The conference SOURCE Barcelona 2011 is already over. Waiting for my flight back to Belgium, it’s time for my wrap-up! This year, an OSSEC training was initially scheduled with my friend Wim Remes but it was cancelled due to the lack of registrations. It looks that “defensive” security trainings do not have the same success as “offensive” ones. It could be interesting to analyze why! Anyway, we are ready to give the training during another conference, just contact us! (personal marketing Being free, I proposed my services to the SOURCE organizers as volunteer.
After a smooth flight to Barcelona, I arrived on Tuesday evening just in time to take part to the speakers party at the apartments reserved for the conference. That’s something really unique (from what I know) to SOURCE: speakers, crew and some participants are sharing a bunch of apartments instead of hotel rooms. That’s a unique way to meet old and new friends and to continue discussions about security topics once the talks are over (and sometimes, to have some party time – honestly )
After a long (or short – depending on the way you address the problem) night, the first day of talks started. Same place as last year: the MNAC. But something new this year: instead of split between technical and business, tracks were organized in parallel based on the language. In room #1, talks in Spanish and talks in English in room #2. Good initiative to offer quality talks to Spanish people if some were not very fluent with the Shakespeare language. That’s also the goal of security conference: offer quality content to local people who cannot always travel thousands of kilometers. As a volunteer, I was busy with the video recording of the Spanish talks. A good opportunity to increase my Spanish knowledge which was close to /dev/null. Presentations highly technical with the support of slides, it was quite “understandable“! What did I learn?
Xavier Mendes and Christian Martorella presented wfuzz, a fuzzer for web applications. The presentation was mainly a review of the core wfuzz features. I won’t list them here, just have a look on the website. It looks like a good tool for pentesters.
Manu Quitans and Frank Ruiz explained how cyber-criminals work from a technical point of view. They explained the infrastructure deployed by a bad ISP operating from Eastern Europe to deploy malwares, software packs etc. They also reviewed of the business runs on the dark side of the Internet.
Just before the lunch, Jose Selvi presented a very interesting talk about new ways to use covert-channels. In information security, a covert channel is:
“a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.” (Source: Wikipedia)
Today, classic covert-channels are usualy detectable and it became more difficult to use them. A very good example is the DNS tunneling. So, new techniques must be used to be able to safely/quietly extrude data from an attacked network. Jose explained that, again, HTTPS is a good friend. As many modern web 2.0 websites have multiple ways to generate content, why not use them as a covert-channel? For his proof of concept, he developed a nice tool called “facecat” (for “Facebook Netcat“). By using his tool, you could use Facebook as a pipe wall. Awesome demo! Follow Jose on Twitter, this is a cool guy!
After the lunch, talks started again with a presentation about the Android platform: The analyze of Android applications (“How’s your Android Kung-Fu“) by Guerrero Selma (Malware Intelligence). By reversing a malware, Guerrero explained how security features are implemented on the Android platform and how they can be avoided. He also showed a live demo of a TapJacking attack which is normally fixed by Google but which still affect most Android devices.
Jordi Serra-Ruiz talked about stenography. After a definition of “stenography”, Jordi also reviewed its history. Forever people have tried to hide messages. You know, Alice sending a message to Bod and intercepted by Eve. Several techniques were invented and using during centuries: by hiding some letters or words inside a text (and revealed using a “mask”), by using invisible ink, by using microscopic fonts. Today, in the digital era, the same problem remains but other techniques emerged. One of them is the “Least Significant Bits“, “Fast Fourier Transform” or “Discrete Wavelet Transform“. I liked the history, good idea!
Daniel Pelaez presented “Security Godness with Ruby on Rails“. This development framework became quickly popular amongst web developers. But is it secure and how to make it more secure? That was Daniel’s topic. He started with a basic introduction to RoR. Basic defense points remain the same (authentication, authorization, sanitization, etc). By default, RoR may reveal interesting/dangerous stuff: It’s easy to detect Ruby versions based on the default error pages. Then Daniel reviewed a checklist of points to address while auditing a RoR application. From my point of view, it’s just applying the OWASP Top-10. Nothing new here. Tip: there are plenty of Ruby plugins which can help you to increase the security of your web application.
Last talk for day one about the cloud computing! What a surprise! This one was more business oriented. Antonia Ramos Garcia explained what is the “rating” of something. And particularly, how to rate the risks of applications moved to the cloud? Rating can be represented by lot of symbols (“AAA”, “A1″, “A+”, etc) but everybody must agree on those representations.
The day finished with a restaurant and some drinks in the center of Barcelona.
Second short night, second day of talks! Today all the talks were presented in the same room. The first one was performed by Stefan Friedli (@stfn42). “How to NOT to do a pen test” (I liked the mention “good morning edition“). The presentation was close to the one presented at BruCON. As I missed it, it was a good opportunity to finally listen to Stefan. First approach, who need a pen test? To request a pen test, you first have implemented basic security. If your systems are not properly patched, fix your shit first! Then, what’s a good/bad pentester? How to do things correctly. A few months ago, Stefan started with friends the “PTES” project. He was involved in the “reporting” aspects. Some good examples of “bad” visualization were showed. Note that the first version of the PTES is not available for comments. Get it and review it!
