17 Aug 2016

Gone for summer vacation

Last few months were quite busy for me.

On the good side: I solved 2 tracks of Labyrenth CTF - Windows and Documents. Unfortunately they still haven't published the Honor Roll, so I have no clue if I placed 1st, 2nd or 44th..

On the bad side: there are lots of changes happening in my office. I don't mind changes per se but the uncertainty of the future of the company.. Well, that's not great.

So, I'm leaving for summer vacation. I'll spend almost 4 weeks on islands with very spotty mobile coverage and almost certainly without Internet access. Will be back in mid-September, relaxed and ready to do some serious reversing again.

Have fun and talk to you all later!

20 Jun 2016

Six-factor authentication (it’s not)

Today I read an article in The Register called Tor torpedoed! Tesco Bank app won't run with privacy tool installed.

It's a fun read about Tesco's Android banking app and how it refuses to run when Tor application is installed on your mobile. But what really caught my attention, is this comment to the article:

I did a count of my account with a certain bank and when I use a PC which does not store their funky cookies, I get 6 (yes really, 6) steps for authentication.

  • Initial Customer code
  • Security password as there is no cookie so PC is not recognised
  • pre-agreed image
  • pre-agreed phrase
  • Customer Number
  • Security code

and if I use a Windows PC it whinges that I don't have cRapport which would 'improve my security'
So 6-Factor security isn't good enough and you want an extra package to help???????

Sir, if you had ever read what multi-factor authentication is, you wouldn't be stating such nonsense. All six of the steps you mentioned belong to the same factor - "something you know". As such, they provide no additional security, since a single keylogger/screengrabber will capture them all.

Why your bank insists on you jumping through so many redundant hoops remains a mystery..

03 Jun 2016

Quickpost: addicted to meaningless jargon

This is a great article about one journalist's experiences at the RISE conference.

“We visually organize your email and cloud-based content for ultra fast access,” says Kalpesh, reading from his promotional materials. “It’s visual storytelling with any type of content.”

Say what? What does this thingy do? I have no clue.

Apparently I'm not alone. Luckily, the article's author translated it into plain English:

Translation: Cubes is actually an app that pinpoints anything that’s not plain-Jane text in your email or Dropbox accounts (a photograph, an excel file, a YouTube video), takes snapshots of those things, and then bundles them together in a standalone app.

OK, now I get it. Thanks!

However, the sad thing is, it's not just startups. If you're working in a large company, you've probably seen these kinds of emails sent by your pointy-haired bosses. They are stuck in their bubbles talking about "disruption", "alignment" and "engagement". How about this:

To ensure synergies and alignment between the finance strategy and business needs, Mr.X will co-operate closely with all finance functional leads, including aligning closely with Mr.Y and his team to ensure the consistent dissemination of financial information.

No, I really don't know why our company is going to pay $100k a year to this guy. Do you?

31 May 2016

BTVStack.exe requesting access to Skype on every startup

Background

At home I'm using a desktop computer. It has an ASUS motherboard with an Atheros Bluetooth chip. I have all the drivers installed, but I'm not using Bluetooth at all.

Problem

Some time ago I started getting this notification every single time I started Windows:

[Screenshot: btvstack_skype]

btvstack.exe is requesting access to Skype. Only allow access to programs downloaded from a trusted source as they will be able to use information such as your Skype contacts and messages.

No matter which option I selected, it would ask me again on the next reboot. Bloody hell!

If you google for the solution, you'll notice that:

  1. It's a quite common problem;
  2. The most common solution is to deny/allow access either using the dialog above, or via Tools->Options->Advanced->Advanced Settings->Manage other programs’ access to Skype;
  3. Another solution for Windows 8+ is to deselect "Allow Bluetooth devices to send you PIM items such as business cards, calendar items, e-mail messages, and notes." in the Bluetooth Control Panel applet;

Unfortunately, the first solution did not work for me, and the second is not feasible because there is no such option in the Windows 7 Control Panel.

Solution

Since I don't need Bluetooth but I don't like having broken drivers, I decided to disable just the offending DLL. From an elevated command prompt I ran

and the problem disappeared. Great success!

Hope this helps someone else too.

