29 January, 2010

這到底是不是故意貼出來炫耀的?

Standard

以下八卦由 j4ck 大大獨家提供。

NOSEC 官方有則來自某網誌對於 iiScan 的評價:

iiScan_news_from_japan_at_nosec.org

以下感謝網友智乃提供精闢的中文翻譯:

Invitation Code是必要的嗎? 在某ML流傳著某個傢伙已經使用完了
因為想用看看這個工具,所以想打聽看看
問問看的話會有怎樣嗎? 中國製的工具之類的真的很可怕嗎?

Blog 文章的內容是某日人網友擔心中國製的都是黑心產品!

難道這位使用 root 帳號登錄的網站維護人員沒注意在看嗎?

我論漏洞挖掘的難度與態度

Standard
引用:中華電信:上週微軟漏洞 防毒軟體難偵測後門
所謂0day漏洞便是作業系統廠商尚未推出修補程式,在這次攻擊手法中,幾乎所有版本IE瀏覽器在攻擊發生時皆受影響,且經過測試各家防毒軟體的偵測能力,大部分防毒軟體皆無法偵測該植入的後門程式,對於使用者的威脅指數非常巨大。
我想大概是因為 MS 的程式是封閉源碼的,所以只能用 Black-box 來進行 Fuzzing 的動作,這點防毒軟體實驗室實在不比坊間駭客來得有優勢(其實就是黑帽與白帽的相互較勁),加上那些大廠規定假如發現重大威脅都不能隨便公報(不能公報沒成就感阿...),因為正式的 Advisor 都有跟他們簽署 NDA(Non-Disclosure Agreement) 保密協議,我想多數人如果有找到弱點通常都先丟黑市賣錢吧!現在有看到 Exploit 幾乎都是被玩好幾手,玩到 Vendor 有心力 Handle 之後才會丟出來,如此以求能縮短蔓延時期的時間長度。
迷:如果真的都有簽署 NDA 的話,我覺得應該會先自由心證(內心的自我抗戰!),然後才決定是否告知 Vendor 一聲,所以把 NDA 的定義套用在這裡也似乎覺得荒謬:
A non-disclosure agreement (NDA), also known as a confidentiality agreement, confidential disclosure agreement (CDA), proprietary information agreement (PIA), or secrecy agreement, is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to by third parties. It is a contract through which the parties agree not to disclose information covered by the agreement.
Vendor: You must promise DO NOT leak any information but keep it confidential.
And then, Advisor told the third party similar word again.
And and then, the third party applied the same policy on the fourth party.
And*N then, ……
Thus, the proverb goes, “Bad news has wings”.

「瓜田李下」大家都聽過吧?

Standard

引用:中國網攻Google 證據被掌握

自從Google發佈遭駭客攻擊以來,多家電腦安全公司均表示支持Google認為此舉出自中國政府的說法,不過大都無法提出有效證據,但現在情況已經有改觀;《紐約時報》週三報導,一名美國的電腦安全研究人員,說他已經發現他相信是強有力的證據,證實被用在攻擊Google的軟體程式上,有中國程式設計師的數位指紋

因為我對這則新聞很好奇,所以尋線找到那所謂美國安全研究人員的實驗室網誌,在該篇分析報告發現以下訊息:

There are many different CRC algorithms and implementations of those algorithms, but this is one I had not previously seen in any of my reverse-engineering efforts.

「只此一家,絕無分號」的 CRC 演算法實做。

The full paper was published in simplified Chinese characters, and all existing references and publications of the sample source code seem to be exclusively on Chinese websites.

整篇 Paper 用簡體中文寫作且只在中文網站找得到。

This information strongly indicates the Aurora codebase originated with someone who is comfortable reading simplified Chinese. Although source code itself is not restrained by any particular human language or nationality, most programmers reuse code documented in their native language.

讀中文最輕鬆的首先就懷疑是華語人士吧?

多數人寫程式都會用他們的母語當註解吧?

所以最後的結論是:

(in light of the harsh penalties we have seen handed out in communist China for other computer intrusion offenses), this creates speculation around whether the attacks could be state-sponsored.

在稍早的幾個計算機犯罪事件中,中共當局都是嚴加處置,所以有可能是因為國家資助才造成這次的局面!

題外話:對岸隱藏的策略越來越先進,我還記得之前在分析的樣本發現過下面這種程式片段:

Malware_ZongCan

Google_ZongCan

看來在**單位作程式研發連資料夾的名稱都不能亂取,萬一編譯之後存在 Binary 中,事情就大條了。

MS COFEE 工具疑似洩漏

Standard

Last November, the code for Microsoft's Microsoft's COFEE (Computer Online Forensic Evidence Extractor) forensics tool was leaked to the Internet. COFEE is distributed free to law enforcement agencies all over the world and used to gather digital evidence from computers that are seized in connection with criminal activity. Microsoft does not make it available to those outside the law enforcement community.
http://www.crunchgear.com/2009/11/06/siren-gif-mic...ernet/

Then in December, several sites reported on the release of software called DECAF that could detect the presence of  imageCOFEE  and delete its files and processes as well as clearing its log files. You can read more about DECAF here:
http://www.theregister.co.uk/2009/12/14/microsoft_...decaf/   

On December 18, that first version was pulled by its makers and it was labeled as fake. Now a new version, DECAF 2, is out there. The new version doesn't limit itself to COFEE, but also detects other forensics software including EnCase, Helix, Forensic Toolkit and more. DECAF developers say the first version did work and was removed because of legal concerns, and that they were trying to raise awareness for 「better security and more privacy tools.」
http://www.thetechherald.com/article.php/200953/50...unched

下載資訊:http://www.xun6.com/file/631805d12/COFEE-Microsoft+tools.rar.html