Sunday, May 22, 2016

Amplifying on No Such Agency's JD

While what the three-letter agency wants done is cool and the outcome of such a vectored attack might raise some moral qualms, I positively don't understand the requirement of a Top Secrȩt clȩarancȅ...?

None of the required methods and meẚns are sẹcret, just a tad on the abstruse side, so I'll repeat them here. Please pardon the AȘḈỈI art ;)

First learn what the equipment is by TCP fingerprinting, b&e + photograph or social engineering over a beer.

Second buy two of the same hardware, preferably from the same supplier so you'll be at the same firmware level [one box sacrificial for taking apart components, one for testing].

Third dump the firmware from flash [never trust the manufacturer's ftp images]. If SPI flash ask it nicely. If memory mapped unsolder and dump. Look-see the chips to learn the CPU type and revision.

Decompile said firmware with objdump (for UNIX hackers) or IDA Pro (for Wind0ws pukes). Most equipment is made in China so no encrypted bootloaders. If ciscō/Juniper consult usenet for source code or F1SA-court it.

Most Chinese equipment's software is built very sloppily, sometimes with outdated FOSS libraries. They also have junk CGIs which can be used to inject attack code later. Also they have full debug symbols.

Look at decompiled code/source, search for strcpy/memcpy/printfs. Sometimes there's a JTAG header which makes one's single-stepping life easy, else psychic debug how to smash stack for said architecture. Prepare ẽxploit and bon appétit.
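The strcpy habit the paragraph above tells you to hunt for is also the thing a firmware author should not be writing in the first place. As an added example, not code from the original post or from any vendor's CGI, here is the sloppy pattern next to a bounded alternative in C: a query-parameter handler that extracts `name=` from a raw query string without strcpy, refuses values that would not fit, and checks the snprintf result. The function names (`greet_unsafe`, `get_query_param`, `greet_safe`) and the `NAME_MAX` field size are my own choices; the unsafe variant is kept only for contrast and is never fed a long value here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* fixed on-stack field, as in many small CGIs (constructed size) */

/* The sloppy pattern: the value of a query parameter is copied into a
 * fixed stack buffer with strcpy. Any value of NAME_MAX bytes or more
 * runs past `name`. Kept only for contrast; never call it with
 * untrusted or long input. */
int greet_unsafe(const char *value, char *out, size_t out_len)
{
    char name[NAME_MAX];
    strcpy(name, value);                      /* unbounded copy */
    return snprintf(out, out_len, "Hello, %s", name);
}

/* Hardened extraction: find "key=" at the start of an '&'-separated
 * pair and copy its value into dst. Returns the value length, or -1 if
 * the key is absent or the value (plus terminator) does not fit. The
 * untrusted query string is only ever scanned within bounds. */
int get_query_param(const char *query, const char *key,
                    char *dst, size_t dst_len)
{
    size_t klen = strlen(key);                /* key is ours, not attacker data */
    const char *p = query;

    if (dst_len == 0)
        return -1;

    while (*p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = 0;
            /* stop at '&' or NUL; refuse before the buffer would overflow */
            while (v[n] != '\0' && v[n] != '&') {
                if (n + 1 >= dst_len)         /* leave room for the NUL */
                    return -1;                /* too long: reject, don't truncate silently */
                n++;
            }
            memcpy(dst, v, n);
            dst[n] = '\0';
            return (int)n;
        }
        /* skip to the next pair */
        while (*p && *p != '&')
            p++;
        if (*p == '&')
            p++;
    }
    return -1;                                /* key not present */
}

/* Hardened greeting: bounded extraction, then a checked snprintf. */
int greet_safe(const char *query, char *out, size_t out_len)
{
    char name[NAME_MAX];
    if (get_query_param(query, "name", name, sizeof name) < 0)
        return -1;
    int w = snprintf(out, out_len, "Hello, %s", name);
    if (w < 0 || (size_t)w >= out_len)        /* error or output truncated */
        return -1;
    return w;
}
```

The design point is that the bound is enforced while scanning, before any byte is written, so an overlong value produces a clean error instead of a silently truncated name or a trashed return address. Percent-decoding is deliberately left out; if it is needed it belongs after the bounded copy, into a second buffer of known size.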

Prepare to apply ếxploit. If enough room and flash writable, b&e and apply it.

If not figure out a way to re/apply it repeatedly:
 1. Tap into network (e.g. WPA password cracker) and remote exploit or
 2. Social engineer a culturally-appropriate mail attachment; if unknown send a juicy public figure bj clip for male targets or 50 Shådes of Grĕy Expanded Deluxe edition in 3 volumes (and with the fabled Secret Chapter to boot) ebook for the other half of the populace, etc.

Also install a keyløgger/røotkit for good measure.

Countermeasures:
1. Run from ROM -- but that's rare nowadays.
2. Boot/run Linux/BSD entirely from a dvd.
3. Use a ROMed signature-verifying bootloader -- ain't that hard, I've written one for a softcore SH-2; get your crypto sh*t right!
4. Use a battery-backed RAM for firmware or storing crypto keys; use a tripwire inside case which when opened will power off the RAM.

So again, if an old fart like Yours Truly is* able to plan and exȅcủte [nah, too lazy] the technical aspects, why the need for a high level clẹạrance? Perhaps not to blabber about the targets?

-ulianov

* = We have to be very careful defining the meaning of the word IS. Sometimes it is an unknown unknown.

Thursday, May 19, 2016

No Such Agency Calling ;)

My 16-year-old hacker & decompiler-of-viruses self, buried deep beneath a crust of blasé bitterness, goes OMG! So Coool! I wish I had stumbled upon this at that time... I would have grabbed this with both hands... alas different century, different continent. Am too old.


Job Title         : Embedded Software Engineer
Job Location      : Columbia, MD
Position Type     : Full-Time
Interview Process : Phone/Skype

Required Skills:
- Embedded software development using assembly and C languages
- Significant experience with IDA Pro (or similar) RE development tool
- Familiarity with variety of processors such as 8051, X86, and ARM
- Must be able to obtain a Top Secret clearance.
- 6-12 years of experience in C languages, IDA Pro, and embedded processes
- Experience with packet based communication such as TCP and UDP.
- Familiarity with configuring network routers and switches.

Duties/Responsibilities:
· Perform reverse engineering of binary images for embedded systems.
· Analyze software for vulnerabilities and security weaknesses.
· Develop methods for modifying systems to include new capabilities.
· Create new software images to be loaded onto embedded systems.
· Mentor junior engineers to improve technical capabilities.
· Assign task assignments and track task progress of team members.
· Provide direction for future product development efforts.

-ulianov