15 Nov

Why morons shouldn’t be writing about security, part 2

I read Kotaku’s article called “FBI Says Alleged Hackers Used FIFA To Steal Millions From EA” this morning. And it reminded me of the crap articles Catalin Cimpanu writes at Softpedia.

What’s wrong with Kotaku’s article?

Well, pretty much everything.

First, this group did not steal from Electronic Arts. If fact, not a single penny of real currency was taken from EA.

According to an unsealed FBI indictment, Clark and his co-defendants allegedly built a tool that would send false signals to EA’s servers to spoof matches, generating these FIFA coins at a rapid rate. The FBI alleges that Clark and crew then sold the coins to third-party sellers, earning millions.

Exactly! Guys received FIFA coins from EA (it’s an in-game currency) which they later sold on underground sites. Money came from persons entirely unrelated to Electronic Arts and it was given voluntarily. And that, by definition, is not a theft.

The article continues with a plenty of other funny statements like

.. worked with the defendants to get Xbox development kits and reverse-engineer a pirated copy of FIFA 14 using a program called Interactive Disassembler. This process took several months, Alcala said, but it allowed them to create a tool for mining FIFA coins.

I just love the IDA reference in here. bigsmile These guys used disassembler, they must be real evil hackers! All in all, this article is a fun read but it got all the basic facts wrong.

Mr. Jason Schreier, please stop writing about things you have no clue about. Stick to your video game reviews or something.

What is really happening?

Thankfully, UK journalists have much better idea of what’s happening in US courts, and they wrote a much better article. According to the indictment, the charges are “conspiracy to commit wire fraud“, a stupid catch-all term used in US courts for pretty much everything done over the Internet.

That document is equally funny read and shows how desperate the prosecutors must be to make any charges stick. Let’s see:

  • the defendant assisted in creating a program (…) which sent electronic messages to EA’s servers fraudulently representing that thousands of FUT matches had been completed in the EA’s FIFA video game. EA’s servers materially relied on the completed match messages and credited various accounts maintained by the defendant and his co-conspirators with FIFA coins. – this is the only part of the indictment that actually makes sense. Kinda. There’s one teeny tiny detail – RANE Developments got virtual goods from EA. And the legal status of virtual goods is very unclear in the United States. If virtual goods are not “money or property” in the eyes of law, then there was no fraud.
  • the defendant and co-conspirators continued to create and execute new methods to circumvent the security measures by EA in EA’s effort to prevent fraudulent activity associated with the company’s FIFA video game. – that might be a breach of EULA but not a crime;
  • executed their “application” through a video game console, which they modified to circumvent security and copyright protections, and on game development kits, which they obtained from unlicensed sources. – we’re getting desperate, let’s charge them with modding their consoles!
  • executed their “application” through cloud computer servers, which allowed them to run more copies of the software and obtain significantly more FIFA coins. – if nothing else helps, let’s charge them with renting cloud computer servers! Oh, wait, what? smile

Naturally, the defendant has pled not guilty to the charge. And if his lawyer is any good, I’m guessing he’ll walk out of the court as a free man.

20 Jun

Six-factor authentication (it’s not)

Today I read an article in The Register called Tor torpedoed! Tesco Bank app won’t run with privacy tool installed.

It’s a fun read about Tesco’s Android banking app and how it refuses to run when Tor application is installed on your mobile. But what really caught my attention, is this comment to the article:

I did a count of my account with a certain bank and when I use a PC which does not store their funky cookies, I get 6 (yes really, 6) steps for authentication.

  • Initial Customer code
  • Security password as there is no cookie so PC is not recognised
  • pre-agreed image
  • pre-agreed phrase
  • Customer Number
  • Security code

and if I use a Windows PC it whinges that I don’t have cRapport which would ‘improve my security’
So 6-Factor security isn’t good enough and you want an extra package to help???????

Sir, if you ever read what a multi-factor authentication is, you wouldn’t be stating such nonsense. All six of the steps you mentioned are of the same factor – “something you know”. As such, they provide no additional security, as one keylogger/screengrabber will capture them all.

Why your bank insists on you jumping over so many redundant hoops, remains a mystery..

21 Apr

JS-boobytrapped ZIP files, or why morons shouldn’t be writing about security

This morning I noticed Softpedia article titled “How to Prevent ZIP Files from Executing Malicious JavaScript Behind Your Back“.

Here’s the beginning of the story in all it’s glory:

Let me repeat that:

When unzipping the file, the JavaScript file would execute, automating various operations.

