Welcome to Clear Hat Consulting, Inc.

The growth of the internet and an increasingly globalized economy have resulted in rapid advances in information technology. Unfortunately, there have been equally rapid advances in malicious code technology. While host-based firewalls, antivirus, and intrusion detection systems have made significant improvements in both technology and scope of deployment within the past few years, many of these products remain inadequate against more advanced forms of stealthy malware, including rootkits, trojans, and backdoors.

Stealth malware may covertly exfiltrate sensitive information and undermine the data security of both companies and government infrastructures. Furthermore, the loss of sensitive data has been recognized as a growing problem from the standpoint of regulatory compliance. In recent years, there has been an increase in government and commercial regulation mandating increased control over sensitive information. These include the US Health Insurance Portability and Accountability Act (HIPAA) pertaining to the disclosure of medical records, the Gramm-Leach-Bliley Act's Financial Privacy Rule, which governs disclosure of personal financial information by financial institutions, and the Payment Card Industry Data Security Standard (PCI DSS), which provides guidelines to help organizations that process credit card payments prevent credit card fraud and other security threats.

To address these growing concerns, Clear Hat Consulting was founded in 2007 by Sherri Sparks and Shawn Embleton. Clear Hat Consulting is dedicated to assessing security risks in emerging operating system and hardware technologies and aiding in the development of advanced and / or custom security tools. We also provide reverse engineering / analysis of advanced Windows malware and custom technical trainings and seminars to help clients understand both stealth malware techniques and the counter-techniques used to defend against them. Trainings or seminars can be tailored from a basic overview to highly technical, depending on your needs.



(5/12/2008) "Hackers Find a New Place to Hide Rootkits"

Check out the article about our upcoming SMM rootkit talk over at PCWorld.



(5/10/2008) Upcoming Black Hat 2008 Talks

The Clear Hat team will be presenting on two topics at the upcoming Black Hat security conference. The abstracts are listed below:

A New Breed of Rootkit: The SMM Rootkit

Virtualization rootkits have been a hot topic for the past couple of years. In this talk, we will discuss a new type of malware with potentially even greater stealth: the System Management Mode (SMM) rootkit. System Management Mode, a relatively obscure mode on Intel processors, provides an isolated memory and execution environment. SMM code is invisible to the operating system yet retains full access to host physical memory and complete control over peripheral hardware. We will demo a proof-of-concept SMM rootkit that functions as a chipset-level keylogger. Our rootkit hides its memory footprint, makes no changes to the host operating system, and is capable of covertly exfiltrating sensitive data across the network while evading essentially all host-based intrusion detection systems and firewalls.

Deeper Door - Exploiting the NIC Chipset

In this presentation we will discuss a couple of significant problems in existing IDS / firewall technology and present a proof-of-concept "chipset"-level rootkit / network backdoor that is capable of bypassing virtually all host-based firewall and intrusion detection software on the market. These, of course, include popular, widely deployed software like Snort and Zone Alarm Security Suite. Our backdoor operates at an even deeper level than previous backdoors (e.g. Joanna's "DeepDoor" rootkit) because it interacts directly with the chipset interface of the NIC hardware. Capabilities include the ability to both covertly send AND receive packets. We use both of these capabilities to implement a simple command and control interface. Implications for security vendors include the exfiltration of sensitive information and delayed detection of malware threats like DDoS attacks, botnets, and worms.



(8/3/2007) VMM Rootkit Framework Released

Check out our bare-bones Virtual Machine Monitor rootkit framework, released at www.rootkit.com.