20 May 2016

Beautiful code

After making quite a few unpackers and other RE-related tools, publishing their sources and having to maintain and bugfix them, all I can say is: "Read this. Remember this. Worship this."

All code is born ugly.

It starts disorganized and inconsistent, with overlaps and redundancies and gaps.

We begin working it into an imperfect solution for an often poorly defined problem.

As we start building up like clay, a solution starts taking form. The feedback guides us in moving, removing and adding material. It allows us to add and remove details. We learn from our mistakes.

Thank you, Dennis, you made my day so much better.

16 May 2016

Quickpost: application reversing becoming legal in USA?

Last Friday the authors of Dotfuscator published quite an interesting blog post, claiming that reverse engineering applications in the USA is becoming a legal means of acquiring intellectual property, thanks to the Defend Trade Secrets Act of 2016.

I am not a lawyer, and such statements coming from the authors of an obfuscator should be taken with a grain of salt - but it's an interesting read nevertheless. What's your take on that?

29 Apr 2016

I bought a software today…

I never buy software. Not sure why that is; probably I just don't see the point in doing it. To me, most software seems ridiculously overpriced.

  • Paying 30 euros for a copy of WinRar? Are you kidding me?
  • Paying 70 euros for the latest Need for Speed racing simulator I'm not even sure I'll like? I'm not a hardcore gamer, I'm just looking for some good fun for a rainy evening.

And subscription-based software is even worse:

Do I look like a f*ing Rockefeller to you?

Hello Adguard!

Imagine my surprise when yesterday I noticed that my beloved Adguard actually has very reasonable prices. And they are offering a 40% discount on all licences until May 4th, 2016. A lifetime license for less than a cup of Chai Latte at Starbucks? I'll take that, thank you very much!

[Screenshot: license purchased]

Well, it's actually only half-true. If you just open their main page in the browser and go to "Purchase", you'll probably see that a lifetime license costs $14.97. Not exactly a cup of Chai Latte.

Hacking Adguard pricing

To get those extra nice prices, you'll need to perform a little trick. Open the mobile version of the same page in your browser: m.adguard.com. Now go to purchase. And now switch to prices in Russian roubles. 179 RUB for a lifetime license!

According to Paypal, I just got my lifetime license for:

Payment: 179.40 RUB
Payment sent to: pr@adguard.com
From amount: $2.94 USD

Cheers!

Summary

If you're interested in a decent adblocker for an Android device, I recommend that you give Adguard a chance. No root required! They also have adblockers for Windows and Mac, but I haven't tested those.

Full disclosure: the link above is my affiliate link with Adguard. If 4 people follow this link, install Adguard and use it for 30 minutes, I will get a free 1-year license. In that case, I will donate this license to LCF-AT to help with ad-filtering issues.

If you hate affiliate links of any kind, please feel free to visit using a direct link: adguard.com - it's well worth it.

Have fun blocking the ads!

21 Apr 2016

JS-boobytrapped ZIP files, or why morons shouldn’t be writing about security

This morning I noticed Softpedia article titled "How to Prevent ZIP Files from Executing Malicious JavaScript Behind Your Back".

Here's the beginning of the story in all its glory:

[Screenshot: softpedia]

Let me repeat that:

When unzipping the file, the JavaScript file would execute, automating various operations.

Naturally, I was curious about the cause of this issue and why I hadn't heard about it before.

A little bit of reading, a little bit of Googling, and here's the original post from F-Secure: "How-To Disable Windows Script Host". They write:

And such .zip files typically contain a JScript (.js/.jse) file that, if clicked, will be run via Windows Script Host.

Somehow the Softpedia authors managed to turn "user clicking on a JS file" into "JS file being launched automatically when unzipped".

Dear Mr. Catalin Cimpanu, please stop writing about security. Open a hotdog stand or something, that's much more suitable for your skill level.

19 Apr 2016

One month with Avast

I've written about my troubles with the Bitdefender AV solution before. So, when my Bitdefender license expired, I was happy to switch to a different solution. I picked Avast. In this post I'll try to summarize my impressions after using it for one month.

Setup

Bitdefender 2016 insisted on me creating a user account for their cloud management crapshoot before I was actually able to get the installer and install the software.

By contrast, Avast's setup was a snap. One, two, pick components, done.

