IOActive

IOActive Labs Active Publications

Traffic Analysis on Google Maps with GMaps-Trafficker
Author: IOActive

Launch the pdf

This paper describes a high-level approach to identifying which geographical coordinates a user sees on Google Maps when utilizing an SSL-encrypted channel. Provided you have built the correct profile, the GMaps-Trafficker tool allows you to identify which geographical coordinates a user is looking at on Google Maps even though the user is accessing Google Maps over SSL.

Reversal and Analysis of the Zeus and SpyEye Banking Trojans
Author: IOActive

Launch the pdf

Although the core functionality of SpyEye is similar to its main rival Zeus, SpyEye incorporates many advanced tricks to try to hide its presence on the local system. This document includes a deep technical analysis of the bot's advanced hooking and injection mechanisms as well as its core functionality used to hijack and steal user information.

Zeus is an advanced piece of malware, so getting it to a reversible state was not a trivial exercise since it incorporates multiple layers of custom portable-executable encryption. IOActive reverse engineers stripped each encryption layer and rebuilt the executable to allow for proper disassembly. Once Zeus was in an unpacked state, consultants identified additional roadblocks including non-existent import address tables, obfuscated string tables, and relocated code. Zeus included many methods to hinder reverse engineering.

The Genie in the Market
Author: Scott Dunlop

Launch the pdf

The Android Market is an open and friendly variation on the app stores spreading across the mobile phone industry. These applications appear safe on the surface, but they exact a price for developer accessibility that is paid by unsuspecting Android consumers and vendors. This article discusses the threats presented by native libraries included by Android Market applications and covers how these vulnerabilities were exploited by the Unrevoked app to jailbreak the latest generation of Android phones.


Beware of Relying on Tools Alone to Secure Web Applications
Author: IOActive

Launch the pdf

The demands of regulatory compliance may have you looking to vulnerability scanning tools in the hope of finding a magic bullet to vet your web applications. However, it would be unwise to expect scanners alone to accurately determine the impact of the web application vulnerabilities they detect. While the latest and greatest scanning tools promise the world, the reality is they only function well when configured and utilized correctly. This paper discusses best practices for securing web applications, including how to effectively use tools in conjunction with manual penetration testing.


Searching for Privacy: How to Protect Your Search Activity
Author: IOActive

Launch the pdf

This guide explains how to perform searches anonymously, protecting you from increasingly intrusive tracking and analysis by corporate and governmental organizations.


Top Threats to Cloud Computing V1.0
Author: Cloud Security Alliance

Launch the pdf

The purpose of this document is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to "Security Guidance for Critical Areas in Cloud Computing." As the first deliverable in the CSA's Cloud Threat Initiative, this document will be updated regularly to reflect expert consensus on the probable threats that customers should be concerned about.

IOActive's President and founder, Joshua Pennell, is a member of the CSA's advisory committee.


Securing the Smart Grid: To Act Without Delay
Author: IOActive

Launch the pdf

This presentation, delivered at Infosecurity Europe by Joshua Pennell, discusses risks identified, research performed, and remediation efforts suggested around the Smart Grid and meters.


Best Practices for using Adobe Reader 9.0
Author: IOActive

Launch the pdf

Adobe products have long touted how they enable organizations to collaborate and share information in heterogeneous environments. But a recent stream of vulnerabilities found in Adobe products has caused a great deal of concern about the overall security threat associated with using these products. IOActive security experts offer suggestions for how to best protect your computer.

Read the article here.


Improving RoI by Using an SDL
Author: IOActive

Launch the pdf

This paper explains how to improve return on investment by implementing a secure development lifecycle: it provides a brief introduction to SDLs, explains how implementing an SDL can save your organization money, and concludes with a discussion of how threat modeling and penetration testing complement SDLs.


Updated PCI Standards: Flexibility, Clarity and Common Sense 2.0
Author: IOActive

Launch the pdf

The Payment Card Industry Data Security Standards (PCI DSS) are a set of 12 requirements that merchants and their business partners are expected to follow to ensure the safety of cardholder data. Authored by the PCI Security Standards Council—an independent consortium of representatives from the major credit card brands—the PCI DSS covers data management, information technology, encryption, physical security, legal agreements, and business operations. When these standards were updated from version 1.1 to version 1.2, 30 changes were introduced to the existing requirements.


