Sunday, August 30, 2009


It is curious that LogMeIn doesn't require a user to enter their LogMeIn profile information during installation... yet the installed client knows which account it is associated with.
This piqued my interest and I took a peek at the installer file. It seems that LogMeIn uses a VeriSign digital certificate to encrypt information within the installer?

Saturday, August 22, 2009

Inside the mind of a botmaster

Eye-opening article about a botmaster. Freaked out yet?

Saturday, August 15, 2009

UPX discovery

Packers are tools used to compress executables to reduce their file size whilst retaining their executable property. Hackers harness packing as one of the numerous tricks to avoid detection. However, there are times when software authors pack their legitimate tools and thus not all packed executables are malware.
UPX is a popular packer. I packed several files with it and analysed them in a hex editor to try to discover patterns. Lo and behold... the tell-tale signs of a UPX packed file are the UPX strings (i.e. UPX0, UPX1 and UPX!).
Further investigation showed that searching for UPX strings is not reliable, because UPX packed executables still function even if you change the UPX text. A more reliable way of detecting packed executables is the tool PEiD, which identifies UPX packed files by hexadecimal values rather than by the strings.
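The two observations above (the UPX section names are a tell-tale that can be edited away, so a byte-level check is needed) can be shown with a small PE section-table parser. This is an added example, not code from the post or from PEiD; the structural heuristic in upx_by_structure (an empty, writable and executable first section) is an assumption of the example, and build_pe produces constructed header-only samples, not real binaries.

```python
import struct

def parse_sections(data):
    """Return (name, virtual_size, raw_size, characteristics) for every PE section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size                               # section table follows it
    out = []
    for i in range(nsect):
        off = table + i * 40                                 # one IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        out.append((name, vsize, rawsize, chars))
    return out

def upx_by_name(data):
    """The string check from the post: UPX section names or the UPX! marker."""
    names = {s[0] for s in parse_sections(data)}
    return bool(names & {"UPX0", "UPX1"}) or b"UPX!" in data

def upx_by_structure(data):
    """Heuristic assumed by this example (not PEiD's signature): the first section
    is an empty, writable+executable placeholder that the stub unpacks into."""
    secs = parse_sections(data)
    if len(secs) < 2:
        return False
    _name, vsize, rawsize, chars = secs[0]
    rwx = chars & 0xE0000000 == 0xE0000000                   # EXECUTE|READ|WRITE bits
    return rawsize == 0 and vsize > 0 and rwx

def build_pe(names, first_raw=0):
    """Constructed sample: MZ stub, PE signature, COFF header, no optional header,
    then one 40-byte header per section. Header-only, not a runnable binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    body = dos + b"PE\0\0" + coff
    for i, n in enumerate(names):
        raw = first_raw if i == 0 else 0x200                 # UPX0 has no raw data
        chars = 0xE0000080 if i == 0 else 0xE0000040         # RWX placeholder, then code
        body += n.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x10000, 0x1000, raw, 0x400, 0, 0, 0, 0, chars)
    return (body + b"UPX!") if names[0] == b"UPX0" else body

packed = build_pe([b"UPX0", b"UPX1", b".rsrc"])          # typical UPX layout
renamed = build_pe([b".text", b".data", b".rsrc"])       # same layout, strings edited
```

On these samples the name check fires only for the unedited layout, while the structural check fires for both, which is why a hex-editor rename alone does not hide a packer from a tool that looks at the header bytes.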

Tuesday, August 11, 2009


I have been telling my network engineer friends for years that DDoS attacks are impossible to stop regardless of what anti-DDoS vendors tell you. I never believed that some magical algorithm can throttle the flood of network packets originating from a bot army of tens of thousands. How do you withstand a 30Gbps peak of traffic?

Sunday, August 9, 2009

Metadata extraction

Metadata analysis is not new. This topic was revisited at the recent Defcon. Chema Alonso and Jose Palazon presented a tool called FOCA.
I decided to give it a whirl and performed metadata extraction against PDF files hosted on Splunk's website. Besides names of Splunk employees, there was nothing else interesting to discover.

I tested FOCA against the Central Narcotics Bureau's website. Shocker!!! Besides usernames used by CNB, I was able to acquire I/C numbers. I classify this leakage as a high risk considering that the government standardised citizens' login IDs by requiring them to use their respective I/C numbers to access all government websites.

Don't want to install the FOCA software on your machine? You can opt for the online version.

Tuesday, August 4, 2009

Basic malware analysis

I was reading the latest issue of Hakin9 magazine (4/2009). There is an article about harnessing music and videos to attack innocent parties. It struck me as strange that it never occurred to me to use a hex editor to analyse the malicious MP3 file that I studied previously. Lo and behold! I found the URL that is triggered when victims try to play the fake song.

Monday, August 3, 2009

Clickjacking mitigated

I previously blogged about Clickjacking. I came across a new plugin called RequestPolicy that protects users against CSRF attacks and decided to try it against the Zscaler Clickjacking demo. It works like a charm!!!
The high res version of this demo can be downloaded here.

NoScript is another tool to secure against Clickjacking. Neither is for n00bs though... both require some knowledge of what to configure.

Sunday, August 2, 2009

Security by obscurity?

Tired of remembering passwords? You can now "encrypt" files using an image instead of a password. PixelCryptor is a simple tool with an intuitive interface. You choose the file that you want to protect then the image you want to secure it with.

Original file versus the "encrypted" form. It seems to be "encrypted" but I'm sceptical because this tool does not seem to follow any industry standard encryption and does not provide information regarding its encryption methodology. The only hint of what transpires is this statement from their website.
"The pixel data is used to encrypt your data. The combinations are endless and hard to break."

I decided to run tests against PixelCryptor. I converted my original seed image from JPG to GIF format to lose data. PixelCryptor allowed me to use the degraded image to "decrypt". Using a hex editor, I discovered that the full contents of the original file could not be retrieved using the degraded image. This does imply that the tool truly uses pixel information to transform files.

I'm still sceptical about the viability of using images as the seed key. Imagine keeping important files "encrypted" on your flash drive... this would require the owner to store the image needed to "decrypt" on the same drive, and it will only be a matter of time before a malicious person who wants to access those documents figures out what to do.