Second talk was performed by Josh Pennell: “There’s an App for That“. Another talk that I missed at RSA Europe last month. Could we imagine that a few years ago: “Your smart phone has more power than all of the NASA in 1969!“. After a small history of smart phones and some market facts, Josh reviewed the actors attacking mobile devices: script kiddies, hackers and organized crime, nation states and government sponsored! Without forgetting the insiders! Mobile devices contain huge interesting data about your life! Some of them could be very valuable! Some threats are political: mailboxes monitored, mails forwarded to 3rd party servers, etc… There are also legal threats: Who owns the device? Who’s responsible for its security? How/where are stored the data? The infrastructure could also be attacked (OpenBTS). The operating systems used by mobile phones have also vulnerabilities. ALL devices have vulnerabilities and malwares (mobilespylogs.com). By default phones parse a lot of file formats by default and without user consent! (PDF, MP3, RTF, DOC, XSL etc…). This talk was excellent to discuss further about the “BYOD” (“Bring Your Own Device“) issues faced by companies.
Third talk by Iftach Ian Amit (@iiamit) about data exfiltration. First, how to break in? Using exploits! All organizations have plenty of applications, systems which can be broken. How?
- Make people click! (people are curious)
- Use USB stick (people like gifts)
SET is your best friend (a tool present on the BackTrack Linux distribution). You may also create some kind of association with your target (ex: smoking areas or coffee machine are very nice place to gather interesting information)
The next step is targeting. A goodtTip: from a defensive point of view, use the same tools as attackers to make a map of your organization across social media, search engines etc. This could reveal interesting stuff. Pay attention to : file servers, DB, file types, gateways, printers. In some cases, patience is required: There is a huge difference between APT (5-6 months to be detected) and a mass infection (5-6 days)! Finally, the third step: exfiltration of the data you found. As IDS are based on signatures, our goal will be to work below the radar. Example: by using encryption but it remains suspicious! A signature headers removal or a simple XOR will often do the job. But we are lucky: With web 2.0 tools, “resistance is futile“. It’s very easy to put data online. Open a blog, create articles with your encrypted data, get them via the RSS feed and recompose your data. Data can be printer encrypted. Often they will be compared to garbage and put directly in the recycle bin. Just grab them and use an OCR software to get the data back (another tip: choose a good font). Use Talk pages in Wiki (not displayed by default). And after all, why not send your files thru a regular phone line? We saw a demo of data2sound.py / sound2data.py. This pair of tools create a wav file from an ASCII file. It’s easy ro record the wav file on a voice mailbox!
During the lunch, I met very interesting people e.g. a guy from the Japan CERT (sorry, don’t remind his name) and a US lawyer, David Snead. David is specialized on the ISP business and presented the first talk of the afternoon with Nadeem Bukhari about legal & technical strategies addressing data in the cloud. One of the key question for regulations: When is there a breach? How to define a breach? They don’t have a unique definition! In the US, breach notification is legal! Second step: who will pay? After the theory, Nadeem explained why things go wrong. Big names were used: TJX, Amazon, Google, RSA, NASA, ESA. Regarding patching: virtual systems are 60% less secure than their physical counterparts (source: Gartner) and Deloitte said “Audit trails/logging issues” is in top-5 of internal/external audit findings. Nadeem insisted on the digital evidence of audit trails. Interesting talk…
Last minute planning change. Josh Kebbel was not available. Chris Nickerson replaced him with an awesome presentation. Fully based on funny pictures, Chris compared the attack techniques of several civilizations and countries. He said “The only patch for human stupidity is experience“. When you are attacked, you have always an advantage: you know your environment. Chris has always plenty of real-life examples like the one with is fixed roof but window left open. This is the same in information security (your users will be stupid things). Keep in mind:
- Try doing thing!
- There is no such things like set and forget
- There is no magic bullet
- Complexity reduces security
- Figures out what matters most and protect it first (priorities)
What to attack?
- The product line
- The brand (so easy!)
- The employees
- The bottom line
The last speaker was Josh Kebbel who spoke about a new approach to software development at Adobe. To fight against the growing number of exploits targeting the Adobe products, they decided to set up a group called “ASSET” (“Adobe Secure Software Engineering Team“). Interesting, people participating to the program have a level identified by a “karate” belt (white, green, brown, black). Base on a “Security Certification Program“, they increase security awareness across the people. It looks like a good internal initiative to increase the security of their products.
This is over for 2011! I met new Twitter friends in real life, meat good friends, had good times not it’s time to get some sleep to recover! Thanks to the SOURCE crew for this conference!