This blog is the second post in our Embedded Linux Device Security Research series. In the first post, Emulating Embedded Linux Applications with QEMU, we covered some commonly used tools and discussed using QEMU in user-mode to emulate a single binary. This post covers how to use QEMU in system mode to create a VM to emulate the target device. When emulating individual binaries doesn’t cut it, you can run QEMU in system mode to emulate an entire OS. From the previous post, we know that the D-Link DIR-866L is a MIPS device, so we will use the qemu-system-mips emulator....
Emulating Embedded Linux Devices with QEMU
Recently Internet of Things (IoT) device security has come into mainstream focus. With the rise of IoT botnets (like Mirai), IoT devices are receiving increasingly more attention from both attackers and security researchers. For people new to the world of binary exploitation, many embedded Linux devices are an attractive target to learn various vulnerability research techniques. Most embedded devices lack the security features of modern Operating Systems (OSs), such as memory protections (Data Execution Prevention (DEP)/exec-shield/etc; basically W^X page permissions), stack cookies, strong Address Space Layout Randomization (ASLR) and control flow integrity solutions (such as CFG). The lack of protections,...
OpenSSH: The New Swiss Army Knife
Forwarding ports, transferring files, and creating encrypted tunnels with OpenSSH While OpenSSH is best known for providing secure remote login (ssh, slogin) and file transfer (scp, sftp) capabilities, it is capable of doing a lot more. In this post, we will discuss using the OpenSSH client to create proxies and forward ports (over encrypted tunnels). For a deeper dive into functionality, explore the ssh man page. Local Forwarded Ports Imagine the following scenario: You’re at home and want to connect to a MySQL database at work. Let’s further assume that the network access is controlled through a bastion host running...
Scale Vulnerability Research using Modern Fuzzers
Finding vulnerabilities in software is a challenge. Traditionally, it requires skilled engineers to manually reverse engineer software at the assembly code level to find flaws. While this approach is often successful, it’s hard to scale. Skilled engineers are scarce, and, even if that weren’t an issue, the cost of additional manpower could be prohibitively expensive. A common solution to scaling vulnerability research is to automate with software. Often referred to as a fuzzing framework, this software sends different inputs to a target binary while it’s running, hoping to crash it. If a crash is detected, the input causing the crash...
Is Anyone Safe from Meltdown and Spectre CPU Vulnerabilities?
On 3 Jan 2018, Google’s Project Zero team published information regarding two critical vulnerabilities named Meltdown and Spectre which affect virtually all modern Central Processing Units (CPUs). Cloud service providers like Microsoft Azure and Amazon Web Services (AWS) may also be impacted by these vulnerabilities. Meltdown (CVE-2017-5754): This vulnerability breaks the most fundamental isolation between user applications and the operating system. It allows a program to access the memory address space of other programs and the operating system. Desktop, Laptop, and Cloud computers may be affected by Meltdown. Every Intel processor since 1995 (except Intel Itanium and Intel Atom before...
Five Reasons Why Operation Blockbuster Matters
On Wednesday February 24th Novetta released Operation Blockbuster, a report that describes how a Novetta-led coalition of private industry partners and Novetta’s Threat Research & Interdiction Group (TRIG) identified and interdicted the adversary behind the Sony Pictures attack. This effort is the culmination of more than a year of research and reverse engineering by many skilled professionals with the goal of devising ways to disrupt the tools and techniques of the threat actor group to collectively protect our customers. If you haven’t yet seen this report, there’s a friendly two-page executive summary at http://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Ex-Summary.pdf and the full report is at http://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf....
Operation Blockbuster: Unraveling the Long Thread of the Sony Attack
Operation Blockbuster is a Novetta-led coalition of industry partners created to identify and disrupt the malicious tools associated with the threat actor behind the November 2014 Sony Pictures attack. We began researching last year by identifying several malware hashes publicized by the security community following the SPE attack. From these hashes, we were able to establish a baseline of the malware capabilities, as there were common code and libraries being used in the malware samples. From these common snippets of code and use of library functions, signatures were generated to detect additional malware samples using both proprietary tools and Totem,...
Cybersecurity Ventures Ranks Novetta in Top 100 on Cybersecurity 500 List
We’re honored to earn a spot in the top 100 of Cybersecurity Ventures’ Cybersecurity 500 List for a second consecutive quarter. The number and severity of breaches is increasing rapidly year over year, while industry analysts are growing less confident about whether their company’s security posture can effectively prevent or respond to cyberattacks (according to Black Hat’s 2015 Attendee survey). Accolades are always welcomed but we know there’s still considerable, important work to do. The cybersecurity industry has an overwhelming number of vendors, all claiming to ‘secure the network’ using a variety of different and often conflicting tools and methodologies. At Novetta,...
Advanced Methods to Detect Advanced Attacks: Unknown Service
This post is the tenth and last of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. In this final post, we’ll see a security solution capable of separating normal well-formed traffic from abnormal attacker traffic by looking at network data only. And we’ll see why that is useful. Joe: Hey Bob, 10.217.145.233 is sending a lot of traffic on port 80. Bob: So…web traffic. Why did that...
Advanced Methods to Detect Advanced Cyber Attacks: Two Degrees of Separation
This post is the ninth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. Today we’re going to look at how to start playing Six Degrees of Kevin Bacon with network traffic for the purpose of efficiently executing a network security investigation. In the Computer Network Defense version of Six Degrees, we’re looking to link network hosts together based on who they’ve exchanged traffic with (vs. starring in...