Archive for August, 2008

Obfuscation

Posted August 27, 2008 at 12:46 pm in Programming | No Comments

This is not a tribute to the Starsiege: Tribes map. Code obfuscation is source code or intermediate code that has been deliberately scrambled to make it harder to read. The purpose is to deter reverse engineering, disassembly, and decompilation, which can otherwise lead to loss of intellectual property, easier probing for application vulnerabilities, and loss of revenue.

C, C++, and Perl are among the easiest languages to obfuscate. Obfuscations come in many interesting varieties: simple keyword substitution, use or non-use of whitespace to create artistic effects, clever self-generating or heavily compressed programs, and polyglot programs that are valid and behave similarly in multiple programming languages.

From a security standpoint, code obfuscation creates a dilemma, especially for preventing XSS attacks. Dynamic code obfuscation techniques, which scramble malicious code differently each time a new visitor reaches the malicious website, were developed in response to security vendors’ efforts to detect encrypted malicious code.

By obfuscating the malicious code, attackers are able to bypass signature-based solutions such as URI filtering, IDS/IPS, and anti-virus. This presents a problem for code inspection that attempts to validate user input. Many phishing campaigns also obfuscate the malicious URI the user must visit, so that it does not arouse suspicion.

Dynamic obfuscation techniques give each visitor of a malicious site a different instance of the obfuscated malicious code, based on random functions and parameter name changes. A signature-based solution would need a separate signature for every one of these instances. Producing them would require an immense amount of time and research, and by the time a signature is ready to deploy, the malicious code would already have mutated numerous times.

A suggested defensive measure is real-time code inspection, which analyzes and understands the code embedded within web content on the fly, before it reaches the end user. Real-time code inspection breaks the code up into small segments, regardless of the code’s source, for inspection and action prior to its execution on network resources.
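To make the signature problem concrete, here is an added example (not code from the original post) that takes three constructed variants of the same benign script, each "obfuscated" the way a dynamic obfuscator would vary its output per visitor, and shows that a signature over the raw bytes differs for every variant while a signature over a normalized form is stable. The normalizer only undoes the reversible tricks it knows about (String.fromCharCode, \x and \u escapes, adjacent string concatenation); the sample scripts, the regexes and the function names are all assumptions of this example.

```python
import hashlib
import re

# Constructed variants of one benign script, each obfuscated differently.
# These are illustrative samples written for this example, not captured code.
VARIANTS = [
    r"""eval("document.write('hi')")""",
    r"""eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74.write('hi')")""",
    r"""eval(String.fromCharCode(100,111,99,117,109,101,110,116) + ".write('hi')")""",
]

# Patterns for the cheap, reversible obfuscations this normalizer understands.
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+?)\s*\)")
_HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
_UNI_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')   # "a" + "b" -> "ab"


def normalize(js: str) -> str:
    """Undo reversible obfuscation so equivalent scripts compare equal.

    Simplification (assumption of this example): escapes are decoded everywhere,
    not only inside string literals, and only double-quoted literals are folded.
    """
    js = _FROMCHARCODE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"', js)
    js = _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), js)
    js = _UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), js)
    prev = None
    while prev != js:  # fold adjacent literals until nothing changes
        prev, js = js, _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
    return re.sub(r"\s+", " ", js).strip()


def raw_signature(js: str) -> str:
    """What a byte-exact signature engine would have to store for this sample."""
    return hashlib.sha256(js.encode("utf-8")).hexdigest()


def normalized_signature(js: str) -> str:
    """Signature over the normalized form: stable across the variants above."""
    return raw_signature(normalize(js))


if __name__ == "__main__":
    for v in VARIANTS:
        print(raw_signature(v)[:16], normalized_signature(v)[:16], normalize(v))
```

The three raw hashes are all different, so a byte-exact signature would need one entry per variant, which is the treadmill the post describes. The normalized hashes are identical. The catch, and the reason the post argues for inspecting code at delivery time, is that this static normalizer only reverses transformations it already knows; a dynamic obfuscator that changes control flow or builds strings at run time produces output this function leaves untouched.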

If you would like to see an example of code obfuscation in Perl, try this code:

@P=split//,".URRUU\c8R";@d=split//,"\nrekcah xinU / lreP rehtona tsuJ";sub p{
@p{"r$p","u$p"}=(P,P);pipe"r$p","u$p";++$p;($q*=2)+=$f=!fork;map{$P=$P[$f^ord
($p{$_})&6];$p{$_}=/ ^$P/ix?$P:close$_}keys%p}p;p;p;p;p;map{$p{$_}=~/^[P.]/&&
close$_}%p;wait until$?;map{/^r/&&<$_>}%p;$_=$d[$q];sleep rand(2)if/\S/;print

Save it to a file and run it with perl from your shell for an interesting message.

Demilitarized Zone (DMZ)

Posted August 27, 2008 at 7:31 am in Networking | No Comments

The demilitarized zone (DMZ), also known as the perimeter network, is a physical or logical subnetwork that creates separation between an internal network and an external untrusted network (usually the Internet). The DMZ provides an additional layer of security to the internal network.

External services such as mail servers, DNS servers, FTP servers, and web servers are exposed within the DMZ. When these servers reside within the internal network, they are common targets for attackers seeking access to that network. By relocating them to the DMZ, an attacker who compromises one of these servers has still not breached the internal network.

This rationale may seem a bit confusing, but many of these servers and services are not critical to business continuity, and all of them will have redundancy and readily available backups. If these servers were within the internal network, an attacker who compromised one would essentially have free rein over trade secrets, financial data, employee data, databases, etc. With these servers in the DMZ, the assets essential to business continuity remain protected within the internal network.

Any service provided to users on an external network should be located within the DMZ. A mail server in the DMZ should forward incoming mail from the external network to an internal mail server, and the internal mail server should pass outgoing mail to the DMZ mail server. This creates a separation of duties between the mail servers while providing an additional layer of security to the network.

There are two common ways to implement a DMZ architecture: single firewall and dual firewall.
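The separation described above only holds if the firewall rules actually enforce it, and the rule that most often undermines it is a broad DMZ-to-internal allow. The following added example (not from the original post) models a three-zone policy as first-match rules with default deny, shows a weak policy beside a hardened one that pins the DMZ-to-internal path to the mail relay and port 25 as the post's mail flow requires, and includes an audit that flags rules breaking DMZ separation. The host names (dmz-mail, int-mail, dmz-web, and so on), the zone names and the rule syntax are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int] = None   # None matches any port
    src_host: Optional[str] = None   # None matches any host in the zone
    dst_host: Optional[str] = None
    action: str = "allow"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    dst_port: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone == flow.src_zone and rule.dst_zone == flow.dst_zone
            and rule.dst_port in (None, flow.dst_port)
            and rule.src_host in (None, flow.src_host)
            and rule.dst_host in (None, flow.dst_host))


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation; anything not explicitly allowed is denied."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Constructed host and zone names for illustration; not from the original post.
WEAK_POLICY = [
    Rule("external", "dmz", 25),
    Rule("external", "dmz", 80),
    Rule("external", "dmz", 53),
    Rule("dmz", "internal"),          # weak: any DMZ host reaches any internal host, any port
    Rule("internal", "dmz"),
    Rule("internal", "external"),
]

HARDENED_POLICY = [
    Rule("external", "dmz", 25, dst_host="dmz-mail"),
    Rule("external", "dmz", 80, dst_host="dmz-web"),
    Rule("external", "dmz", 53, dst_host="dmz-dns"),
    # Only the DMZ relay may hand incoming mail to the internal mail server.
    Rule("dmz", "internal", 25, src_host="dmz-mail", dst_host="int-mail"),
    # Only the internal mail server may push outgoing mail to the relay.
    Rule("internal", "dmz", 25, src_host="int-mail", dst_host="dmz-mail"),
    Rule("internal", "external"),
]


def audit(policy: List[Rule]) -> List[str]:
    """Return findings for allow rules that undermine DMZ separation."""
    findings = []
    for rule in policy:
        if rule.action != "allow":
            continue
        if rule.src_zone == "external" and rule.dst_zone == "internal":
            findings.append(f"{rule}: external reaches internal directly")
        if rule.src_zone == "dmz" and rule.dst_zone == "internal":
            if rule.dst_port is None or rule.src_host is None or rule.dst_host is None:
                findings.append(f"{rule}: dmz->internal must be pinned to host and port")
    return findings


if __name__ == "__main__":
    pivot = Flow("dmz", "dmz-web", "internal", "file-server", 445)
    print("weak:", evaluate(WEAK_POLICY, pivot), "hardened:", evaluate(HARDENED_POLICY, pivot))
    print("findings:", audit(WEAK_POLICY))
```

With the weak policy a compromised DMZ web server can reach an internal file server, which is exactly the breach the DMZ is supposed to prevent; the hardened policy denies it while still allowing the relay's mail flow in both directions. The audit is deliberately strict: every DMZ-to-internal allow must name both hosts and a port.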


Synchronous vs. Asynchronous Communication

Posted August 27, 2008 at 7:28 am in Networking | No Comments

Synchronous and asynchronous communication refer to the manner in which data is transmitted over a transmission medium.

Synchronous communication devices or systems must use an external clock to keep the devices synchronized to the same time. When the systems are geographically far apart, this is commonly done using GPS satellites, which provide a timing reference.

The timing signal is needed to provide an agreed-upon start and stop condition for the data stream. The receiving device must know when the transmitting device has started to send data and when it has stopped. The timing signal is agreed upon before data is exchanged, and during idle periods the devices exchange special characters or messages to remain in sync with one another.

For example, if the transmitting device sent the following message in frames: “The”, “Information”, “Systems”, “Security”, “Association”, and the receiving device disagreed about when each frame began and ended, it might interpret the message as “TheInfor”, “mation”, “Systems”, “Securi”, “tyAsso”, “ciation”. Once these frames are processed and presented in the manner they were originally meant to be, the result is unintelligible.

The timing signal, which is an electrical signal varying in voltage, is usually sent on a separate wire to avoid interfering with the data wire, though this is not always the case. Because of this timing source, synchronous communication devices perform minimal error checking.

Asynchronous communication, which many modems use, has no additional timing source. The transmitting device inserts start bits, stop bits, and optional parity bits into the data stream; these inform the receiving device when a data frame began, when it ended, and whether it was transmitted with errors.

A message is broken up into numerous frames whose size (the MTU) is limited to a certain number of bytes or ASCII characters. Each frame then receives a start bit and a stop bit and is transmitted.

Modems employ asynchronous communication because of their unreliable nature. Modems using an RJ-11 connector were often victims of line spikes and induced noise, which would desynchronize the timing signal needed for synchronous communication.
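As an added example (not from the original post), the following code frames ASCII bytes the way an 8E1 asynchronous link does, with a start bit, eight data bits sent least-significant bit first, an even parity bit and a stop bit, and then decodes the bit stream. It exercises the two failure modes discussed above: a single bit flipped by line noise, which the parity bit catches, and a receiver that starts listening in the middle of a frame, which yields a garbled first character before the start and stop bits bring it back into step at the next idle gap. The message "ISSA", the two idle bits between frames and the function names are assumptions of this example.

```python
from typing import List, Optional, Tuple

IDLE = 1          # an idle asynchronous line sits at the mark (1) level
FRAME_BITS = 11   # start + 8 data + parity + stop


def frame_byte(value: int) -> List[int]:
    """Build one 8E1 frame: start bit 0, data LSB first, even parity, stop bit 1."""
    data = [(value >> i) & 1 for i in range(8)]
    parity = sum(data) % 2            # even parity: ones in data+parity is even
    return [0] + data + [parity] + [1]


def encode(text: str, idle_bits: int = 2) -> List[int]:
    """Frame each ASCII byte, separating frames with a short idle gap."""
    bits: List[int] = []
    for byte in text.encode("ascii"):
        bits += [IDLE] * idle_bits + frame_byte(byte)
    return bits + [IDLE] * idle_bits


def data_bit_index(frame: int, bit: int, idle_bits: int = 2) -> int:
    """Stream index of data bit `bit` (0 = LSB) in frame `frame` as laid out by encode()."""
    return frame * (idle_bits + FRAME_BITS) + idle_bits + 1 + bit


def flip_bit(bits: List[int], index: int) -> List[int]:
    """Return a copy of the stream with one bit inverted (a simulated line spike)."""
    out = list(bits)
    out[index] ^= 1
    return out


def decode(bits: List[int]) -> List[Tuple[Optional[str], str]]:
    """Return (character, status) per frame; status is 'ok', 'parity' or 'framing'."""
    out: List[Tuple[Optional[str], str]] = []
    i, n = 0, len(bits)
    while i < n:
        if bits[i] == IDLE:            # hunt for the 1 -> 0 start-bit transition
            i += 1
            continue
        if i + FRAME_BITS > n:         # truncated frame at the end of the stream
            out.append((None, "framing"))
            break
        data = bits[i + 1:i + 9]
        parity, stop = bits[i + 9], bits[i + 10]
        value = sum(b << k for k, b in enumerate(data))
        if stop != 1:                  # stop bit missing: the frame boundary is wrong
            out.append((None, "framing"))
            while i < n and bits[i] != IDLE:   # simplification: wait for idle to resync
                i += 1
            continue
        out.append((chr(value), "parity" if sum(data) % 2 != parity else "ok"))
        i += FRAME_BITS
    return out


def recover(frames: List[Tuple[Optional[str], str]]) -> str:
    """Characters from frames that arrived without a detected error."""
    return "".join(c for c, status in frames if status == "ok" and c is not None)


if __name__ == "__main__":
    clean = encode("ISSA")
    print("clean     :", decode(clean))
    print("bit flip  :", decode(flip_bit(clean, data_bit_index(1, 0))))
    print("misaligned:", decode(clean[3:]))   # receiver missed the first start bit
```

Flipping the first data bit of the second frame turns "S" into "R", but the received parity no longer matches, so the frame is flagged rather than silently accepted. Dropping the first three bits, so the receiver never sees the first start bit, produces one garbled frame with a parity error and then correct decoding of the remaining characters, because the next idle gap and start bit re-establish the frame boundary without any external clock. Parity is a weak check (two flipped bits in one frame cancel out), which is why modems layer stronger error detection on top.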

Examples of asynchronous communication include the RS-232 serial interface (commonly used in communication equipment) and V.2 modems.

An asynchronous communication service or application does not require a constant bit rate (the rate is variable). Examples are file transfer, e-mail, and the World Wide Web. A synchronous communication service can be real-time streaming media, for example IP telephony, IP-TV, and video conferencing.
