November 26, 2018

How to Protect Yourself When Shopping Online

Image credit: Pexels
Online shopping safety is a pressing issue for both consumers and business users, especially in the holiday season. As customers flock to online stores to cross off their Christmas wish-lists, cyber criminals look to take advantage of the high traffic and customers looking for the best deal.

Always remember, the Internet is not a governed, safe environment. It’s the wild west. There really are no guarantees to security when shopping online and even big companies can be affected by security vulnerabilities. This blog covers some of the greatest security risks this Christmas season, and gives practical tips to help you shop safely online this year.

November 23, 2018

What We Have Learned About Intel ME Security In Recent Years: 7 Facts About The Mysterious Subsystem

Image: Unsplash
Intel ME has captured the attention of researchers during the last years. There is an air of mystery about the technology. Although it has access to virtually all the data on the computer, and hackers can get total control over the machine if they manage to compromise Intel ME, there are no official documents or guides regarding its use. That is why researchers from all over the world have to deal with the technology on their own.

We have studied Intel ME over the last years, and here is what we have found about this mysterious subsystem so far.

October 15, 2018

Modernizing IDA Pro: how to make processor module glitches go away

Hi there,

This is my latest article on a topic near and dear to my heart: making IDA Pro more modern and, well, better.

Those familiar with IDA Pro probably know that feeling: there are glitches in the processor modules that you use, you don't have the source code, and they are driving you crazy! Unfortunately, not all of the glitches discussed here qualify as bugs, meaning that the developers are unlikely to ever fix them—unless you fix them yourself.

October 11, 2018

Advanced attacks on Microsoft Active Directory: detection and mitigation

Attacks on Microsoft Active Directory have been a recurrent topic of reports on Black Hat and Defcon during the last four years. Speakers tell about new vectors, share their inventions, and give recommendations on detection and avoidance of these vectors. I believe that the IT department is capable of creating a secure infrastructure, which can be monitored by the security department. High-quality monitoring, in its turn, requires good tools. That's like a military base: you have erected guard towers around the perimeter but still keep watch over the area.

How STACKLEAK improves Linux kernel security

STACKLEAK is a Linux kernel security feature initially developed by Grsecurity/PaX. I'm working on introducing STACKLEAK into the Linux kernel mainline. This article describes the inner workings of this security feature and why the vanilla kernel needs it.

In short, STACKLEAK is needed because it mitigates several types of Linux kernel vulnerabilities, by:

  •  Reducing the information that can be revealed to an attacker by kernel stack leak bugs,
  •  Blocking some uninitialized stack variable attacks,
  •  Detecting kernel stack overflow during Stack Clash attack against Linux Kernel.

This security feature fits the mission of the Kernel Self Protection Project (KSPP): security is more than just fixing bugs. Fixing absolutely all bugs is impossible, which is why the Linux kernel has to fail safely in case of an error or vulnerability exploitation. More details about KSPP are available on its wiki.

STACKLEAK was initially developed by the PaX Team, going as PAX_MEMORY_STACKLEAK in the Grsecurity/PaX patch. But this patch is no longer freely available to the Linux kernel community. So I took its last public version for the 4.9 kernel (April 2017) and got to work. The plan has been as follows:

  • First extract STACKLEAK from the Grsecurity/PaX patch.
  • Then carefully study the code and create a new patch.
  • Send the result to the Linux kernel mailing list (LKML), get feedback, make improvements, and repeat until the code is accepted into the mainline.

As of October 9, 2018, the 15th version of the STACKLEAK patch series has been submitted. It contains the common code and x86_64/x86_32 support. The arm64 support developed by Laura Abbott from Red Hat has already been merged into mainline kernel v4.19.

October 2, 2018

Intel ME Manufacturing Mode: obscured dangers and their relationship to Apple MacBook vulnerability CVE-2018-4251

The weakness of "security through obscurity" is so well known as to be obvious. Yet major hardware manufacturers, citing the need to protect intellectual property, often require a non-disclosure agreement (NDA) before allowing access to technical documentation. The situation has become even more difficult with the growing intricacy of chip designs and integration of proprietary firmware. Such obstacles make it nearly impossible for independent researchers to analyze the security of these platforms. As a result, both ordinary users and hardware manufacturers lose out.

One example is Intel Management Engine (Intel ME), including its server (Intel SPS) and mobile (Intel TXE) versions (for background on Intel ME, we recommend consulting  [5] and [6]). In this article, we will describe how undocumented commands (although "undocumented" applies to practically everything about Intel ME) enable overwriting SPI flash memory and implementing the doomsday scenario: local exploitation of an ME vulnerability (INTEL-SA-00086). At the root of this problem is an undocumented Intel ME mode, specifically, Manufacturing Mode.

