Diary of a DEFCON Delegate
Drew Williams
Co-founder, Information Security SWAT Team
AXENT Technologies
Greetings from a flood-ridden Las Vegas, where the rain is pouring like quarters in so many slot machines. This is the third year of Black Hat and more than 650 people are in attendance. On top of that, more than 2,500 people are expected for DEFCON 7.
People presented on a number of critical topics, such as Cryptography, Regulating/Suggesting Parameters for Business Security, Cyber Forensics, "Competitive Intelligence," Putting Intrusion into IDS, Scanning: A Taxonomy of Security Testing, 1000 Hackers in a Box: Failings of Security Scanners, Security Issues with IIS 4 Servers, and How Responsive Are Security Vendors to Security Problems. Dr. Mudge of L0pht gave the keynote address, about jointly developing a new shareware tool called "AntiSniff" in collaboration with NFR's Marcus Ranum.
In one of the security sessions, a Microsoft spokesperson responsible for "Security@Microsoft.com" gave a party-line presentation and then proceeded to take questions about the security of the 25+ million lines of code in NT. As he explained, "Microsoft views BO2K as a malicious program and not as a vulnerability that's been cracked." After enough people had QA'd him from a "weeds perspective," I posed the question, "How many security-trained, security-conscious developers does Microsoft employ for code-level engineering?" He replied: more than 200 security experts, with a PhD in cryptography, and various other trained folks. Doing the math with fellow attendees, we removed technical support, QA, those two PhDs in cryptography, and the other scope-creep factors, and came up with a rough actual estimate closer to five to 10 engineers who actually look at code from a security perspective.
This weekend's annual DEFCON hacker convention drew more than 2,000 computer hackers, security experts, and federal officials from as high-ranking as the White House, who assembled to discuss the latest trends in security exploits. One of the three-day conference's break-out sessions included a panel discussion with security officials from the Army and the National Security Council, which gave a room of more than 500 hackers the chance to field questions and commentary. Note: Never give out your e-mail address to a group of hundreds of computer hackers—especially if you're a White House "Security" Director!
Another session highlighted the unveiling of California-based hacker group Cult of the Dead Cow's (cDc) newest version of "Back Orifice 2000" (BO2K). As a follow-up to last year's Back Orifice, this new version provides NT users with the ability to operate at a "Privileged" (Administrator) level—remotely (e.g., "RegEdit 32", remote file tree management, etc.). The boldness of such hacker organizations as cDc and the more prominent Boston-based L0pht Heavy Industries has fueled the cyber conflict between U.S. officials, software giants such as Sun and Microsoft, and hacker groups. These groups are doing a great deal of noise-making. And most of the participants here--as I see every year--are punks drawn together like a frat party gone bad. But the good news is, among the noise, there's some real value within the ranks, and the software vendors (like Sun and Microsoft), government agencies--including some of our own customer base--and the security vendors and our partners are starting to pay more attention to what these groups are saying.
In the case of the BO2K program, this is an open-source architecture, which is being hawked as a value-added tool that addresses both the productivity and security levels of any organization that depends on the NT operating system. Anyone can download the actual code directly from the cDc Website, and review it and its security safeties. What's different is that the BO2K server can be easily sent as a less than 100K e-mail attachment. Once in naive users' hands, the attachment can be opened and infect their systems without the users ever knowing they've handed over the keys to their system to a stranger.
I expect Microsoft to look at BO2K as a high-level security risk—and they should. Conversely, the cDc proclaimed this as a tool that IT administrators who are responsible for mostly remote networks can use to help (transparently) "enable" their administrative tasks. But hackerware is hackerware, and most of the virus groups will take a strong countermeasure against it, as will the security vendors.
So what does BO2K have/do?
- Has an open-source architecture. This is big news and what security companies should be concerned about. Everything else, for one argument or another, is probably something that has already been devised--either commercially, or through share/freeware. Open architecture means anyone can strip out the default settings and commands and put their own into the tool.
- Supports Triple-DES encryption (yes, it's a restricted export encryption).
- Ability to plug in your own authentication/encryption "stuff."
- Enables all connections to be encrypted, including password requests, etc.
- Designed to move data through secure connections.
- Has a plug-in ("Butt Plug"), which is a small set of core BO2K source.
- Designed for NT.
- Includes a PWDump-style utility for NT.
- Includes extended Registry Key editing--remotely.
- Has a smaller footprint (113k).
- Uses less than 2MB RAM.
- Looks like SMS, acts like SMS, but is risky to detect.
- Has built-in TCP & UDP connections.
- Includes a session-based architecture, which enforces session sequencing on reliable protocols.
- Has a remote desktop interface plug-in called "BO-peep," which allows the user to see the target desktop in clear stream.
- Has a remote Registry Editor which allows the user to surf remote machines and create values for registry keys.
- "BOSOC 32" allows packets to be reordered. cDc likens this to a "clean set of TCP functions in a UDP setting."
Here are some other highlights:
The cDc and distant colleagues at L0pht Heavy Industries teamed up to create a remote file browser, which allows the user to access directory trees from remote locations for dragging and dropping files--even through encrypted tunnels. This isn't necessarily a new utility, but it's still interesting.
With BO2K's source code released under the GNU Public License, you can also expect to see numerous BO2K variations. Further complicating matters: BO2K is designed to be plug-in extensible.
How can organizations detect and locate BO2K in an NT environment? My baseline concern is fourfold:
1. How can a vendor's products detect BO2K?
2. How can we locate where the incursion is originating?
3. What would be the defense against our countermeasures?
4. What are the other security vendors likely going to address as they make boasts in the media over this?
Issues like high and low entropy, weak algorithms, credential checking, and other technotalk bounced around among the conversations. Here are some suggested approaches (aside from looking to some of the antivirus folks for partial solutions):
1: Detection
- Use IDS solutions to monitor for encrypted traffic.
- Isolate the encrypted traffic and challenge its validity.
2: Location
- Identify the device(s) on which the encrypted traffic originated.
- Inquire as to the purpose of the encrypted traffic.
3: Countermeasure
- Stop using the encryption settings in BO2K and run it "naked," so to speak.
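The detection and location steps above come down to one mechanical question: which flows carry encrypted-looking payloads, and which of those come from a host that has no business speaking an encrypted protocol? The following is an added example, not code from the article or from any IDS vendor, showing the entropy screen that the "high and low entropy" hallway talk refers to. The sample flows, the allowlist of hosts expected to send encrypted traffic, and the 7.0 bits-per-byte threshold are all constructed assumptions for the example.

```python
"""
Added example (not from the article): screen captured payloads by Shannon
entropy, then challenge any high-entropy flow whose source is not on the
list of hosts expected to speak an encrypted protocol.

All sample data, the allowlist and the threshold are constructed assumptions.
"""
import math
from collections import Counter

# Assumption: (source IP, source port) pairs where encrypted traffic is expected.
EXPECTED_ENCRYPTED = {("10.0.0.5", 443), ("10.0.0.9", 22)}

# Assumption: bits of entropy per byte above which a payload looks encrypted
# (or compressed); truly random bytes approach 8.0, English text sits near 4-5.
ENTROPY_THRESHOLD = 7.0

# Payloads shorter than this cannot reach a high entropy reading anyway
# (entropy is capped at log2(len)), so they are reported as "too-short".
MIN_BYTES = 256


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the payload (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_flow(src_ip: str, src_port: int, payload: bytes,
                  threshold: float = ENTROPY_THRESHOLD) -> str:
    """Return 'too-short', 'plaintext', 'expected-encrypted' or 'review'."""
    if len(payload) < MIN_BYTES:
        return "too-short"
    if shannon_entropy(payload) < threshold:
        return "plaintext"
    if (src_ip, src_port) in EXPECTED_ENCRYPTED:
        return "expected-encrypted"
    # High entropy from a source with no known reason to encrypt: isolate it
    # and ask the owner of that device what the traffic is for.
    return "review"


# Constructed sample flows. The 2048-byte "ciphertext" is a byte-uniform
# pattern so the example is deterministic; real ciphertext looks the same to
# this screen.
CIPHERTEXT_LIKE = bytes(range(256)) * 8
PLAINTEXT_LIKE = (b"GET /index.html HTTP/1.0\r\nHost: intranet.example\r\n\r\n"
                  b"<html><body>Quarterly numbers attached.</body></html>\r\n") * 6

SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "src_port": 443, "dst_port": 51022, "payload": CIPHERTEXT_LIKE},
    {"src_ip": "10.0.0.21", "src_port": 1034, "dst_port": 80, "payload": PLAINTEXT_LIKE},
    {"src_ip": "10.0.0.77", "src_port": 54321, "dst_port": 4000, "payload": CIPHERTEXT_LIKE},
    {"src_ip": "10.0.0.77", "src_port": 54322, "dst_port": 4000, "payload": b"\x00\x01\x02"},
]


def screen_flows(flows, threshold: float = ENTROPY_THRESHOLD):
    """Return (src_ip, src_port, dst_port, entropy) for every flow needing review."""
    flagged = []
    for f in flows:
        verdict = classify_flow(f["src_ip"], f["src_port"], f["payload"], threshold)
        if verdict == "review":
            flagged.append((f["src_ip"], f["src_port"], f["dst_port"],
                            round(shannon_entropy(f["payload"]), 2)))
    return flagged


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["src_ip"], f["src_port"], "->", f["dst_port"],
              f"{shannon_entropy(f['payload']):.2f} bits/byte",
              classify_flow(f["src_ip"], f["src_port"], f["payload"]))
    print("needs review:", screen_flows(SAMPLE_FLOWS))
```

The screen is a triage signal, not a verdict: compressed files, images and legitimately encrypted sessions all read close to 8 bits per byte, which is why the second step is to challenge the flow against what the source device is known to do, rather than to block on entropy alone. Raising or lowering the threshold trades false positives from compressed content against misses on short or partially encrypted sessions.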
The last, but far from least, of your security concerns about BO2K is that this program enables a BO2K cracker on NT systems to make any directory shareable. Adding to the dilemma that this is an open architecture application, the resulting "spin-offs" will evolve, based on the time, resources, knowledge base and imagination of any hacker. To say that this can mean a security nightmare is an understatement.