[Screenshot: 01-setup]

One minor issue I noticed - I'm quite sure Avast setup did not respect my choices and installed more components than I selected in the setup dialog. Or maybe I mis-clicked one checkbox. I'll give them the benefit of the doubt.

Avast - 1 : Bitdefender - 0.

User Interface

After the all-dark-and-depressing Bitdefender UI, Avast feels much brighter, more colourful and cheerful. It feels much snappier and faster as well. Everything seems to be intuitive and easy to find.

Avast - 1 : Bitdefender - 0.

Configuration

Avast has all its settings in one place. Bitdefender requires you to open each component separately to access its settings. Avast would be a clear winner here, but..

But good luck trying to find which apps are allowed or blocked by Avast firewall!

Firewall configuration is under "Settings", just like you would expect. From there you can configure "System rules" and "Packet rules". However, you won't find allowed/blocked applications there. Instead, you need to go to Tools->Firewall and locate the teeny tiny "Application rules" link hidden between "Firewall logs" and "Settings". WTF?

[Screenshot: 02-firewall-apps]

Taking that into account: Avast - 1/2 : Bitdefender - 1/2

Updates

Both antiviruses handle normal updates very well. No ads, no popups, no annoyances of any kind. Avast seems to have some sort of ad hoc streaming updates 24/7 - or at least, that's what the Statistics tab shows:

[Screenshot: 03-stats]

However... Today my Avast received a different kind of update that required a restart. From what I can tell, this update replaced most of the EXE/DLL files in the %PROGRAMFILES%\AVAST Software\Avast\ folder. After the restart, my PC got stuck in a semi-working state, with services.exe and svchost.exe eating most of the CPU resources and Avast showing a "try our new-and-cool-whatever-thing-I-don't-give-a-crap-about" advertisement. In addition to that, Avast claimed that its firewall module could not be started.

A few "repair installation" runs and Windows restarts later, the problem disappeared. As a side effect, all my carefully set privacy settings were reset to defaults, "show offers for other Avast products" was enabled again and all File System Shield exceptions were gone.

Even though I really enjoy Avast's invisible 24/7 updates, I have to reduce Avast's score due to this major f*ckup.

Avast - 0 : Bitdefender - 1

Bugs and issues

As I described earlier, Bitdefender was far from perfect. By contrast, my first impressions of Avast were extremely positive. Great setup, aesthetically pleasing UI, plenty of user-configurable settings. Everything I could ask for!

However, the first few weeks of using Avast have been nothing but a source of frustration.

Issue #1 - I've configured File System Shield to scan files only on execute. All scans on write or access are disabled for executable files using Avast's UI.

[Screenshot: 04-avast-no-write-scan]
[Screenshot: 05-avast-no-access-scan]

However, any time I copy-paste suspicious executable files from one PC to another using the Remote Desktop Client, Avast File System Shield pops up and blocks the copy operation. WTF?!

[Screenshot: 06-detect-on-copy-paste]

Issue #2 - There is no "Beggar off, I know what I'm doing" option in the detection dialog, even for heuristic detections. The previous issue wouldn't be a big one if I had the possibility to dismiss the detection dialog and continue copying files. But I can't.

[Screenshot: 07-no-ignore]

So, the only option for me is to disable File System Shield completely. That kinda defeats the purpose of having the antivirus, doesn't it?

Issue #3 - A myriad of "Win32:Malware-gen" and "Win32:Evo-gen [susp]" detections.
In an effort to reduce the number of false positives, I've set the heuristics and HIPS sensitivity to "Low". But even then Avast keeps producing plenty of detections on clean files like the Goliath obfuscator, ScyllaHide and other reversing tools.

Issue #4 - Leaving the statistics tab open for a long time will cause the CPU usage to go high. No idea what causes it; probably the braindead decision to use embedded Chromium and Flash to show the pretty graphs and stuff.

Taking all that into account: Avast - 1/2 : Bitdefender - 1/2

Summary

Avast is a great product - for your grandma's or neighbour's PC. But if you ever work with malware, cracked files or anything remotely suspicious, Avast's super-sensitive File System Shield will drive you mad.

I'll give it one more shot and try to tweak configuration files manually. But if I can't make it play nice, I'll be looking for a different solution for my PC.