September 28, 2018

How we developed the NIOS II processor module for IDA Pro


IDA Pro has a well-earned place in the toolkit of security researchers worldwide. We at Positive Technologies are no exception. In fact, we like it so much that we developed a disassembler processor module for the NIOS II architecture to make analyzing code faster and more convenient.

Here I will give a brief history of the project and share what exactly it is that we created.

September 12, 2018

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys

Image credit: Unsplash
Intel has issued a patch in response to a serious vulnerability in Intel ME firmware discovered by Positive Technologies expert Dmitry Sklyarov. The vulnerability involved security mechanisms in the MFS file system, which Intel ME uses to store data. By exploiting this flaw, attackers could manipulate the state of MFS and extract important secrets.

Intel ME (short for "Management Engine") stores data with the help of MFS (which likely stands for "ME File System"). MFS security mechanisms make heavy use of cryptographic keys. Keys differ in purpose (confidentiality vs. integrity) and degree of data sensitivity (Intel vs. non-Intel). The most sensitive data is protected by Intel Keys, with Non-Intel Keys used for everything else. So in total, four keys are used: Intel Integrity Key, Non-Intel Integrity Key, Intel Confidentiality Key, and Non-Intel Confidentiality Key.

August 27, 2018

Machine learning: good for security or a new threat?

Machine learning is no novelty anymore. On the contrary: every self-respecting startup feels compelled to apply machine learning in its offerings. The hunt for scarce developers has been superseded by a scramble for machine learning experts. Fortunately, many machine learning tasks are similar enough that it is possible to save time and money by using pre-trained models. Open-source models are also available free of charge. But does this all really work as well as it seems?

August 10, 2018

Low-level Hacking NCR ATM

Many of the systems that power the modern world are supposed to be beyond the reach of mere mortals. Developers naively assume that these systems will never give up their secrets to attackers and eagle-eyed researchers.

ATMs are a perfect case in point. Thefts with malware of the likes of Cutlet Maker, as well as unpublicized incidents when unknown attackers plugged in their laptop to an ATM and stole cash without leaving any system logs behind, confirm what the security community has long known. There is no such thing as a hack-proof system, merely one that has not been sufficiently tested.

July 30, 2018

Pegasus: analysis of network behavior

Source code for Pegasus, a banking Trojan, was recently published online. Although the Carbanak cybercrime gang was referenced in the archive name, researchers at Minerva Labs have shown that Pegasus actually is the handiwork of a different group known as Buhtrap (Ratopak). The archive contains an overview of the Trojan, its source code, description Russian banking procedures, and information on employees at a number of Russian banks.

The architecture of the Pegasus source code is rather interesting. Functionality is split among multiple modules, which are combined into a single binpack at compile time. During compilation, executables are signed with a certificate from the file tric.pfx, which is missing from the archive.

The network behavior of Pegasus is no less curious. After infection, Pegasus tries to spread within the domain and can act as a proxy to move data among systems, with the help of pipes and Mailslot transport. We focused on the unique aspects of the malware's network behavior and quickly added detection signatures to PT Network Attack Discovery. Thanks to this, all users of PT NAD can quickly detect this Trojan and its modifications on their own networks. In this article, I will describe how Pegasus spreads on a network and how copies of Pegasus communicate with each other.

July 18, 2018

Intel patches new ME vulnerabilities

In early July, Intel issued security advisories SA-00112 and SA-00118 regarding fixes for vulnerabilities in Intel Management Engine. Both advisories describe vulnerabilities with which an attacker could execute arbitrary code on the Minute IA PCH microcontroller.

The vulnerabilities are similar to ones previously discovered by Positive Technologies security experts last November (SA-00086). But that was not the end of the story, as Intel has now released fixes for additional vulnerabilities in ME.

June 14, 2018

Apple fixed firmware vulnerability found by Positive Technologies

The vulnerability allowed exploiting a critical flaw in Intel Management Engine and still can be present in equipment of vendors that use Intel processors.

Apple released an update for macOS High Sierra 10.13.4, which fixes the firmware vulnerability CVE-2018-4251 found by Positive Technologies experts Maxim Goryachy and Mark Ermolov. For more details, see Apple Support.

May 11, 2018

Take Part in PHDays 8 Online CTF

Positive Hack Days 8 will start in a couple of days, and we have lots of exciting stuff not only for participants who will visit the event at the venue. Two online contests (HackQuest and Competitive Intelligence) have already been finished, but we have more to come.

