lunes, 24 de agosto de 2015

The theory of the Dark Ether

Recently we've been doing some testing with OpenSSL and MetaProgramming, which has put us to think about the structures and the manner in which programming languages and software functions; we prove that the properties in Java classes can be modified in real time, adding or deleting flags, this left us with a question, whether this can be done, what things could be done more?

In particle physics we have seen that the atoms are formed by electrons, protons and neutrons, which in turn are composed of quarks and leptons, which are the fundamental constituents of matter, we have seen how quantum mechanics explains how operates the subatomic world, we also see that detailed exceptional properties under certain conditions for certain items, our real world is made up of particles only and is not a solid world as many believe, other physical theories argue that matter is energy vibrating at different frequencies, heat, sound, light, that made us think about whether this could apply to software and programming languages.

Which is the software: they are simply a representation of objects in binary structures of 0 and 1, which are grouped in multiple ways to run something, the software can develop in multiple forms, Linear, Object Oriented Programming (OOP), Agent Oriented Programming (AOP), Aspect Oriented Programing (AOP), Language Oriented Programming (LOP) and others.

Initially our research was to see what could be done with classes, that are already compiled into a binary, during this test created a library called #Morpher this allowed us to access a more friendly way MetaProgramming wing without writing much code, with 5 lines was possible to cover an entire class and change properties at will.

This gave us a very crazy and strange idea, what if we could create a language and / or library that could do more strange and unusual things, which were light, fluid, amorphus, unregulated, untraceable, that could change fields, methods, constructors and classes, which could be introduced in any language and / or platform, this gave us the idea of something called #DarkEther that could be a single library or a programming language.

#DarkEther This is something that could change the concepts we've had for years about the software, it seems really interesting topic, so that's why we decided to dedicate some time to this research and the possibilities this theory, if this results in what we're thinking we could probably do #BlackMagic with the software on real-time , modifying it and transmuting it into what we want, and if we mix it with IA, the possibilities would be endless, this could create new unexplored areas in computing science, security and vulnerability analysis.

If you want to move an immovable object, stop something unstoppable and change something unchangeable, you need change the properties of that element.

Dark Ether

sábado, 22 de agosto de 2015

Why my publications appear as Jheto Xekri

The reason name "Jheto": Many years ago there was a tv show called "The Highwayman (1988)", this guy is Mark "Jacko" Jackson, my old friends confuse "Jacko" by "Jheto" and "Xekri" is the last name of an old avatar, this is the reason.

Mark "Jacko" Jackson

The Highwayman Opening

Greetings to all my old friends.

Changing the Language Rules

For years we have seen countless attacks on various platforms, in this case explain one in Java, which can be reproduced in other languages ​​and platforms; all developers and security analysts take for granted the fact that if programs well your code can keep you safe, the truth is not true, everything can be transformed from something immutable to something mutable, and then changed into what you want now reflections support the many languages ​​among them are Java, JavaScript, Objective-C, Perl, PHP, Python, R, Ruby, C# and others.

Just imagine what would happen if an application could change the default Java or may access protected and hidden features, imagine that someone makes are the other way round Boolean = false true, false = true, the numbers have different values 0 = 1, 2 = 0, etc., or worse to a function FINAL or PRIVATE and it is not, is really simple, this is possible and someone will make a large scale, but it is already doing.

Below we will show some pictures that prove and describe our Morpher lib.

An class on other package

Runtime modification

Morpher library


The truth is only one, can change whatever we want wherever we want, modify constructors, methods and fields and be turned on hooking classes/methods, overwrite classes/methods and bypass more things on the source code at runtime.

jueves, 13 de agosto de 2015

The Beginning of the Age of Digital Chaos

It is well known throughout the community of security researchers in industry very bad practices are used, in the case of mobile devices 90% of applications they are vulnerable to multiple attacks scams, often large companies much development software very insecure, they are from exposing user data to expose credit card numbers, in desktop and server applications, it is exactly the same, duarante some time we have been researching about this and we have seen that there are other platforms that could be attacked, a typical case is that of the ATM, which work with Windows XP, we all know that is not the most secure operating system that has exist, investigate more on the subject and we found that there are other much more critical software that can expose much more serious things the user accounts, email or credit card, in the case of embedded systems, Cloud and RTOS.

We have been observed that, CLOUD, SCADA (Supervisory Control and Data Acquisition) RTOS (Real Time Operating System) and Embeded systems, are implemented in systems critical systems, which can trigger a global catastrophe, there are multiple methods that could be used to attack these systems.

I think these systems are fully of security flaws that nobody has seen, not even the developers know that it is there.

Speaking of bad practices carried out by industry and governments to use Windows as the operating system for critical systems, a typical example is the US government that continues to use Windows for your things, I think it's really bad to have a windows in a security agency or military department.

Moreover we have some good practices by the military industry which bases its systems on Linux platforms with DO-178B certification, this dependent nuclear reactors, missile batteries, warplanes and other military equipment critical, this left me a question, well I've seen some news about attacks on military equipment and critical systems and reactors nuclear and more, ask me something, this is really safe or people afraid make a deep analysis and find that is another system operating that can be attacked and violated ?

I know this post, many guys of DoD and other governments going to hate me, perhaps this will bring me many problems and put me in the eye of the hurricane, but my task is to create secure things, improve the software and expose those that are not already received some messages about this, few other former military and civilians.

For a long time we have seen how hack cars, cell phones, PCs, servers and am 100% sure that this also applies to embedded systems, CLOUD, SCADA and RTOS. 

Which is an RTOS: it is basically a linux that works in real time and some versions are safer than others, some designed to never collapse and some not so, but basically it is a linux that works with binary ELF (executable and linkable format) and these binaries either way can be attacked.

Initially we have been working on a project called #VectorAttackScanner which will be the first product of our company Vector Xtreme Technologies (VXT), which was initially centered on the detection vulnerabilities in mobile devices and operating systems such as Windows and Linux, started this project because they all know that there are guys who can violate the security of memory protections such as RELRO, PAX, ASLR, DEP, PIE, NX, SSP, StackCanary among others more, because we think that a small idea, what if we create something that tells us where we can attack and that you should be improved so that they do not, and that's what makes our tool.

For all these reasons we have decided to expand our target to the analysis of SCADA, embedded systems, RTOS and CLOUD, to provide a tool for the analysis of problems in critical systems, we do not want one of these days, get some crazy and give him by blowing a pair of nuclear reactors or just trigger a third world war, we all know that in this world there are motherfuckers get up every day looking forward to watch the world burn.

Only two things: are just busting software that is poorly developed and that all ensure that something is safe does not make it safe, so have all certifications in the world.

By Jheto Xekri