Security Guidance for Critical Areas of Focus in Cloud Computing
Contributing Editors: Josh Pennell and Ward Spangenberg

Launch the pdf

What follows is our initial report, outlining areas of concern and guidance for organizations adopting cloud computing. The intention is to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers. Much of this guidance is also quite relevant to the cloud provider to improve the quality and security of their service offerings. As with any initial foray, there certainly will be guidance that we can improve, and we will likely modify the number of domains and change the focus of some areas of concern. We seek your help to improve this guidance and make version 2.0 an even better asset to the security practitioner and cloud provider.


24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
Mentioned: Richard van Eeden

Go to Amazon

Fully updated to cover the latest security issues, 24 Deadly Sins of Software Security reveals the most common design and coding errors and explains how to fix each one—or better yet, avoid them from the start. Michael Howard and David LeBlanc, who teach Microsoft employees and the world how to secure code, have partnered again with John Viega, who uncovered the original 19 deadly programming sins. They have completely revised the book to address the most recent vulnerabilities and have added five brand-new sins. This practical guide covers all platforms, languages, and types of applications.

Order the book from Amazon here.


Black Ops of PKI Black Hat USA 2009
Author: Dan Kaminsky

Listen to the movie

Research unveiled in December of 2008 showed how MD5's long-known flaws could be actively exploited to attack the real-world Certification Authority infrastructure. This August 2009 presentation demonstrates two new collision classes: the applicability of MD2 preimage attacks against the primary root certificate for VeriSign and the difficulty of validating X.509 Names contained within PKCS#10 Certificate Requests. It also calls out two possibly unrecognized vectors for implementation flaws that have been problematic in the past: the ASN.1 BER decoder required to parse PKCS#10 and the potential for SQL injection from text contained within its requests. The implications of these attacks are larger than some have realized—first, because Client Authentication is sometimes tied to X.509 and second, because Extended Validation certificates were only intended to stop phishing attacks from names similar to trusted brands. As per the work of Adam Barth and Collin Jackson, EV does not, in fact, prevent an attacker who can synthesize or acquire a "low assurance" certificate for a given name from acquiring the "green bar" EV experience.

Listen to the talk: Black Hat talk
Download the slides: PowerPoint presentation
Supporting information — with authors Len Sassaman and Meredith Patterson:


PCI Compliance in the Cloud: What are the Risks?
Author: Ward Spangenberg

Launch the pdf

Cloud computing and virtualization are creating a noticeable buzz across the IT space. As the market puts pressure on companies to increase productivity and decrease capital investments, solutions like distributed computing are attractive options for management to consider. This paper introduces some risks and gives an overview of cloud computing.


A Risk-based Approach to Determining ESPs and CCAs
Author: IOActive

Launch the pdf

To mitigate the possibility of one computer virus crippling an entire region's transportation, emergency services, and power, the North American Electric Reliability Council (NERC) Critical Infrastructure Protection Standards (CIPS) requirements 002–009 describe the cyber security standards with which bulk electric power providers must comply. As part of this compliance effort, power providers must identify their Critical Cyber Assets (CCA) and applicable corresponding Electronic Security Perimeters (ESP). This document provides a detailed methodology for determining ESPs and CCAs.


Thoughts on the Microsoft SDL
Author: IOActive

Launch the pdf

Using a Secure Development Lifecycle (SDL) is an important practice because it produces more secure software from the start and saves money in the long term. An SDL is a software development lifecycle with security milestones and processes built into your overall software development methodology. The goal of an SDL is not only to produce more secure software, but also to reduce the overall lifetime cost of software development projects by reducing the need for security bug fixes.


Exploitation in the "New" WIN32 Environment
Author: Walter Pearce

Launch the pdf

With the release of Windows XP SP2 and Windows 2003, Win32 auditing, exploitation and research became far more complex. Data Execution Protection, a host of new security measures within the compilers, and the .NET Framework's implications on development as a whole all signaled the end of "simple" core system exploits. This paper focuses on these architecture changes—which were made to prevent exploitation of win32 processes—and how to break them. It reiterates what the author learned about general Win32 exploitation and provides detailed techniques to evade stack protections in Windows XP SP2 and Windows 2003.
