Silicon Shecky

Infosec Practitioner


Perfect Imperfection

September 13, 2018 By Michael Kavka

Taking a moment this week to look at something that hits us all and affects our work: perfection. Somewhere along the line, we all want the perfect solution, the perfect answer, the perfect response. We strive to make no mistakes, see everything, and expect our solutions to do the same. There is nothing wrong with this as long as you keep perspective; otherwise it contributes to the mental health and stress crises that we see.

Think of this: the imperfections in the world are what allow us to move forward. Without the mistakes, the imperfections, we would be living in a static, boring society. There would be no reason for us to worry about security, since it would already be perfect. There would also be nothing to learn from. See, mistakes are fine, as long as you learn something from them. What we deem as failures are learning experiences and chances to move forward. We have to learn not to overstress ourselves about these things. The more we stress out, the less efficient our minds become and the more we start feeling like imposters.

Maybe it is just time for all of us to take a step back. Maybe take a step forward. Then a step back, and another step forward, and Cha-Cha our way along. It would be a lot more fun, and hopefully we won’t lose sight of the simple things.

Filed Under: General

ALPC Bug and Carbon Black Defense

August 28, 2018 By Michael Kavka

So with the drop of the ALPC 0Day (as of writing this), I decided to test the PoC on a machine running CarbonBlack Defense to see if the company I work for would be protected.

I started out with the write up from DarthSidious and followed his instructions to test.

Basically it was: open Process Explorer, download the PoC from GitHub, open a command prompt and Notepad, get the PID of Notepad from Process Explorer, and then watch the spool service for sub-processes (namely cmd.exe running as SYSTEM).

As you can see, if you look at DarthSidious’ post, it looks almost the same. There is an extra line that says “Couldn’t create remote thread 5.” This is interesting, so let’s look at Process Explorer. In the post from DarthSidious, at this point there is a cmd.exe subprocess of spoolsv.exe running as the user NT AUTHORITY\SYSTEM. If the injection had worked, that should be the case here too, but when I looked at the spoolsv.exe service I saw this:

No sub-processes. Looks completely normal.

At this point I double-checked that I had done everything exactly the way the blog post said to, and I had, so I went into the CarbonBlack Defense console and immediately saw the following:

I know, it doesn’t say much other than that an attack was stopped. Still, it is a promising thing to see when testing. Clicking through the link to the potential malware gave me the following, though:

Ah ha! It sees the PoC try to inject and hit a deny policy. So it did stop it, but let’s look a little further into the information CB Defense gives us:

Here we can see the process layout, with the injection from the PoC shown as a dotted line. The summary shows that InjectDLL.exe is completely unknown and that CarbonBlack stopped the injection. If we go into the investigate area from the block notification, we see the following:

The items I found interesting from all of this were not just the TTPs, but that it saw the full command line and showed that the attack stage was trying to deliver an exploit. From here I could take the hashes, put them up on VirusTotal, manually enter them into any protection service and pass the information onward. Not that it would protect you, because any change or different file trying to use the exploit will change the hash. The bigger deal to me is that it stopped the attack with no other information than it being an unknown file that tried to inject code.
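As an added example (not the post’s own code and not Carbon Black’s detection logic), here is the distinction the paragraph draws, in Python: a hash-based rule that only matches the one PoC binary already submitted, beside a behavioural rule keyed on the spoolsv.exe-spawns-cmd.exe-as-SYSTEM chain the post watched for, both run over constructed Sysmon Event ID 1-style process-creation records. The hashes, paths and user names are made up.

```python
import ntpath

# SHA256 of the one PoC binary already submitted to VirusTotal (constructed placeholder).
KNOWN_BAD_HASHES = {"0000aaaa" * 8}
SHELLS = {"cmd.exe", "powershell.exe"}  # shells the Print Spooler has no business launching

# Constructed Sysmon Event ID 1-style events: 1-2 mimic the post's run, 3-4 are the same PoC recompiled (new hash).
EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "User": r"CORP\alice", "CommandLine": "explorer.exe",
     "Hashes": "MD5=" + "aa" * 16 + ",SHA256=" + "11" * 32},
    {"Image": r"C:\Users\alice\Desktop\InjectDLL.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice", "CommandLine": "InjectDLL.exe 4242",
     "Hashes": "SHA256=" + "0000aaaa" * 8},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "cmd.exe",
     "Hashes": "SHA256=" + "22" * 32},
    {"Image": r"C:\Users\alice\Desktop\inject2.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice", "CommandLine": "inject2.exe 4242",
     "Hashes": "SHA256=" + "33" * 32},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "cmd.exe",
     "Hashes": "SHA256=" + "22" * 32},
]

def sha256_of(event):
    """Pull the SHA256 out of Sysmon's comma-separated 'Hashes' field."""
    for part in event["Hashes"].split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None

def hash_rule(event):
    """IoC-style match: fires only on binaries whose hash we already know."""
    return sha256_of(event) in KNOWN_BAD_HASHES

def spooler_shell_rule(event):
    """Behavioural match: spoolsv.exe spawning a shell as SYSTEM, whatever binary caused it."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    return (parent == "spoolsv.exe" and child in SHELLS
            and event["User"].upper() == r"NT AUTHORITY\SYSTEM")

def triage(events):
    """Return the event indices each rule flags as (hash_hits, behaviour_hits)."""
    hash_hits = [i for i, e in enumerate(events) if hash_rule(e)]
    behaviour_hits = [i for i, e in enumerate(events) if spooler_shell_rule(e)]
    return hash_hits, behaviour_hits
```

The hash rule flags only the first PoC run and misses the recompiled copy, while the behavioural rule catches both spooler-spawned shells, which is the point of the paragraph above.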

I would hope that other EDR products would wind up stopping this attack in a similar fashion; unfortunately, I don’t have others to test. Still, with all the issues I have had with CB Defense, it is nice to see it do its job.

Filed Under: Security Tagged With: 0day, Zero Day, ALPC, CarbonBlack, CB Defense

R.E.S.P.E.C.T.

August 17, 2018 By Michael Kavka

“R E S P E C T! Find out what it means to me” – Aretha Franklin

The recently deceased Queen of Soul sang about Respect. Respect, something that should be given across the board, to everyone until they prove otherwise. Respect, which is one quality that makes people Rockstars in our industry. Respect, something that winds up lacking all too often.

There has been a <expletive> storm going on around Defcon and the hotels about security policies that have been put in place since the mass shooting last October. This has had to do with room checks and the issues with them, especially for women. Now, I am not going to get into it all; you can look at Katie Moussouris’ Twitter timeline to get a full idea of the storm itself. The fact that this woman in our industry, who is not just a “Rockstar” but a huge leader, wound up having to argue with others in our industry about the fears and the way the room checks were handled says a lot about us. It shows why there are movements to protect women, and it shows why women do not want to go into our industry. If someone who should be respected and listened to has to put up so many explanations because people keep belittling her statements and not listening to her, imagine how the women who keep a low profile feel. The funny thing is that Katie (and the others) did not object to the room searches themselves, but to the way they were handled and the blind faith they were supposed to place in a stranger at their door (if they were not walked in on, which has also been documented for both male and female attendees).

Let us frame this another way. Think of the field we are in, and the red team tests that happen. Think of the social engineering. For that matter, look up the National Geographic show that featured Jayson Street performing social engineering in Lebanon. He walks into banks, no ID needed, just saying that he is from X and needs to check X on their computers. Physical pen test complete. We can sit back, listen to his stories from other engagements he has been on, and shake our heads at why people are so trusting without ID. Yet when women in our field, who know all this, tried to verify that the strangers at their door were who they said they were (possibly hotel security), and felt threatened and uncomfortable, we turned around and told them they were wrong to feel threatened? Look at this information from the National Sexual Violence Resource Center:

  • One in five women and one in 71 men will be raped at some point in their lives
  • In the U.S., one in three women and one in six men experienced some form of contact sexual violence in their lifetime
  • 51.1% of female victims of rape reported being raped by an intimate partner and 40.8% by an acquaintance
  • 52.4% of male victims report being raped by an acquaintance and 15.1% by a stranger
  • Almost half (49.5%) of multiracial women and over 45% of American Indian/Alaska Native women were subjected to some form of contact sexual violence in their lifetime
  • 91% of victims of rape and sexual assault are female, and nine percent are male

We are supposed to be security experts. Yes, our main area is that of 1s and 0s, but that does not matter. Security is security. Katie had mentioned ways the situation could have been avoided. Defcon’s organizers are investigating the situations with the hotels. Hopefully something good will come of this in the end, but the lack of trust in fellow information security practitioners is not going to be easily fixed. Those who lashed out at the people complaining about the way these checks were handled might not care about the trust they lost, but I do, because that reflects on our “community” as a whole. It shows that we are not as welcoming as we think. We have a long way to go. We need to learn from this, and fast.

Filed Under: Rants Tagged With: Caesars Palace, Defcon, Jayson Street, Katie Moussouris, Las Vegas, Security
