Siko’s Computer Security Safety Tips

Working in the computer security industry is challenging – especially when you get questions from friends and family asking for computer security advice :). I was recently asked “How do I make my computer impenetrable?”. I responded with “It is impossible to make a computer impenetrable unless you unplug it, pull out the battery, and put 5 nails through the hard drive.”

I ended up thinking about how to respond more reasonably and came up with a list of pro-tips for someone naive in this arena – like my mother. I am posting this to our blog so that I can easily reference it in the future. Plus, I thought you might find it useful for your mother, sister or father’s brother’s nephew’s cousin’s former roommate!!

1. Be Careful – If you get an email from someone you don’t know, don’t click the link or open the attachment. If a friend sends you an attachment or link, open it only if you were expecting it. Don’t install random software from random places on the Internet; “attractive” software that you don’t absolutely need often comes bundled with spyware. People opening or installing things they shouldn’t is one of the biggest problems in information security.

2. Install Updates and Use the Latest Software – Keep your software up to date. If Microsoft Windows wants to install updates, let it (Microsoft releases them on the second Tuesday of each month, plus out-of-band fixes for urgent issues). If iTunes or Adobe needs to update, get the latest version. These updates usually contain fixes for bugs and vulnerabilities. Also use the newest version of a program whenever possible: newer releases carry exploit mitigations that older versions lack and are usually more secure.

3. Passwords – Don’t use simple passwords, don’t reuse a password at multiple sites, and don’t share accounts with others. Instead use a tool like 1Password, KeePass, or LastPass to manage your passwords, and let it generate long random passwords for you.

4. Two-Factor Authentication – This adds a second step to logging in: after your username and password you enter a one-time code generated by an application on your phone. It is much stronger than a password alone because an attacker would need both your password and your phone. Google, Twitter, Facebook, Amazon, and many others already let you log in this way.

5. Encryption – Turn on full disk encryption on every computer, laptop, tablet, and mobile device, so that a stolen device does not give up its data. Also encrypt any data you care about and decrypt it only while you need to use it. A free tool like TrueCrypt can do this on a PC.

6. Perform Backups – Back up your important data often. Apple, Microsoft, and Google’s Chromebooks all ship with programs that do this automatically. Malware can delete your files or encrypt them and hold them for ransom, and systems crash. With a backup you can restore your data easily.

7. Protect Your Cell Phone – Pay attention to the permissions that an application is requesting before installing it and consider whether it’s reasonable for the application to require those permissions. Use a lock screen to ensure someone can’t impersonate you if you lose your phone.

8. Use Less Common Software – Use software that attackers target less. For example, Google Chrome on a Mac is targeted far less than Internet Explorer on Windows 7.

9. Anti-Virus – Anti-virus protects you from many threats, though certainly not all of them. I personally don’t run AV because of how much malware I handle. If you aren’t handling malware, run AV and turn on all of its features, so that the auto-scanning and intrusion-prevention components are active.

10. Don’t Run as Administrator – Run as a non-administrative user on your system. If you run as admin malware can more easily perform its malicious activities.

11. Segmentation – Don’t plug your computer directly into the Internet or the modem. Instead, connect it to a firewall or router that sits between you and your Internet connection and blocks unsolicited inbound connections. Anyone with a Wi-Fi access point already has this in place.

12. Virtual Machines – Use Virtual Machines like VMware Fusion or Workstation when performing tasks that might endanger your machine (like browsing pornographic or malicious websites by choice). By using a virtual machine, you can isolate any infections and then just wipe or reset the virtual machine when you are done.

10 days in the desert – Black Hat and DEFCON bound

I’m excited for my annual 10-day trip to Las Vegas for these big security conferences. Andy and I have a lot of cool events, including the chance for you to WIN A FREE VIP DINNER, so read on:

1. Mandiant is sponsoring a FREE book signing on Wed & Thurs July 25 & 26 from 1-2PM at Black Hat, this will take place in the Trevi Room, Caesars Palace (adjacent to the exhibit hall, Octavius Ballroom). First come, First served, so get there early because they’ll go fast and we’re limited.

2. WIN A FREE VIP DINNER at Bobby Flay’s Mesa Grill with Andy and me on Wednesday night by being one of the first 5 people in line at the book signing on Wednesday, July 25. Get there early, because this is going to be a fun time at a great restaurant. (Note: if you aren’t one of the first 5 you’ll still get a free book until they run out.)

3. Andy is releasing FakeNet 1.0 at the Black Hat Tool Arsenal from 11:45am-12:45pm on Wed and Thurs July 25 & 26. Stop by and check out the tool.

4. No Starch Press is holding a Defcon book signing for us on Friday July 27 at 4pm at the Rio. This will be at the No Starch Press booth, so bring your book or buy a discounted one at the NSP booth at the signing.

5. Mandiant is holding their always fun party at the Shadow Bar in Caesars Palace starting at 7pm on Tuesday 7/24. Make sure you register to attend. I’ll be hanging out at this party, so join me for a free drink.

6. I’ll be teaching a sold out 4-day Malware Analysis class at Black Hat on Saturday through Tuesday (7/21-7/24).

We look forward to seeing you in Vegas!

Buster Sandbox Analyzer adds support for FakeNet

Good news: Buster Sandbox Analyzer (BSA) has just added support for FakeNet. For those of you not familiar with it, BSA is a tool that automatically analyzes the behavior of processes and the changes they make to the system, and then evaluates whether they are malicious. This fully automates all of the basic dynamic analysis you typically perform. Full details and a download of BSA can be found here. BSA works with Sandboxie. Sandboxie is a program that runs other programs in an isolated environment to prevent them from making permanent changes to your system. Sandboxie was designed to allow secure web browsing, but its sandboxing makes it useful for malware analysis too. For example, you can use it to capture the filesystem and registry accesses of the program you are sandboxing. Buster Sandbox Analyzer interfaces with Sandboxie to provide automated analysis and reporting.


Using public DNS servers to bypass DNS filtering

The other day I was looking at a sample that was interesting because of the way it avoided hard-coding an IP address for its callback domain while staying immune to DNS filtering. It would first try to resolve the malicious domain through the host’s built-in resolver; if that failed, it would send the DNS query itself over UDP to port 53 on a public DNS server, bypassing whatever filtering the local resolver applied, and take the answer from there. Read on for more details.


FakeNet Update

We’re releasing an update to the FakeNet tool to version 0.91 which can be downloaded here.  The following improvements have been made:

  • The dummy listener that listens on all ports now automatically detects SSL; if the connection is SSL it decrypts the content and displays it to the user.  This is very useful when malware uses SSL to encrypt traffic to an unusual port.
  • Python is loaded dynamically, so that if Python fails to load because the user does not have the Visual Studio redistributables, the program continues to execute without Python support.
  • An NXDomain feature has been added to the DNS server to return a domain-not-found message for the first n times that a domain is requested.  This is very useful in determining whether a malware sample calls out to more than one domain when the first domain is blocked.
  • An option to write the text that is sent to the console to a text file as well.  Several users have asked for this feature.
  • Improvements in the generated .pcap file.  Some other programs were having trouble parsing the pcap data because the source and destination address were the same.  To resolve this, one end of the connection is recorded as and the other end is recorded as .  Additional TCP handshakes have been added to the packet capture.

As usual we welcome feedback that could be used to improve the quality of this tool.
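The two DNS behaviours described on this page, the sample above that falls back from the host resolver to a direct query against a public server, and FakeNet’s NXDomain option that answers “no such domain” for the first n lookups, are illustrated together below. This is an added example, not FakeNet code and not the sample’s code: it builds and parses real DNS wire-format messages, but the “network” is a pair of callables so it runs offline. The domain names, the 203.0.113.10 and 192.0.2.1 addresses and the n=1 scenario are constructed, and reading the NXDomain counter as a single count across all queries is my assumption about the feature.

```python
import struct

# Minimal DNS wire format (RFC 1035), enough for A-record queries and answers.

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, off):
    labels = []
    while True:
        ln = data[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = ((ln & 0x3F) << 8) | data[off]
            labels.append(decode_name(data, ptr)[0])
            return ".".join(labels), off + 1
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off

def build_query(txid, name):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, one question
    return header + encode_name(name) + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN

def parse_query(data):
    txid = struct.unpack(">H", data[:2])[0]
    return txid, decode_name(data, 12)[0]

def build_response(txid, name, ip=None):
    rcode = 3 if ip is None else 0                   # RCODE 3 = NXDOMAIN
    ancount = 0 if ip is None else 1
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    msg = header + encode_name(name) + struct.pack(">HH", 1, 1)
    if ip is not None:                               # one A record; name is a pointer to offset 12
        msg += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg

def parse_response(data):
    """Returns (txid, rcode, [A-record addresses])."""
    txid, flags, qdcount, ancount = struct.unpack(">HHHH", data[:8])
    off, ips = 12, []
    for _ in range(qdcount):
        off = decode_name(data, off)[1] + 4          # skip QTYPE/QCLASS
    for _ in range(ancount):
        off = decode_name(data, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return txid, flags & 0xF, ips

class FakeDnsServer:
    """FakeNet-style responder: NXDOMAIN for the first n queries it sees
    (counted across all names; my reading of the feature), then the sinkhole
    address so the sample goes on to connect."""
    def __init__(self, sinkhole_ip, nxdomain_first=0):
        self.sinkhole_ip, self.remaining, self.log = sinkhole_ip, nxdomain_first, []

    def handle(self, query):
        txid, name = parse_query(query)
        self.log.append(name)
        if self.remaining > 0:
            self.remaining -= 1
            return build_response(txid, name)        # NXDOMAIN
        return build_response(txid, name, self.sinkhole_ip)

def resolve_with_fallback(name, host_resolver, public_resolver, txid=0x1234):
    """The sample's behaviour: ask the host's resolver, and on NXDOMAIN send the
    same query straight to a public server.  Both resolvers are callables that
    take the query bytes (in the real sample the second is a UDP/53 socket).
    Returns (ip or None, which resolver answered)."""
    query = build_query(txid, name)
    for source, send in (("host", host_resolver), ("public", public_resolver)):
        rtxid, rcode, ips = parse_response(send(query))
        if rtxid == txid and rcode == 0 and ips:
            return ips[0], source
    return None, source

def demo():
    # Constructed scenario: the host's filtering resolver answers NXDOMAIN for
    # the C2 name; the "public" resolver (8.8.8.8 in the real world) answers it.
    c2_ip = "203.0.113.10"                           # TEST-NET-3, constructed
    filtering = lambda q: build_response(*parse_query(q))
    public = lambda q: build_response(*parse_query(q), c2_ip)
    bypass = resolve_with_fallback("c2.example", filtering, public)

    # FakeNet NXDomain with n=1: the first domain looks blocked, so a sample
    # that has a backup domain reveals it on its second query.
    fake = FakeDnsServer("192.0.2.1", nxdomain_first=1)
    contacted = None
    for domain in ("primary.example", "backup.example"):
        _, rcode, ips = parse_response(fake.handle(build_query(7, domain)))
        if rcode == 0:
            contacted = (domain, ips[0])
            break
    return bypass, contacted, fake.log

if __name__ == "__main__":
    print(demo())
```

The defensive point follows directly from `resolve_with_fallback`: filtering at the local resolver only works if the sample cannot reach port 53 elsewhere, so an egress rule that allows UDP/TCP 53 only to your own resolvers turns the fallback into a failed query instead of a bypass.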

Book Signing at SOURCE Boston

I will be signing books at SOURCE Boston.  Mandiant has kindly agreed to sponsor the event.  The first 20 people to stop by the Mandiant table on Tuesday, April 17th from 4:00 to 4:30pm will receive a FREE copy of Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software.  If you don’t make it on Tuesday, don’t worry!  I’ll do it all over again on Wednesday, April 18th from 5:30 to 6:30pm.

Already own a copy? Stop by and say hello.  I would love to hear your feedback and I would be glad to answer any questions you may have.

Book Review: A Bug Hunter’s Diary

This was a fun and fast (<150 pages) read. It was a good book for me to read on vacation because you can read it a chapter at a time. Each chapter is an independent story taking you through the journey of finding a single software vulnerability. The author, Tobias Klein, is someone I already knew of from his website, and we even reference his tool ScoopyNG in Chapter 17 of PMA.

For someone new to and interested in finding vulns, reading this will help you identify your gaps really quickly and also tell you if you are going to enjoy this type of work. If you aren’t very excited by the content, then trust me, you don’t want to be an exploit developer. You really need a background in programming and vulnerabilities to comprehend everything in this book. The appendix doesn’t cover enough for a beginner. Having a couple pages on defining a buffer overflow or type conversion error is enough to refresh someone who has done this before, but not enough to teach someone new to the material. The good thing is that if you want to be good at malware analysis you need the same solid C background that you will need to read this book. Long story short – learn C if you want to reverse or bug hunt!


All About EBP

EBP was designed to provide a “base pointer” for the current function: the prologue (push ebp; mov ebp, esp) saves the caller’s EBP and points EBP at the new frame, so every parameter and local variable sits at a fixed offset from EBP even as ESP moves with each push and pop.  This made it easier to generate assembly and was very beneficial for debugging, because the saved EBP at [ebp] and the return address at [ebp+4] form a linked list of frames that a debugger can follow back up the stack to see what path of function calls led to the current instruction.  However, modern compilers often omit the frame pointer (Visual C++’s /Oy, GCC’s -fomit-frame-pointer) to free EBP as a general-purpose register, so EBP is used as a base pointer less often and tracing back up the stack is more difficult.


Decorating Your Disassembly

When reviewing disassembly, some instructions are more important than others.  You can use a simple script to color the instructions you’re interested in so that they stand out.  Either IDAPython or IDC scripts can do this.  Most professionals use IDAPython for their scripting, but I’ll talk about IDC because it’s available in the free version of IDA Pro and I suspect some of our readers are just flirting with malware analysis and haven’t purchased the full version (also because I have an irrational bias against Python).  The most important instruction I like to highlight is the call instruction, but I also highlight instructions commonly used for data encoding (non-zeroing XORs), anti-VM checks (sidt, sgdt, str, etc.), and anti-debugging (int 3, rdtsc, etc.).  This makes it easier to locate the more interesting code while working through the disassembly.
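For readers with the full version, here is the same idea as an added IDAPython example (the post itself uses IDC; this is not the author’s script). The classification is plain Python so it can be exercised outside IDA on a constructed instruction list; `colour_database()` applies it inside IDA using the IDA 7+ API names. The colour values are arbitrary choices, and sldt, smsw, cpuid and icebp are additions beyond the instructions the post names.

```python
# Colours are IDA's 0xBBGGRR values; the particular shades are arbitrary.
COLOURS = {
    "call":       0xFFD0B0,   # pale blue:   every call site
    "encoding":   0xB0FFB0,   # pale green:  non-zeroing xor
    "anti-vm":    0xB0B0FF,   # pale red:    descriptor-table and cpuid checks
    "anti-debug": 0xB0FFFF,   # pale yellow: int 3, rdtsc
}
ANTI_VM = {"sidt", "sgdt", "sldt", "str", "smsw", "cpuid"}   # sldt/smsw/cpuid added beyond the post
ANTI_DEBUG = {"rdtsc", "int3", "icebp"}

def classify(mnem, op0="", op1=""):
    """Return the category of one instruction, or None if it is not
    interesting.  Operands are the text IDA prints for them."""
    mnem, op0, op1 = mnem.lower(), op0.strip().lower(), op1.strip().lower()
    if mnem == "call":
        return "call"
    if mnem == "xor" and op0 != op1:          # xor eax, eax is just zeroing
        return "encoding"
    if mnem in ANTI_VM:
        return "anti-vm"
    if mnem in ANTI_DEBUG or (mnem == "int" and op0 in ("3", "3h")):
        return "anti-debug"
    return None

def classify_listing(listing):
    """Offline helper: listing is [(ea, mnem, op0, op1), ...]; returns
    {ea: category} for the instructions worth colouring."""
    hits = {}
    for ea, mnem, op0, op1 in listing:
        cat = classify(mnem, op0, op1)
        if cat:
            hits[ea] = cat
    return hits

def colour_database():
    """Run inside IDA: colour every interesting instruction in the database
    and return per-category counts."""
    import idautils, idc
    counts = {k: 0 for k in COLOURS}
    start, end = idc.get_inf_attr(idc.INF_MIN_EA), idc.get_inf_attr(idc.INF_MAX_EA)
    for ea in idautils.Heads(start, end):
        mnem = idc.print_insn_mnem(ea)
        if not mnem:                          # data item, not code
            continue
        cat = classify(mnem, idc.print_operand(ea, 0), idc.print_operand(ea, 1))
        if cat:
            idc.set_color(ea, idc.CIC_ITEM, COLOURS[cat])
            counts[cat] += 1
    return counts

# Constructed listing used when the script is run outside IDA.
SAMPLE_LISTING = [
    (0x401000, "push", "ebp", ""),
    (0x401001, "mov", "ebp", "esp"),
    (0x401003, "xor", "eax", "eax"),             # zeroing idiom: ignored
    (0x401005, "xor", "byte ptr [esi]", "37h"),  # decoding loop: encoding
    (0x401008, "call", "sub_401200", ""),
    (0x40100D, "sidt", "fword ptr [esp]", ""),   # Red Pill style anti-VM check
    (0x401012, "rdtsc", "", ""),
    (0x401014, "int", "3", ""),
    (0x401015, "retn", "", ""),
]

if __name__ == "__main__":
    try:
        import idc  # noqa: F401  (only importable inside IDA)
        print(colour_database())
    except ImportError:
        for ea, cat in sorted(classify_listing(SAMPLE_LISTING).items()):
            print("0x%08x %s" % (ea, cat))
```

Run it from IDA’s script file dialog (File > Script file) to colour the whole database; outside IDA it just prints the classification of the constructed listing, which is how the rules can be tweaked without reloading a database each time.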
