Noticed over at Securabit some information on how Microsoft virtualization of Windows XP may re-introduce some previously-thought mitigated vulnerabilities. This includes XP Mode in Windows 7. Historically, some vulnerabilities in XP have been reduced in importance due to other protections such as DEP, SafeSEH, and ASLR. But during some virtualization scenarios, memory outside the normal protected boundaries could still be attacked. In essence, this means in certain situations, an attacker could leverage vulnerabilities and bypass those protections. I’m grossly simplifying this description, so follow the link trail from Securabit to get the details.

Is this a Big Deal? I don’t think so, but it certainly is worth the press/time and is very interesting in concept.

The bottomline for Windows 7 XP Mode is it shouldn’t be relied upon or used terribly extensively. If you need it so an app will work, use it only for that app. Also, this does not mean you can break into the host by popping the guest XP system; this is still just an XP guest issue.

It’s a long story how I got there, but I found this gem of a post over at the pcianswers.com blog. The post by cmark relates his training and experiences as a sniper to that of the motivation and skills of a malicious hacker. I admit, in another life I’d love to give the life of a sniper a try. Not because of the stereotypical “lone gun” persona, but rather because of the patience, intelligence, and autonomy required, which does fit my personality. Some brief quotes:

By evaluating the terrain on a map, we could determine the ‘natural lines of drift’ with some accuracy. Many people may not know this but Humans drift toward the path of least resistance. Humans traveling would naturally drift toward these lines. By understanding these drift lines, you can determine where a patrol will move, get ahead of them and intercept their movement.

Sounds familiar in business as well. In fact, I see this daily from normal users to technical workers to offsite workers to highly skilled software developers. They will drift towards least resistance.

As a sniper, I only need one small mistake. I would wait and watch until a unit made a mistake or exposed a vulnerability. To protect against me, a unit had to be nearly perfect. They had to cover all vulnerabilities and make no mistakes. (does this sound familiar?)

Point well made, from personal experience!

So what is the best defense against snipers or hackers? Quit simply, other snipers or hackers. US sniper doctrine states that the best defense against a sniper is another sniper. They possess the same skills, and mentality and can counter the snipers’ actions and operations.

And there’s the discussion-starter!

Over a year ago, a paper flew out across Full-Disclosure from Erez Metula talking about .NET rootkits. I promptly lost my notes on it, but after finding and reading up on it, I have to say this is pretty exciting stuff (check the whitepaper, skim the pdf if you want, but it is less detailed). Two take-aways I got from a quick skimming:

1. You can replace .NET .dll files that Microsoft trusts just by deploying to the proper “folder” (bypassing the GAC process). Sure, this requires admin rights, but what then? This isn’t a penetration or priv escalation technique so much as it is a persistance technique.

2. You can do lots of cool shit inside a .dll file, whether you’re subverting the framework or some app that uses ASP.NET on top of the framework.

This brings up a few ideas on how to protect systems that run such code.

a. File integrity monitoring on framework files or files inside the general assembly.

b. Egress monitoring on network perimeters (not necessarily external!) to detect if something is being shipped out (such as with SendToURL or ReverseShell). To an extreme, this could be also done on the server itself so it is only talking to systems it should be talking to, not just network-prohibiting.

c. Do you know what code your developers are writing and executing on your servers? Code reviews and lifecycle integrity… I don’t know enough to speak about what privilege level .NET code is executed under, but I would be willing to bet an interested developer can do whatever he wants on a server that executes his code. This holds true for anyone that has access to the server to install something or run code or get administrative rights.

d. Um, don’t run as an administrator. This applies more to users, as they may visit a web page and allow code to run, which then rootkits their framework. Then again, this isn’t the only reason to stop running as admin while browsing the web.

e. If you can spare the energy, tracking regularly accumulating files/folders may help as well. If an attacker is gathering credentials on the server, they either need to ship them out or store-and-retrieve them. This point helps detect the “store” part.

Threatpost has an article up about Bob Maley, the Pennsylvania CISO dismissed this past week because he discussed an incident during an RSA panel. I saw this come in through the Twitter stream and my immediate thought was how this is exactly why we have such issues sharing useful information. We make an attempt to share information, and someone boots us hard in the ass. While the booting may be justified by the state’s policy, I would question that someone is not understanding the reasonable intent of the policy.

What’s funny is more people likely know about what happened in Pennsylvania due to this than if they had just slapped him on the wrist or done nothing. Well played, sirs. Maybe that in itself violates the policy…

I’ve recently finished reading Freedom, the sequel to Daemon by Daniel Suarez. I made a longer post which I have yet to clean up and release, but wanted to throw out this idea. (I highly recommend the books!)

I just read a post on isc.sans.org about an SEO poisoning attack. This reminds me of all the efforts to legitimize malicious accounts, sites, and activities. For instance, want to avoid the malware-radars on Twitter? Make a ton of accounts, follow each other, and get a few dozen or hundred randomly posted tweets. You’ll blend right in!

(Tiny, TINY spoiler here for Daemon, but not for Freedom. I’m really not giving anything away that will spoil the plot.)

In Daemon/Freedom, the daemon creates this new system which is based in part on reputation. As users in the daemon’s system, you can vote up or vote down other users based on your interactions with them.

This still suffers from problems of gaming the system, just like we see malware attempting to do today. You get enough “people” going, and you can inflate your scores. Likewise, this breaks down when you don’t have people voting based only on rational reasons and instead vote on popularity or for irrational reasons. Ashton Kutcher was the first person to 1 million followers on Twitter. Would it be appropriate for him to be the most powerful user in any legitimate system that has real world ramifications? Probably not.