Sunday, November 23, 2014

Flare-on update

I made it to the sixth piece of the Flare-on challenge before life kept breaking up work on it into 20 minute blocks. Things to learn before I could do it: my copy of IDA 6.1 can't create signatures for x64 binaries, what a statically linked/stripped ELF is, how to identify syscalls, and how to manually map the libc source onto a statically linked ELF.

Well, after accomplishing these steps I located the user code in challenge 6 and managed to quickly extract an apparently base64 encoded buffer. When I decoded it, I thought it was garbage. Fast forward over two weeks, turns out that was exactly correct. It is executable code though! OMG!
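The "how to identify syscalls" step from the list above, as an added example that is not the author's code and is not part of the challenge: a small Python heuristic that scans raw x86-64 code bytes for the SYSCALL opcode (0F 05) and pairs each hit with the number loaded into eax/rax just before it. It assumes x86-64 Linux, the tiny syscall table and opcode patterns are the example's own (extend from the kernel's syscall table for real work), and the sample bytes are constructed.

```python
import struct

# Partial x86-64 Linux syscall table (assumption: only what the sample needs).
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 3: "close", 9: "mmap",
                 60: "exit", 231: "exit_group"}


def _eax_before(code: bytes, pos: int, window: int = 16):
    """Walk back from a SYSCALL at `pos` for the instruction that loaded the
    syscall number. Heuristic patterns handled: mov eax, imm32 (B8 imm32);
    mov rax, imm32 (48 C7 C0 imm32); xor eax, eax (31 C0 / 33 C0).
    Returns the number, or None if no loader is found in the window."""
    start = max(0, pos - window)
    # Scan backwards so the match closest to the SYSCALL wins.
    for i in range(pos - 1, start - 1, -1):
        if code[i] == 0xB8 and i + 5 <= pos:
            return struct.unpack_from("<I", code, i + 1)[0]
        if code[i:i + 3] == b"\x48\xc7\xc0" and i + 7 <= pos:
            return struct.unpack_from("<i", code, i + 3)[0]
        if code[i:i + 2] in (b"\x31\xc0", b"\x33\xc0"):
            return 0
    return None


def find_syscalls(code: bytes, base: int = 0):
    """Return [(virtual_address, number, name)] for every 0F 05 in `code`.
    `base` is the load address of the first byte (e.g. the .text section VA)."""
    hits = []
    pos = code.find(b"\x0f\x05")
    while pos != -1:
        num = _eax_before(code, pos)
        name = "unresolved" if num is None else SYSCALL_NAMES.get(num, "unknown")
        hits.append((base + pos, num, name))
        pos = code.find(b"\x0f\x05", pos + 2)
    return hits


# Constructed sample: three raw syscall stubs, as a stripped static binary
# would carry them inside its libc wrappers.
SAMPLE = (
    b"\xb8\x01\x00\x00\x00"          # mov eax, 1   (write)
    b"\xbf\x01\x00\x00\x00"          # mov edi, 1   (fd = stdout)
    b"\x0f\x05"                      # syscall
    b"\x31\xc0"                      # xor eax, eax (read)
    b"\x0f\x05"                      # syscall
    b"\x48\xc7\xc0\x3c\x00\x00\x00"  # mov rax, 60  (exit)
    b"\x0f\x05"                      # syscall
)

if __name__ == "__main__":
    for va, num, name in find_syscalls(SAMPLE, 0x401000):
        print(f"{va:#x}: syscall {num} ({name})")
```

The backward scan can be fooled when an immediate happens to contain B8 or 31 C0; cross-check any surprising number against the disassembly in IDA before naming the wrapper.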

Hopefully this week I'll find time to see what the code does.

Wednesday, November 5, 2014

FLARE-on Challenges approximately seven hours in

I don't know how much I can say about the content of the FLARE-on challenges, and I wouldn't want to post spoilers anyway. Currently, I'm about seven hours of effort in and some of that was spent resurrecting an old virtual machine.

Five of the seven challenges down, I absolutely recommend these for anyone wanting to work their reversing chops. In presenting the challenge, Mike had claimed that you would see a whole gamut of reversing targets. He was not joking.
If you take on the challenge you might see malicious PDFs, .NET binaries, obfuscated PHP, Javascript, x86, x64, PE, ELF, Mach-O, and so on.
-Mike Sikorski-
I've so far been tripped up by trying to work on x64s in a 32 bit VM, having the wrong version of .NET running in an internet-disconnected box, and needing to get an XP VM with exactly the right version of 3rd party exploitable software to capture a running exploit.

Good times! Let me end with this awesome screenshot from winning Challenge 5.

Saturday, November 1, 2014

FLARE On Challenge - first impressions

At the beginning of the week, FireEye released APT28: A Window Into Russia’s Cyber Espionage Operations. (PDF) Just like then-Mandiant's APT1 report from February 2013, this paper provides an incredible in-depth look at the world of nation state computer network operations (or hacking in media terms). Reading this report drove me to read up more on FireEye, which landed me on Mike Sikorski's June 2014 announcement of the FireEye Labs Advanced Reverse Engineering (FLARE) team.

The FLARE On Challenge

Along with the creation of the new team, Mike was also announcing a reversing challenge / candidate screening: the FLARE On Challenge. The challenge has already completed, but most of my hobbyist reversing tends to be attacking shareware protection, so I figured I'd check it out.

Set up

First, it was time to dust off my virtual machines. Never execute reversing challenges, hack-mes, or live malware on your physical machine. That is just begging for a problem.
The TERMS & CONDITIONS page of the challenge even includes a warning.
I updated the tools in my 32 bit machine and executed C1.exe, which did nothing at all: the file is a 64 bit self-extracting zip. So I do a quick scan of it in IDA64 and then run it... which just pops up an EULA, which is available online too. Oddly enough, I actually stopped to read it, which is what led to this blog. I was so shocked by how odd it was that the EULA display is still up in that VM.
2. Restrictions.  Licensee will not allow any third party to): (i) reverse engineer or attempt to discover any source code or underlying ideas or algorithms of the Software
Emphasis is mine. Copying it to here caused me to re-read it and I now see that the EULA is forbidding me from allowing anyone else to reverse it, rather than forbidding me, but still. I was given a piece of software as an explicit reverse engineering challenge with a license that forbids me from allowing someone to reverse it?

Who Reads These Things Anyway?

I really doubt the intention of the EULA was actually to be read by the participants; rather, it is a CYA popup so that the lawyers can point out that they had warned you. The warning being that it contains this gem:
4.   WARNING: (a) Dangerous Malicious Code - The Software contains dangerous malicious computer code that will cause damage to Your or others computers and/or networks if not used properly.  Licensor is not responsible for the misuse or accidental misuse of this Software and the End-User accepts all responsibility for any damage incurred by the End-User. (b) Safe Environment - The Software should not be run without a safe environment that can easily be restored to a prior state, such as a virtual machine.  The End-User agrees that in no case shall the Software be used by the End-User on production systems or systems that contain sensitive or valuable information. (c) Prohibition on Connecting this Software to the Internet - The End-User agrees that the Software will not be used on systems connected to the Internet due to the risks posed to the machine running the Software as well as the risks posed to the greater Internet.
Well. That is fun. Of course VMWare Player can't snapshot so this is going to require a bit more setup before I continue.

Monday, June 23, 2014

Restoring the Public Trust and Reforming the National Security Agency

Over the past year, there has been significant discussion in the media, amongst private circles, and even in the silence of the Intelligence Community about the revelations of Edward Snowden. Conversations about them have ebbed and flowed from whether the NSA was properly implementing the law, whether the law was properly scoped, whether the law was Constitutional... and so on and so on. This discussion was all focused around the Section 215 of the PATRIOT Act and FISA 702 data collection, which regrettably constituted a trivial sized minority of intelligence work and other internal documents compromised by the breach. I mention all this not because it is the basis of my current thoughts, but a vital piece of background that must be acknowledged.

Additional background necessary to the discussion is the past abuses of the intersection of law enforcement and intelligence. On the behalf of FBI, the NSA monitored international telegraph messages that entered or exited the United States, a project that was codenamed SHAMROCK. SHAMROCK was the continuation of a wartime censorship program that GEN Lew Allen, the Director of NSA, terminated voluntarily when it was questioned. Another program from the same time was Project MINARET, in which the communications of "persons of interest" were monitored. Initially these persons were risks to the safety of the President following the assassination of Kennedy, but the list then expanded into drug traffickers and eventually into domestic dissidents. Rather than being deeply buried, this background information is publicly available from NSA itself. I first learned of these two cases from the baseline oversight training that NSA makes its employees take every single year.

Nationally, we all benefit from the work of the NSA in many ways. Not greatest among their responsibilities, though most controversial, is support to law enforcement, including counter terrorism. This is the relationship that makes the efforts of those hard workers potentially dangerous to the American citizen. It is such a minor aspect of the impact of NSA that we must be careful about how we proceed, lest we discard the valuable intelligence baby with the privacy risk bathwater. Effective intelligence is vital for our legislators and other policy makers, but it doesn't have to come at the cost of citizen privacy.

To have situational awareness about global militaries, militias, governments, and negotiations, the United States requires a significant infrastructure to support such generation of signals intelligence (SIGINT). That SIGINT infrastructure provides vast opportunities for abuse if it were to be misused against the American populace. As such, it is of vital importance that misuse and abuse be proactively prevented and the American populace sufficiently reassured of their safety from it. Two of the current missions of the NSA must be ended: support to law enforcement and counter terrorism. If any SIGINT is actionable against United States citizens, in any manner, then the entire infrastructure poses a real, potential threat to the American populace.

To continue the critically important contributions of the National Security Agency through the 21st century requires the trust and support of the American populace. Because of the increasingly intertwined nature of foreign intelligence related and civilian communications, the use of non-warrant collected data in any court, hearing, arbitration, or the like fundamentally compromises the Constitutional authorization of signals intelligence. Only by explicitly guaranteeing the invalidity of non-warrant collected signals evidence in all American jurisdictions, at every level, for all regulatory and law enforcement purposes can signals intelligence successfully continue into the future.

Unlike the Cold War, American communications travel over the same links as foreign communications. This causes a dilemma for intelligence generation, as it means that when foreign communications are recorded, domestic communications may be recorded incidentally. Without an explicit law forbidding any evidentiary use, the incidental recording of American communications is a danger to citizen liberty. By disconnecting intelligence from all sorts of law or regulatory enforcement, the American people could authorize deeper data analysis for intelligence. Important diplomatic, military, and policy making discoveries could be made, such as robust cyber-intrusion attribution and tracking. Such important protective measures will never, and should never, be allowed if the data can be scanned for or used as evidence of crime. The situational awareness provided to legislators and policy makers leads to better, more accurate laws and regulations, even if the data itself is "worthless."

By: Matthew Molyett
Matthew is a former NSA Cryptologic Computer Scientist and current Congressional Candidate for the 3rd Maryland seat. While employed by the government, he experienced the extensive training on NSA authorities and oversight, as well as the responsibilities placed upon affiliates to comply. The bulk of his activities consisted of performing direct malware analysis through sophisticated reverse engineering techniques and building explicit adversary knowledge through supporting investigations/operations and by collaborating with analysts across the organization. Matthew documented malware findings in technical reporting to enhance a common understanding of an intruder's techniques, tactics, and procedures for the purpose of discovery, mitigation, and exploration. This specifically included developing signatures to detect and mitigate adversary threats to U.S. information systems.

cross posted from

Wednesday, January 1, 2014

2014: The year in which I...

I am starting on a whole new adventure, one in which I will utilize my cybersecurity background and experience. It is a radically different direction than previously travelled and so this blog will go silent for a while.

Thank you, dear readers. I appreciate the thousands of page views on my thoughts and school work. I will likely be taking 2014 off from school work while pursuing this adventure. Happy new year, a year in which you should also try something new.