulness of performing information gathering to find additional indicators. I have a feeling most CIRTs are not doing this and would benefit greatly from setting aside time to make sure this is done.

Thursday, January 20, 2011

Wanna be a mule?

Its been a while since I've posted and I apologize. As things get busy I find I have less time to post on there. However, one of my new year's goals is to post more so there should be more in the coming weeks.

I received an email today from my mother who received an email for a job and wanted to know if its legit. After skimming it my alarms went off and were soon verified. To be honest, I've always heard about money mule job requests but have never seen one so I found it interesting.

I'm currently trying to get mail headers to see where it actually came from. It is nice to know they offer insurance and a 401K. :)

From: "Ella D Dickinson"
Subject: RE: [1] Message from Careerbuilder: You have received a new job opportunity
Date: Wed, 19 Jan 2011 23:49:34 -0000


Please allow me to introduce myself: my name is Ella D. Dickinson and I am the International Human Resource Manager of Medline Financial Industries PLC I am pleased to inform you that we have an open position for you within our company.

Medline Financial Industries PLC was founded in 1980 and has quickly grown to be one of the largest resellers of medical equipment and apparatus in the United Kingdom as well as in the rest of Europe. We work exclusively with hospitals and other medical companies and groups supplying several hundred types of products ranging from surgical needles and syringes to EKG and MRI machines and everything in between. We have dozens of agreements and contracts with top manufacturers around the world such as GE Healthcare, Medtronic, Baxter International, Cardinal Health, Tyco Healthcare, Siemens Medical Solutions, Philips Medical Systems, Zimmer Holdings, et cetera. Our company has grown very fast during the last few years so now we have expanded our market and business to the United States as well. As such we have a big number of openings in almost every state and we are looking for dedicated and hard working individuals to work for us and help us expand.

The reason for our success is the fact that we are able to meet our customer's demands wherever and whenever. We are very flexible and we can honor our orders when others cannot. This is due to the fact that we accept almost any type of payments and we have a very fast delivery system which combined with the great customer support we provide took us to where we are today. We take great pride in what we do because it is not always easy to satisfy all customer demands while still processing the orders very fast and receiving payments for the products in a timely manner. This is why we need you and bellow you will find the job description and what is asked of you.


-While performing this job you will encounter no fees to be paid in advance whatsoever;
-No employee from our company will ever ask you for any sensitive information;
-You will not be involved in any contact with our customers;
-Everything you will do is legal under the European Union/United States and International laws as they are currently applied.

Your duties are:

1. Receive payment from our customers. All check will be write in your name. All checks are US checks, no international. You wil receive all checks via USPS (no signature required).
2. Cashing the checks at your existing bank account.
3. Deduct 10% which will be your percentage/pay on each payment processed.
4. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to. (Payment is to be forwarded by Western Union Money Transfer).

Your benefits are:

-10% from each check your will process in the first month. Within one month after receiving the first check you will receive $1,000 as fixed salary. This is a commission based job, the faster your process orders the more your income will increase. This bonus is given to also cover internet, phone or gas bills. Please note that this salary will be sent after 30 days have passed since you received your first payment to process.

After two months of working for us an increase to 15% commission from all payments might be applied to your contract if you process and send all the transfers to us in a timely manner. In this case you will be earning around $1,200-1,300 per week as well as the $1,000 salary at the end of the month.

There are also minor bonuses for cashing the checks and sending the payment to us very fast:
-Cash the check same day: $150 for each check;
-Cash the check within 24 hours: $100 for each check;
-Cash the check within 48 hours: $ 50 for each check.

The $1,000 salary will be sent to you in form of a cashier check.

The today's situation on the financial market requires us to open and fill several of these job positions within our company; the job opening is that of a Representative within the US. This opening will help our company to reduce the time it takes to receive funding from orders that we receive each month. And we offer you one of the highest incomes on the market today and the minimal expenditures of time.

Presently with the number of orders we have we cannot put them on hold for fear of losing our customers, secondly we cannot cash these payments from the US soon enough, as international checks take about 28 working days to cash anywhere in Europe. We lose a lot of time and money each month because we have money transfer delays. Our clients could pay us where we want by sending checks to an US address. What we need you to do is to provide us an address where you can receive our customer checks. We need someone who can receive the money through this method of payment. Regarding the check process all you have to do is to receive the checks our customers will send to your address, take them to your bank, cash them and send the remainder amount to us after deducting all fees incurred and your commission. All fees for transferring the funds will be supported from our share. Bonuses will apply for cashing checks within 24 hours upon receiving a check. You will always take your commission upfront.

We make direct contact for sales of products. Once orders are received and processed we deliver the product to our customer (usually through USPS). The customer receives and checks the product and proceeds to send the payment. We accept all forms of payment but most of our customers pay using Bank Checks and so to solve this problem and not lose any of our customers we have decided to open this new job position. This job is legal according to the U.S. legislation as it is today. Local money transfers take but a few hours, so it will give us a possibility to get customer's payment almost immediately.


For example you receive a check as payment for 3000.00 USD, you deduct your commission (10%): 300.00 USD and then send to us the balance: 2700.00 USD. In the first month you will receive around 15-20 orders under 3,000.00 USD to process and after checking your performance records during that first month the orders you will receive, may increase from 3,000.00 upwards to 6,000.00 USD. For example 20 transactions each around 3000.00 USD gives you a total income of 6,000.00 USD per month and after establishing a close co-operation with us you'll be able to operate with larger orders and you'll be able to earn more. You will also deduct fees that are related to this job (gasoline, western union fees, bank commissions, etc) from our balance, not from your commissions. At first the checks you will receive will vary from: $500.00 to $3,000.00. We will also send you a 1099 Form for tax deduction on
your part. Our payments will be issued out in your name and you can have them cashed in your existing bank account, we don't accept newly created bank accounts because it slows the cashing process. Deduct your percentage and forward the balance to the company attorney manager via a western union money transfer, the name will be given to you later after cashing a payment.

This job takes only 3-7 hours per week. You'll have a lot of free time for taking up another job; you'll get good income and a regular job. This job is very challenging and you should understand it. We are looking only for the employee who satisfies our requirements and will be an earnest assistant.

We have health insurance and the 401K retirement savings plan as well as all the other standard benefits that a major company usually provides. Unfortunately we can only start talking about this after the first month has passed since you're working for us. We consider the first month as a trial period. In any case you do not have to pay for anything in advance; there are no hidden costs for performing this job. Any fee you might encounter will be deducted from our share of the funds before you send it to us.

You will receive next instructions step by step.

Unfortunately we cannot setup any interviews now, as we do not have any representatives in US. We will be able to come to meet within the next few months when the new offices will be opened in your area!

Please let me know if you are still interested. Within 24 hours after we will receive this information we will forward you a copy of the contract you have to fill in, sign and e-mail back to us.

Ella D. Dickinson
Medline Financial Industries PLC
Euston Road, London, NW1
United Kingdom
FAX 011-44-132-656-8743