Fascinating attack on gapped networks

Last week, Adi Shamir gave a presentation at Black Hat Europe on using all-in-one printers to control computers on the other side of air gaps.

Theoretically, if a malicious program is installed on an air-gapped computer by an unsuspecting user via, say, a USB thumb drive, attackers should have a hard time controlling the malicious program or stealing data through it because there is no Internet connection.

But the researchers found that if a multifunction printer is attached to such a computer, attackers could issue commands to a malicious program running on it by flashing visible or infrared light at the scanner lid while the lid is open.


The researchers observed that if a source of light is pointed repeatedly at the white coating on the inside of the scanner's lid during a scanning operation, the resulting image will have a series of white lines on darker background. Those lines correspond to the pulses of light hitting the lid and their thickness depends on the duration of the pulses, Shamir explained.

Using this observation, the researchers developed a Morse-code-like scheme: pulses of light are sent at different intervals, and the resulting lines are interpreted as binary data, 1s and 0s. Malware running on an air-gapped system could be programmed to initiate a scanning operation at a certain time -- for example, during the night -- and then interpret the commands sent from far away by attackers using this technique.

Shamir estimated that several hundred bits of data can be sent during a single scan. That's enough to send small commands that can activate various functionality built into the malware.
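To make the channel described above concrete from the monitoring side, here is an added example (my own code, not Shamir's or the post's): a scan is reduced to one mean brightness value per row, pulsed light on the lid becomes bright runs on a dark background, run thickness encodes the pulse duration, and a scan that is mostly dark yet striped with many bright runs is flagged as looking like pulsed illumination rather than a document. The row counts, brightness values and thresholds are constructed assumptions, not measured constants; the "rows per page" figure used for the capacity estimate is the approximate row count of an A4 page at 300 dpi.

```python
"""Model of the scanner covert channel from the detector's point of view.

All inputs are constructed. Assumptions: a scan is summarised as a list of
per-row mean brightness values (0-255); pulses appear as bright runs on a
dark background; a thin run is a 0 and a thick run is a 1.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Run:
    bright: bool
    length: int  # number of consecutive rows


def row_profile_to_runs(profile: List[int], threshold: int = 128) -> List[Run]:
    """Run-length encode the profile: rows at or above `threshold` are bright."""
    runs: List[Run] = []
    for value in profile:
        bright = value >= threshold
        if runs and runs[-1].bright == bright:
            runs[-1].length += 1
        else:
            runs.append(Run(bright, 1))
    return runs


def runs_to_bits(runs: List[Run], short_max: int = 3) -> List[int]:
    """Pulse-width decoding: each bright run is one symbol.

    Runs of at most `short_max` rows (assumed cut-off) read as 0, thicker runs as 1.
    """
    return [0 if r.length <= short_max else 1 for r in runs if r.bright]


def looks_like_pulsed_scan(profile: List[int], threshold: int = 128,
                           min_pulses: int = 8) -> bool:
    """Heuristic flag: many bright stripes on a background that is mostly dark.

    A normal document scan is mostly bright; an empty scan with the lid open is
    dark with few or no stripes. `min_pulses` is an assumed cut-off.
    """
    runs = row_profile_to_runs(profile, threshold)
    bright_runs = sum(1 for r in runs if r.bright)
    dark_rows = sum(r.length for r in runs if not r.bright)
    return bright_runs >= min_pulses and dark_rows > len(profile) // 2


def max_symbols_per_scan(rows: int, long_pulse: int, gap: int) -> int:
    """Upper bound on symbols per scan if every symbol were the thick pulse plus one gap."""
    return rows // (long_pulse + gap)


def bits_to_profile(bits: List[int], short: int = 2, long: int = 6, gap: int = 4,
                    dark: int = 20, bright: int = 230) -> List[int]:
    """Build a constructed row profile for testing: each bit becomes one bright run
    (thin for 0, thick for 1) separated by dark gaps."""
    profile = [dark] * gap
    for b in bits:
        profile += [bright] * (long if b else short)
        profile += [dark] * gap
    return profile


if __name__ == "__main__":
    sample_bits = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0]
    sample = bits_to_profile(sample_bits)
    print("decoded:", runs_to_bits(row_profile_to_runs(sample)))
    print("flagged:", looks_like_pulsed_scan(sample))
    # A4 at 300 dpi is roughly 3508 rows; with a 6-row thick pulse and 4-row gap
    # that is about 350 symbols per scan, in line with "several hundred bits".
    print("symbols per A4 scan:", max_symbols_per_scan(3508, 6, 4))
```

The capacity bound is deliberately pessimistic (every symbol counted as the thick pulse); real throughput depends on scan resolution, speed and how thin a pulse the scanner still resolves, which the post does not quantify.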


Tip: restore privacy to Mac OS X Yosemite

If you've upgraded to Mac OS X Yosemite (10.10) and you're using the default settings, each time you start typing in Spotlight (to open an application or search for a file on your computer), your local search terms and location are sent to Apple and third parties (including Microsoft).

Washington Post:

“Once Yosemite is installed, users searching for files -- even on their own hard drives -- have their locations, unique user IDs and search terms automatically sent to the company, keystroke by keystroke.”

To fix this, either follow the link to download their Python script or follow these steps:

  1. Disable "Spotlight Suggestions" and "Bing Web Searches" in System Preferences > Spotlight > Search Results.
  2. You'll also need to uncheck "Include Spotlight Suggestions" in Safari > Preferences > Search. Safari also has a "Spotlight Suggestions" setting that is separate from Spotlight's settings.
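As an added check that is not part of the post or of the script it links to, the following audit reads the two preference files the steps above change and reports anything still in the leaky state. It relies on assumptions on my part about how the settings are stored: that Spotlight keeps its Search Results list as an `orderedItems` array in `~/Library/Preferences/com.apple.Spotlight.plist` with entries named `MENU_SPOTLIGHT_SUGGESTIONS` and `MENU_WEBSEARCH`, and that Safari's "Include Spotlight Suggestions" box is the `UniversalSearchEnabled` key in `~/Library/Preferences/com.apple.Safari.plist`. The sample plists are constructed to show the default and the corrected state; on a real machine the script reads the files themselves.

```python
"""Offline audit of the Yosemite Spotlight / Safari search-leak settings.

Assumed plist keys (see lead-in): Spotlight `orderedItems` with `name`/`enabled`
entries, and Safari `UniversalSearchEnabled`. plistlib reads both XML and binary
plists, so copies of the real files can be fed in unchanged.
"""
import os
import plistlib
from typing import Dict, List

# Spotlight result sources that talk to Apple / third parties (assumed names).
NETWORK_BACKED_ITEMS = {"MENU_SPOTLIGHT_SUGGESTIONS", "MENU_WEBSEARCH"}

SPOTLIGHT_PLIST = "~/Library/Preferences/com.apple.Spotlight.plist"
SAFARI_PLIST = "~/Library/Preferences/com.apple.Safari.plist"


def spotlight_findings(plist_bytes: bytes) -> List[str]:
    """Return the network-backed Spotlight sources that are still enabled."""
    prefs = plistlib.loads(plist_bytes)
    enabled = {item.get("name") for item in prefs.get("orderedItems", [])
               if item.get("enabled")}
    return sorted(NETWORK_BACKED_ITEMS & enabled)


def safari_findings(plist_bytes: bytes) -> List[str]:
    """Return Safari keys still in the leaky state.

    An absent key means the default applies, and the default is 'on'.
    """
    prefs = plistlib.loads(plist_bytes)
    return ["UniversalSearchEnabled"] if prefs.get("UniversalSearchEnabled", True) else []


def audit(spotlight_bytes: bytes, safari_bytes: bytes) -> Dict[str, List[str]]:
    """Combine both checks; an empty dict means the steps from the post are applied."""
    findings = {
        "spotlight": spotlight_findings(spotlight_bytes),
        "safari": safari_findings(safari_bytes),
    }
    return {k: v for k, v in findings.items() if v}


def audit_local_files() -> Dict[str, List[str]]:
    """Run the audit against the current user's preference files (macOS only)."""
    with open(os.path.expanduser(SPOTLIGHT_PLIST), "rb") as f:
        spotlight = f.read()
    with open(os.path.expanduser(SAFARI_PLIST), "rb") as f:
        safari = f.read()
    return audit(spotlight, safari)


# Constructed samples: the shipped default and the state after the two steps.
DEFAULT_SPOTLIGHT = plistlib.dumps({"orderedItems": [
    {"enabled": True, "name": "APPLICATIONS"},
    {"enabled": True, "name": "MENU_SPOTLIGHT_SUGGESTIONS"},
    {"enabled": True, "name": "MENU_WEBSEARCH"},
]})
FIXED_SPOTLIGHT = plistlib.dumps({"orderedItems": [
    {"enabled": True, "name": "APPLICATIONS"},
    {"enabled": False, "name": "MENU_SPOTLIGHT_SUGGESTIONS"},
    {"enabled": False, "name": "MENU_WEBSEARCH"},
]})
DEFAULT_SAFARI = plistlib.dumps({})  # key absent: default 'on'
FIXED_SAFARI = plistlib.dumps({"UniversalSearchEnabled": False})


if __name__ == "__main__":
    print("default state:", audit(DEFAULT_SPOTLIGHT, DEFAULT_SAFARI))
    print("after fix:   ", audit(FIXED_SPOTLIGHT, FIXED_SAFARI))
```

Run `audit_local_files()` on the Mac being checked; feeding the functions copies of the plists is the same check done from another machine, which is handy when auditing several workstations.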

The Real World is a Special Case

Over the weekend we had to respond to a call from a customer. The Team not only provides Red Teaming services; we can also act as first responders thanks to our experience in digital forensics.
This particular customer had a breach via one of his new suppliers, one we hadn't tested yet. We work very closely with this customer, and every time a new service or supplier is brought on board we provide the initial security and threat assessment. In this case we hadn't had the chance to test them. The supplier, we learned during the weekend, was wide open to attacks.
The Team is now helping mitigate the issue with the supplier, while our customer's CERT is looking into their own networks and systems.

All this brings me to a very simple truth that I've mentioned before many times: the real world is a special case.

The real world is more complex than your testing lab. The real world doesn't obey the rules you impose. The real world is not a vacuum, like most security certifications will have you believe. The real world behaves following its own chaotic rules, or lack thereof. If you try to plan for it, set your defenses only once and call it a day, the real world will eat you alive.
Attackers, adversaries - the bad guys - don't play by your rules. They play by their own, and, like the adversaries themselves, those rules come in many shapes, colors and intensities. If you think you know your adversary and plan for it only once, based on a single assumption... Well, you are not thinking straight.

The real world is a special case.

More and more we are seeing the increased complexity of the adversaries. Whether nation-sponsored, criminal or simply curious, the new breed of attackers don't get stuck trying to find the right exploit for your firewall or web server; they just go around them and find the weak links somewhere else. And yes, more often than not the weak link is the people that provide you with services: the suppliers, the partners...
Do they know your adversaries? Do you know their adversaries? When was the last time your partners had a security assessment done? How often do they do it?

Are they compromising your security posture? A posture you worked hard to build and implement?

Always cover your angles. Never assume, always verify.

Yes, the real world is a special case.


Plan Execute Vanish

Plan, execute and vanish. These 3 words should tell you how to go about doing your business. Just figure it out, make it happen and then leave... No trace.

This is the last Red Teams shirt that will be printed. No more shirts, so you better get it while you can. The goal is set low, 50. I'm sure you will find a good option, either a T, or a long sleeve or a hoodie. There are different colors as well. I am getting 7.

And some of the old shirts can still be ordered if enough people want them.


So true...

"RTJ Red Teaming Law #39 (“Ark”): It’s our sad experience that most people don’t think about red teaming until it’s already been raining for 39 days. The forecast for today is..."

This is one of those simple truths that unless you are told about it, you will always fail to see it.

Thank you Red Team journal for pointing this out.


Introducing Guerilla Red Team

We are lucky to have met a lot of really cool people during the past few years. Special operations, law enforcement, blue teams, hackers, emergency response teams, and many more.
These guys have a lot of cool stories, some of them we were part of as well. And they want to tell those stories.

So, in a few days we'll be launching a new part of the blog that we began calling Guerilla Red Team. The name, like most names, just came out during a discussion and well, it stuck.

This part of the blog will have stories from other red teamers, security teams, military units and law enforcement where either our Red Team was involved or the main story includes a Red Team or Red Teaming.

Now, we also want to hear from you. If you have a Red Teaming story, please send it. Please sanitize it, any OPSEC violation will trash the story. If you want to send along a picture with it, wait until we reply to you and attach it to the email.
What can you send? Any personal story recounting your Red Teaming experiences, or experiences with a Red Team.

So, while we compile some of the stories from our friends, send yours.



Digital tools

Most of you know many digital tools for recon, exploitation, etc. We've mentioned some here in the past few years as well. Of course, for distributed Red Teaming, one of my favorites is still Cobalt Strike and its underlying Metasploit.

There is a relatively new one (well, it's been out there for a while) that we have been testing lately, and while it is still a work in progress, it shows a lot of promise: the BeEF Project.

BeEF, or Browser Exploitation Framework, focuses on attacking and exploiting web browsers: "BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context."

You can read more about it and its architecture here, but it has been really useful to have it. It can be combined with Metasploit for a great set of web browser attack modules.

We'll continue to play with it.