Defeating Windows 8 ROP Mitigation

Windows 8 introduced a number of exploit mitigation features. Including a feature designed to help mitigate exploits leveraging return-oriented programming (ROP).

Return-oriented Programming is where an attacker leverages control of the call stack to execute certain machine instructions in subroutines of programs. This avoids the need for direct code injection.

Windows 8 adds a simple function in an attempt to mitigate these exploits. Every function associated with manipulating virtual memory, includes a check that the stack pointer falls within the range defined by the Thread Environment Block (TEB).

Source for an in depth look at the exploit: http://vulnfactory.org/blog/2011/09/21/defeating-windows-8-rop-mitigation/

Abusing HTTP Status Codes

The result of abusing HTTPS status codes is actually very severe. The format of this attack is fairly simple. A user will upload a picture into a website such as gmail.com on their account. Then they will enable to picture to be seen by everyone so their fore it is public. By doing so this allows hackers to almost inject different types of code into the html. This code is written in java script and can be prevented by just turning off the enabled java script option. However for a hacker this tool is very interesting. By injecting such code they can potentially tell if you are logged into a specific sight or not. They created a code that checks and sees if you are logged onto a website if not the status code returns something to the effect of “no tlogged in” if they are on the site then it will return “logged in”. This type of attack is very interesting because it is almost like a GPS tracker on your computer. The person who created the hack for better or less track a lot of your movement on the internet and ultimately stalk you. This type of script has worked with internet explorer, Mozilla Firefox , safari and chrome. This hack cant also attack Facebook users and see when they are logged on using a manipulated code but it is limited by some browsers.

https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information

SSL and TLS

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both very important to the security of the internet. They are the protocols that encrypt any secure connection between you and the server.

When you connect to the server, a “handshaking” process begins. The first step is that the server sends you its identity certificate and public key, then it asks for the same from the client. The client then responds with its public key and verifies the server’s identity certificate with the certificate authority that created it. Once this has been successfully completed, the connection can now be encrypted.

If those steps are not completed, the client can not trust the server and closes the connection.

See also:

http://technet.microsoft.com/en-us/library/cc785811(WS.10).aspx

Can’t Stop the Pirates

Constantly keeping things secure and protected is a tough job. Security applications and the like need continuous advancements as exploits are also regularly in order to thwart the efforts of security professionals.  I decided to look into the what sort of piracy protection Microsoft uses for its video game consoles and the games themselves, as Microsoft being as big as it is should have decent security. I found that, of course, they have both physical and software based protection.  One of the main sources that Microsoft draws its protection from is the Digital Millennium Copyright Act (DMCA).  The basic guidelines to the act are as follows:

·         Makes it a crime to circumvent anti-piracy measures built into most commercial software.

·         Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.

·         Does permit the cracking of copyright protection devices, however, to conduct encryption research, assess product interoperability, and test computer security systems.

·         Provides exemptions from anti-circumvention provisions for nonprofit libraries, archives, and educational institutions under certain circumstances.

·         In general, limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet.

·         Service providers, however, are expected to remove material from users’ web sites that appears to constitute copyright infringement.

·         Limits liability of nonprofit institutions of higher education — when they serve as online service providers and under certain circumstances — for copyright infringement by faculty members or graduate students.

·         Requires that “webcasters” pay licensing fees to record companies.

·         Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while “maintaining an appropriate balance between the rights of copyright owners and the needs of users.”

·         States explicitly that “[n]othing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use… (1)”

Microsoft also has anti-piracy software in place.  One example of this is, Anti-Piracy 2.5 or AP25. “Anti-Piracy version 2.5 is the newest addition by Microsoft to detect custom DVD Drive firmware and is included in the new Kinect dashboard. This check has been included for some time but hasn’t been activated until Kinect. This authentication blocks backups from being loaded. (2)”

More and more improvements in security are needed constantly as people continue to find and create work-arounds to new defenses, even the protections that microsoft has in place have yet to and most likely will never put a stop to “pirates”.  This is why security professionals in this day and age and for a long time coming will always be in demand and  will always have their hands full.

Sources: (1) http://gseis.ucla.edu/iclp/dmca1.htm (2)http://www.se7ensins.com/forums/topic/401704-new-anti-piracy-25-information-noobs-guide/