Naturally, I was curious about the cause of this issue and why I haven’t heard about it before.

Little bit of reading, little bit of Googling and here’s the original post from F-Secure: “How-To Disable Windows Script Host“. They write:

And such .zip files typically contain a JScript (.js/.jse) file that, if clicked, will be run via Windows Script Host.

Somehow Softpedia authors managed to convert “user clicking on a JS file” into “JS file being launched automatically when unzipped”.

Dear Mr. Catalin Cimpanu, please stop writing about security. Open a hotdog stand or something, that’s much more suitable for your skill level.

11 Mar

Miserable state of open source code

Yesterday I wanted to make a small API hook detector in C#. It has to parse PE file, find exported functions, read bytes from the beginning of function and then compare them with the bytes in process memory. Sounds simple, right?

Well, good luck finding a PE parser that actually works!

Looking for PE parser

Most of PE parsers stop at parsing DOS header, NT headers and section headers. But I needed something that would also parse export table for me. After a couple of Google searches I ended up with PEReader by DKorablin. From the first look it’s decent and even has a demo application. What else could you want?

Hmmm, how about working correctly on really simple files? wink

Sorry, nope.

Results from PEReader and CFF
It sure finds exported functions but it mismatches function names & RVAs. So, if you wanted to examine, say, CreateFileW, you will end up examining DeleteFileA. Or some other random API. Great job!

But it’s opensource. Just fix it and submit a patch!

Umm, no. I was looking for a PE parser that I can take, load it in VS and use it. I don’t want to spend days hunting down bugs and fixing them – this stops me from doing what I really want to do.

So, dear opensourcer, if you are publishing your code, make sure it actually works. If it doesn’t work, please don’t publish it at all – it’s not helping anyone. Don’t waste other people’s time..

P.S. I ended up with using DNLib and writing my own PE export parsing. At least, I know it works properly..

16 Feb

Why you should not worry about HARES

Last week Wired published an article about HARES – Hardened Anti-Reverse Engineering System. The article is really great example of what happens when some idiot starts to write about things he has no clue about.

I wanted to write a full-length post about that, but Errata Security beat me to it. So, please enjoy this great writeup instead. smile Thank you, guys!

So, can HARES be used in malware?

Wired article states that:

[HARES] could also mean the start of a new era of well-armored criminal or espionage malware that resists any attempt to determine its purpose, figure out who wrote it, or develop protections against it.

First, HARES requires a hypervisor. If the attacker had ability install hypervisor on your system, you were screwed anyway. This also means that 99.999% of today’s malware won’t be able to take advantage of HARES.

Second, modern antimalware solutions do not need to analyze code. They can analyze behavior of the process, monitor network connections, registry changes, file system changes – and that’s enough for a successful detection. HARES doesn’t interfere with that.

You can go to sleep peacefully tonight, the world is still spinning and no magical malware is going to appear overnight.

Further reading

PDF: MoRE Shadow Walker: TLB-splitting on Modern x86
Youtube video: Virtualization: MoRE Shadow Walker The Progression of TLB Splitting on x86
PAGEEXEC and TLB Splitting

12 Feb

Freeware scam artists. And some real morons.

If you spend any time playing with malware, or just downloading software, you’ve probably seen those kinds of scams.

Take some free software, wrap it in Nullsoft Installer, add a few toolbar and “system optimizer” softwares to the bundle, make the installation dialog as confusing as possible and get commissions for each install.

It usually looks something like this:

The reason why it works – people are stupid. They just click “Next”, “Next”, “Next”, “Finish” and think it’s gonna be alright. Sorry grandma – you just made somebody a few bucks richer!

These types of installers are usually detected as Adware or PUAs (Potentially Unwanted Programs) by most antivirus companies. The criteria for detection are really simple – if your installation dialog is designed to confuse Average Farmer Joe, you should be detected. You may not hide “Decline” button, you may not try to blend it into background, it must be clearly visible and accessible.

And now look at Elementary OS

Having said that, just look at the new and improved download page for ElementaryOS – freeware, open-source operating system:
Can you see the free download button? Neither can I. Because it’s not there!

You have to explicitly click on “$ Custom”, enter “0” there, and then click “Download”.

Huh? Come again, please?

Apparently, someone at Elementary OS thinks it’s a great feature:

We’ve opted to present users with some easy one-button choices. Right now we have ambitious $10, $25, and $50 buttons along with a “Custom” button that lets you type anything—including $0.

We didn’t exclude a $0 button to deceive you; we believe our software really is worth something.

You, sir, are a fucking moron.