Security Basics
Binary Analysis with Internal Solutions Jul 24 2012 03:14PM
nschroedl mtiorg com (3 replies)
RE: Binary Analysis with Internal Solutions Jul 24 2012 04:35PM
Simon Thornton (simon thornton info) (2 replies)
RE: Binary Analysis with Internal Solutions Jul 24 2012 07:30PM
Mikhail A. Utin (mutin commonwealthcare org) (2 replies)
RE: Binary Analysis with Internal Solutions Jul 25 2012 09:00AM
Simon Thornton (simon thornton info)
RE: Binary Analysis with Internal Solutions Jul 24 2012 07:43PM
David Gillett (gillettdavid fhda edu) (1 replies)
RE: Binary Analysis with Internal Solutions Jul 25 2012 08:25AM
Simon Thornton (simon thornton info) (1 replies)
RE: Binary Analysis with Internal Solutions Jul 27 2012 02:44PM
Mikhail A. Utin (mutin commonwealthcare org)
RE: Binary Analysis with Internal Solutions Jul 24 2012 05:56PM
Nick Schroedl (NSchroedl mullen-group com) (1 replies)
Thanks everyone for your input! With the human resources that we have
already + the qualitative assessment that was done + the relatively small
amount of binaries I believe that we have a strong case to justify the time
and money for this addition to our solution.

-----Original Message-----
From: Simon Thornton [mailto:simon (at) thornton (dot) info]
Sent: Tuesday, July 24, 2012 10:35 AM
To: security-basics (at) securityfocus (dot) com; Nick Schroedl
Subject: RE: Binary Analysis with Internal Solutions

Hi Nick,

NS> "Should binary analysis (i.e. reversing and fuzzing) be part of an
NS> internal vulnerability and pen testing solution?"

You are asking about two different activities with widely different
requirements in terms of the time and potentially resources needed. Fuzzing
is the simpler of the two exercises and can be automated, often used as part
of pentesting exercises. Reverse engineering is largely a manual process and
can be significantly more challenging and time consuming.

Part of the answer depends on the perceived attack surface (the risk of an
attack) and the impact a successful compromise would have. If this is an
internal application on a closed network not connected to the internet then
it may be worth it. If however this application contains data covered by
regulatory compliance and/or legal requirements (privacy laws) and it is
exposed directly or indirectly to the internet then this is different.

Start with a simple risk assessment, considering the data (classification)
processed by the application, location of the service, who accesses it etc.
This should give you an indication if you need to consider more in-depth
analysis. To go as far as reverse engineering would normally be predicated
on an event which cannot be explained by looking at source code, logs etc.
Examples might be

- if a security incident or breach occurred which could not be explained by
other analysis.
- Another example might be a requirement (legal/regulatory) that all
applications used strong ciphers or long key lengths and the source code was
not available.

My experience: most of the time reverse engineering is not justified from a
cost/risk perspective. Fuzzing interfaces can detect functional bugs not
caught through normal testing. Whatever the source of a vulnerability or
issue, the risk (impact/exploitability or impact/likelihood) needs to be
addressed.

Simon

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of nschroedl (at) mtiorg (dot) com
Sent: Tuesday, July 24, 2012 17:15 PM
To: security-basics (at) securityfocus (dot) com
Subject: Binary Analysis with Internal Solutions

Hello everyone,

A debate has been started in the office that I work in over
this question.

"Should binary analysis (i.e. reversing and fuzzing) be part of an internal
vulnerability and pen testing solution?"

There are mission-critical custom in-house software solutions
deployed here. My opinion is Yes, but others say it is a waste of resources
to go this deep into offensive security. Please send your comments and
opinions so that I can either win/lose this debate.

Nick Schroedl


RE: Binary Analysis with Internal Solutions Jul 25 2012 12:29AM
Pranav Lal (pranav lal gmail com)
RE: Binary Analysis with Internal Solutions Jul 24 2012 04:13PM
Ward, Jon (Jon_Ward SYNTELINC COM)
RE: Binary Analysis with Internal Solutions Jul 24 2012 04:08PM
Mike Vella (mike bakerross co uk)


 
