Diary of a DEFCON Delegate
Drew Williams
Co-founder, Information Security SWAT Team
AXENT Technologies
Greetings from a flood-ridden Las Vegas, where the rain is pouring like quarters in so
many slot machines. This is the third year of Black Hat and more than 650 people are in
attendance. On top of that, more than 2,500 people are expected for DEFCON 7.
People presented on a number of critical topics, such as: Cryptography; Regulating/Suggesting
Parameters for Business Security; Cyber Forensics; "Competitive Intelligence"; Putting Intrusion
into IDS; Scanning: A Taxonomy of Security Testing; 1000 Hackers in a Box: Failings of Security
Scanners; Security Issues with IIS 4 Servers; and How Responsive Are Security Vendors to Security
Problems. Dr. Mudge of L0pht gave the keynote address, on jointly developing a new shareware tool
called "AntiSniff" with NFR's Marcus Ranum.
In one of the security sessions, a Microsoft spokesperson responsible for
"Security@Microsoft.com" gave a party-line presentation and then took questions about the
security of the 25+ million lines of code in NT. As he explained, "Microsoft views BO2K as a
malicious program and not as a vulnerability that's been cracked." After enough people had
grilled him from a "weeds perspective," I posed the question, "How many security-trained,
security-conscious developers does Microsoft employ for code-level engineering?" He replied:
more than 200 security experts, including PhDs in cryptography and other variously trained folks.
Doing the math with fellow attendees, we removed technical support, QA, those two PhDs in
cryptography, and the other scope-creep factors, and came up with a rough estimate closer to
five to 10 engineers who actually look at code from a security perspective.
This weekend's annual DEFCON hacker convention drew more than 2,000 computer hackers,
security experts, and federal officials, some from as high up as the White House, who assembled
to discuss the latest trends in security exploits. One of the three-day conference's break-out
sessions was a panel discussion with security officials from the Army and the National Security
Council, which gave a room of more than 500 hackers the chance to put questions and commentary
to them. Note: never give out your e-mail address to a group of hundreds of computer hackers,
especially if you're a White House "Security" Director!
Another session highlighted the unveiling of hacker group Cult of the Dead Cow's (cDc) newest
version of Back Orifice, "Back Orifice 2000" (BO2K). As a follow-up to last year's Back Orifice,
this new version gives a remote operator "privileged" (Administrator-level) control of an NT
host, including regedt32-style remote registry editing and remote file tree management. The
boldness of hacker organizations such as cDc and the more prominent Boston-based L0pht Heavy
Industries has fueled the conflict between U.S. officials, software giants such as Sun and
Microsoft, and hacker groups. These groups are doing a great deal of noise-making, and most of
the participants here, like I see every year, are punks drawn together like a frat party gone
bad. But the good news is that, among the noise, there is some real value within the ranks, and
the software vendors (like Sun and Microsoft), government agencies (including some of our own
customer base), the security vendors, and our partners are starting to pay more attention to
what these groups are saying.
In the case of the BO2K program, this is an open-source architecture that is being hawked as a
value-added tool addressing both the productivity and the security of any organization that
depends on the NT operating system. Anyone can download the actual code directly from the cDc
Website and review it and its security safeguards. What's different is that the BO2K server can
easily be sent as a small (roughly 100K) e-mail attachment. Once in naive users' hands, the
attachment can be opened and infect their systems without the users ever knowing they've handed
the keys to their system to a stranger.
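As an added illustration of that attachment path (example code written for this edit, not code from the article or from cDc), the following Python screens a mail message for executable attachments by content rather than by filename alone. The message, the attachment names, the extension block list and the "MZ"-prefixed byte string standing in for a server binary are all constructed here. The check only recognizes DOS/PE executables; a server packed inside an archive would need the same check applied after unpacking.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions NT will execute on a double-click (assumed gateway block list,
# not a list from the original article).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"}

# Every DOS/Windows executable, PE images included, starts with "MZ".
EXECUTABLE_MAGIC = b"MZ"


def inspect_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment that is executable by extension or by content.

    Looking at the decoded bytes catches a server binary renamed to photo.jpg,
    which an extension filter on its own would pass.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
        reasons = []
        if os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            reasons.append("blocked extension")
        if data.startswith(EXECUTABLE_MAGIC):
            reasons.append("DOS/PE executable header")
        if reasons:
            findings.append({"filename": name, "size": len(data), "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: one clean text attachment and two disguised executables."""
    # Stand-in for a small server binary; only the "MZ" header matters to the check.
    fake_server = EXECUTABLE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "check this out"
    msg.set_content("Open the attached, it's a great screensaver.")
    msg.add_attachment(fake_server, maintype="application", subtype="octet-stream",
                       filename="holiday.jpg.scr")  # caught by extension and by content
    msg.add_attachment(fake_server, maintype="application", subtype="octet-stream",
                       filename="photo.jpg")        # caught by content only
    msg.add_attachment("Agenda for Tuesday's meeting.", filename="agenda.txt")  # clean
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_attachments(build_sample_message()):
        print(finding)
```

The content check is what matters here: the extension list catches the careless case, while the "MZ" test catches the server that has been renamed to look like a picture.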
I expect Microsoft to look at BO2K as a high-level security risk, and they should.
Conversely, cDc proclaimed it a tool that IT administrators responsible for mostly remote
networks can use to (transparently) "enable" their administrative tasks. But hackerware is
hackerware, and most of the antivirus vendors will take strong countermeasures against it, as
will the other security vendors.
So what does BO2K have/do?
- Has an open source architecture. This is the big news, and it is what security companies
should be concerned about. Everything else, for one argument or another, has probably already
been devised, either commercially or as share/freeware. Open architecture means anyone can strip
out the default settings and commands and put their own into the tool, so a signature keyed to
the stock build will not hold up against a rebuilt one.
- Supports Triple-DES encryption (yes, a restricted export item at the time; the stock build
ships with only a trivial XOR cipher, and 3DES comes as a separate plug-in).
- Lets you plug in your own authentication/encryption "stuff."
- Can encrypt all connections, including password requests.
- Is designed to move data through secure connections.
- Has a plug-in interface (cDc calls the plug-ins "BUTTplugs"), built on a small set of core
BO2K source.
- Is designed for NT.
- Includes a PWDump-style utility for NT.
- Includes extended registry key editing, remotely.
- Has a small footprint (113K).
- Uses less than 2MB RAM.
- Looks like SMS (Microsoft Systems Management Server), acts like SMS, and is correspondingly
tricky to tell apart from legitimate remote administration.
- Has built-in TCP and UDP connections.
- Includes a session-based architecture, which enforces session sequencing on reliable
protocols.
- Has a remote desktop interface plug-in called "BO-peep," which lets the user view the target
desktop as a live stream.
- Has a remote registry editor, which lets the user browse remote machines and create values
for registry keys.
- "BOSOC 32" allows packets to be reordered; cDc likens this to a "clean set of TCP functions
in a UDP setting."
Here are some other highlights:
The cDc and their distant colleagues at L0pht Heavy Industries teamed up to create a remote
file browser, which lets the user access directory trees on remote machines and drag and drop
files, even through encrypted tunnels. This isn't necessarily a new utility, but it's still
interesting.
With BO2K's source code released under the GNU General Public License, you can also expect to
see numerous BO2K variations. Further complicating matters: BO2K is designed to be plug-in
extensible.
How can organizations detect and locate BO2K in an NT environment? My baseline
concern is fourfold:
1. How can a vendor's products detect BO2K?
2. How can we locate where the incursion is originating?
3. How will attackers adapt BO2K to get around our countermeasures?
4. What are the other security vendors likely to address as they make boasts in the media
over this?
Issues like high and low entropy, weak algorithms, credential checking, and other
technotalk bounced around among the conversations. Here are some suggested approaches
(aside from looking to the antivirus folks for partial solutions):
1: Detection
Use IDS solutions to monitor for encrypted traffic where none is expected; a strong cipher
such as 3DES produces high-entropy payloads that stand out from cleartext protocols.
Isolate the encrypted traffic and challenge its validity.
2: Location
Identify the device(s) on which the encrypted traffic originated.
Inquire as to the purpose of the encrypted traffic.
3: Countermeasure
Expect the attacker's response to be to stop using the encryption settings in BO2K and run it
"naked," so to speak: without the cipher the traffic no longer stands out by entropy, and the
fallback is matching on the cleartext protocol itself.
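The detection and location steps above, as an added worked example (written for this edit, not code from the article or from any vendor): a payload-entropy check of the kind an IDS would run per flow, followed by grouping of the hits by originating host. The sample flows, the 7.0 bits-per-byte threshold, the allow list of ports where encryption is expected, and the destination port 4099 are all constructed or assumed. It also shows why the "naked" countermeasure matters: a trivial single-byte XOR keeps the plaintext's byte distribution, so it slips under an entropy check that catches the 3DES-like flow.

```python
import math
import random
from collections import defaultdict

# Payload entropy (bits per byte) at or above this is treated as "looks encrypted".
# 7.0 is an assumed operating threshold, not a figure from the original article.
ENTROPY_THRESHOLD = 7.0

# Ports where encrypted traffic is normal and so not anomalous (assumed allow list).
EXPECTED_ENCRYPTED_PORTS = {443, 22}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def flag_encrypted_flows(flows, threshold=ENTROPY_THRESHOLD, allowed=EXPECTED_ENCRYPTED_PORTS):
    """Step 1 (detection): flows whose payload looks encrypted on a port where that is unexpected.

    Each flow is a dict with keys src, dst, dport and payload (the raw bytes seen).
    """
    flagged = []
    for flow in flows:
        h = shannon_entropy(flow["payload"])
        if h >= threshold and flow["dport"] not in allowed:
            flagged.append({**flow, "entropy": round(h, 2)})
    return flagged


def locate_sources(flagged):
    """Step 2 (location): group flagged flows by the host they originated from."""
    by_src = defaultdict(list)
    for flow in flagged:
        by_src[flow["src"]].append((flow["dst"], flow["dport"], flow["entropy"]))
    return dict(by_src)


# --- constructed sample traffic; none of this is captured data ---
def _pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for strong-cipher output, which is indistinguishable from random."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the "naked" / weak-cipher case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


PLAINTEXT = b"GET /index.html HTTP/1.0\r\nHost: intranet\r\n\r\n" * 40

SAMPLE_FLOWS = [
    # ordinary cleartext web traffic
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80, "payload": PLAINTEXT},
    # 3DES-like session to an arbitrary high port: high entropy, unexpected port
    {"src": "10.0.0.7", "dst": "203.0.113.9", "dport": 4099, "payload": _pseudo_random_bytes(2000, 7)},
    # same port, but the tool run "naked" with a one-byte XOR: entropy equals the plaintext's
    {"src": "10.0.0.9", "dst": "203.0.113.9", "dport": 4099, "payload": _xor(PLAINTEXT, b"\x5a")},
    # genuine TLS on 443: high entropy, but on a port where that is expected
    {"src": "10.0.0.5", "dst": "192.0.2.20", "dport": 443, "payload": _pseudo_random_bytes(2000, 11)},
]

if __name__ == "__main__":
    hits = flag_encrypted_flows(SAMPLE_FLOWS)
    for src, destinations in locate_sources(hits).items():
        print(src, destinations)
```

Only the 3DES-like flow from 10.0.0.7 is reported; the XOR flow from 10.0.0.9 has the same entropy as the cleartext it hides, which is exactly the gap that step 3 anticipates and that a protocol signature has to close.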
The last, but far from least, of your security concerns about BO2K is that this program lets
a BO2K cracker on an NT system make any directory shareable. Adding to the dilemma that this is
an open-architecture application, the resulting "spin-offs" will evolve, based on the time,
resources, knowledge base, and imagination of any hacker. To say that this can mean a security
nightmare is an understatement.