Starting from May 15 and until May 22, PHDays online CTF will take place. Everyone can participate, challenges vary in difficulty, and are mainly aimed at beginners, but skilled professionals will find it interesting as well.

April 4, 2018

Is your Mobile API under silent attack?

How well protected are your mobile apps? Pretty Secure? What about the mobile API they rely on? This could be the weakest link in 's AppSec armor. Data from Positive Technologies’ customers suggests as much as 15% of all traffic to the average mobile API comes from illegitimate sources.

March 19, 2018

We need to talk about IDS signatures

The names Snort and Suricata are known to all who work in the field of network security. WAF and IDS are two classes of security systems that analyze network traffic, parse top-level protocols, and signal the presence of malicious or unwanted network activity. Whereas WAF helps web servers detect and avoid attacks targeted only at them, IDS detects attacks in all network traffic.

Many companies install an IDS to control traffic inside the corporate network. The DPI mechanism lets them collect traffic streams, peer inside packets at the IP, HTTP, DCE/RPC, and other levels, and identify both the exploitation of vulnerabilities and network activity by malware.

At the heart of both systems are signature sets used for detecting known attacks, developed by network security experts and companies worldwide.
We at the @attackdetection team also develop signatures to detect network attacks and malicious activity. Later on in the article, we'll discuss a new approach we discovered that disrupts the operation of Suricata IDS systems, and then hides all trace of such activity.

March 13, 2018

How to assemble a GSM phone based on SDR

The smartphones so familiar to most of us contain an entire communication module separate from the main CPU. This module is what makes a "smartphone" a "phone." Regardless of whether the phone's user-facing operating system is Android or iOS, the module usually runs a proprietary closed-source operating system and handles all voice calls, SMS messages, and mobile Internet traffic.

Of course, open-source projects are more interesting to security researchers than closed-source ones. The ability to look under the hood and see how a particular program component works makes it possible to find and fix errors, plus verify that undocumented functionality is not present. As a pleasant bonus, access to source code helps novice developers to learn from colleagues and make contributions of their own.

March 5, 2018

The First Rule of Mobile World Congress Is: You Do Not Show Anyone Your Mobile World Congress Badge

The biggest event of the telecom industry attracted particularly wide media coverage this year: the King of Spain personally arrived in Barcelona for the opening of the annual Mobile World Congress (MWC 2018), which caused a wave of protests by supporters of the region's independence from Madrid. As a result, newspaper front pages and TV channel prime time are all taken by high tech and telecom innovations against the backdrop of protesting crowds. And it is recommended that all participants and visitors to the Congress should not wear a badge outside the venue for greater security.

February 22, 2018

New bypass and protection techniques for ASLR on Linux

By Ilya Smith (@blackzert), Positive Technologies researcher

0. Abstract

The Linux kernel is used on systems of all kinds throughout the world: servers, user workstations, mobile platforms (Android), and smart devices. Over the life of Linux, many new protection mechanisms have been added both to the kernel itself and to user applications. These mechanisms include address space layout randomization (ASLR) and stack canaries, which complicate attempts to exploit vulnerabilities in applications.

February 2, 2018

Apple fixes security hole in Intel ME discovered by Positive Technologies

Apple has released a security update for macOS High Sierra 10.13.2, macOS Sierra 10.12.6 and OS X El Capitan 10.11.6, that patches a vulnerability in Intel Management Engine found by Positive Technologies experts Mark Ermolov and Maxim Goryachy. Details are available in a security document on the Apple support website.

January 26, 2018

How to Hack a Turned-off Computer, or Running Unsigned Code in Intel ME

At the recent Black Hat Europe conference, Positive Technologies researchers Mark Ermolov and Maxim Goryachy spoke about the vulnerability in Intel Management Engine 11, which opens up access to most of the data and processes on the computer.

Such level of access also means that any attacker exploiting this vulnerability, once bypassed traditional software-based protection, will be able to conduct attacks even when the computer is turned off. New details of the study in our blog post.

January 22, 2018

MySQL grammar in ANTLR 4

The main purpose of a web application firewall is to analyze and filter traffic relevant to an application or a class of applications, such as web applications or database management systems (DBMS). A firewall needs to speak the language of the application it is protecting. For a relational DBMS, the language in question will be an SQL dialect.

Let us assume that the task is to build a firewall to protect a DBMS. In this case, the firewall must recognize and analyze SQL statements in order to determine whether they comply with the security policy. The depth of analysis depends on the task required (for example, detection of SQL injection attacks, access control, or correlation of SQL and HTTP requests). In any case, the firewall must perform lexical, syntactic, and semantic analysis of SQL statements.