HITB Amsterdam Wrap-Up Day #1

The HITB crew is back in the beautiful city of Amsterdam for a new edition of their security conference. Here is my wrap-up for the first day!

The opening keynote was assigned to Marcia Hofmann who worked for the EFF (the Electronic Frontier Foundation). Her keynote title was: “Fighting for Internet Security in the New Crypto Wars”. EFF always fight for more privacy and she reviewed the history of encryption and all the bad stories about it. It started with a fact: “We need strong encryption but we need some backdoors”. Since encryption algorithms were developed, developers received pressure from governments to implement backdoors or use weak(er) keys to allow interception… just in case of! This already happened before and will happen again.

In a prologue, Marcia explained how everything started with the development of RSA and Diffie-Hellman. For some other protocols like DES, it was clear that the development team was very close to the NSA. They deliberately asked to use weakest key to help them to brute-force the keys. In the 80’s and 90’s, cryptography was developed more and more by the private sector and academic researches. Personal computers raised and people started to encrypt their data. Then came the famous PGP, key escrow and clipper chip. Marcia also explained the CALEA (“Communications Assistance Law Enforcement Act”): The technology must be designed in the way the FBI could intercept communications if needed (of course, with a proper warrant). Then came the restriction about encryption stuff export outside the US. It was a good opportunity for Marcia to give some words about the Wassenaar agreement and the recent story about the project to prevent export of intrusion software and surveillance technology. Today, the Snowden era, governments are seen as attackers. NSA was able to tamper all our data but also infiltrated major Internet players. What about the future? What should happened and what should we do? Marcia took a pendular as example. Some forces have impacts on the way a pendula moves. There are different external pressures which affect how security is designed:

• Laws,
• Norms,
• Architecture,
• Market.

After the morning coffee break, I went to the second track to follow Pedram Hayati’s presentation: “Uncovering Secret Connections Using Network Theory and Custom Honeypots”. The first part gave background information about our classic defence model and honeypots. In a traditional security model, the perimeter is very hardened but once the intruder is inside, nothing can stop him. We keep the focus on making the perimeter stronger. It’s coming from the physical security approach (the old castles) and attackers put all the efforts to bypass a single high barrier. Our second problem? We enter a battle without knowing the attackers. Idea of active defines and protection. Active defines is defined as:

A security approach that actively increases the cost of performing an attack in terms of time, effort and required resources to the point where a successful compromise against a target is impossible.

To achieve this, we need:

• Profile the attacker
• Disrupt its tasks
• Prevent

The Foundation is knowing the attacker! So what tools do we have? Our logs of course but honeypots can be very helpful! In the second part, Pedram explained what honeypots are… “a decoy system to lure attacker”. They increase the cost of a successful attack: the attacker will spend time in the honeypot. It is fundamental that it looks legitimate but it has signatures and behaviour, that’s why it must be fully configurable to lure the attacker. Some principle:

• Do not fake network services or re-implement a network protocol.
• Segregation of duties (interaction, monitoring, storage)
• Smart Deployment (use an unused public IP, internal network, previously used IP)

The next section was the experiment. Pedram deployed 13 honeypots in major cloud providers (AWS, Google), distributed across the Internet. They mimic a typical server and have IP addresses not published (no domain mapping). The goal was to identify SSH attacks, discover attacks profile per region and relations between them. How long to detect the first infection? On average, less than 10 mins! An analyse of the collected data was performed and it was possible to classify the attacker in three categories:

• Commanders
• Infectors
• Brute-forcers

Pedram also explained how he generated nice statistics about the attackers, their behaviour and locations. To conclude, he compared the attackers as somebody throwing bricks through windows. How to we react? We can take actions to prevent this guy from sending more bricks or we can buy bullet-proof windows. It’s the same with information security. Try to get rid of the attackers!

My next choice was a talk about mobile phones operators: “Bootkit via SMS: 4G Access Level Security Assessment” presented by Timur Yunusov and Kirill Nesterov. Today, 3G/4G network are not only used by people to surf on Facebook but are also used more and more for M2M (“machine to machine”) communications. They explained that many operators have GGSN (“GPRS Gateway Support Node”) facing the Internet (just use Shodan to find some). A successful attack against such devices can lead to DoS, leak on information, fraud, APN guessing.

BTW, do you know that, when you are out of credit, telco’s block TCP traffic but UDP remains available? It’s time to use your UDP VPN! But attacking the network in this way is not new, the speakers focused on another path: attacking the network via SMS! About the hardware, they investigated some USB modems used by many computers. Such devices are based on Linux/Android/Busybox and have many interesting features. Most of them suffer of basic vulnerabilities like XSS, CSRC, ability to brick the device. They showed a demo video to demonstrate an XSS attack and CSRF to steal the user password. If you can own the device, the next challenge is to own the computer using the USB modem! To achieve this, they successfully turned to modem into an HID device. It is first detected as a classic RNDIS device then it is detected as a keyboard and operates like a Teensy to inject keyboard keypresses. You own the modem, the computer, what about the SIM card? They explained in details how they achieve this step and ended with a demonstration where they remotely cloned a SIM card and captured GSM traffic! The best advice they can give as a concluse: always change your PIN code!

After the lunch, Didier Stevens and myself gave our workshop about the IOS forensics. I did not attend two talks but my next choice was to listen to Bas Venis, a very young security researcher, who talked about browsers: “Exploiting Browsers the Logical Way”. The presentation was based on “logic” bugs. No need to use debuggers and other complicated tools to find such vulnerabilities. Bas explained the Chrome URL spoofing vulnerability and he discovered it (CVE-2013-6636).

Then he switched to the Flash players. The goal was to evade the sandox. After explaining the different types of sandboxes (remote, local_with_file, local_with_network, local_trusted and application), I explained that the logic of URL/URI is not rock solid in sandboxes and lead to CVE-2014-0535. The conclusion was that looking for logic bugs and using them proven to be a sensitive approach when trying to hack browsers. Sweet results can be found and they do not require tools but just dedication and creativity. Just a remark about the quality of the video, almost unreadable on the big plasma screens installed in the room.

Finally, the first day ended with a rock-start: Saumil Shah who presented “Stegosploit: Hacking with Pictures”. This presentation is the next step in Saumil’s research about owning the user with pictures. In 2014 at hack.lu, he already presented “Hacking with pictures”. What’s new? Saumil insisted in the fact that “A good exploit is one delivered with style”. Pwning the browser can be complicated, why not just find a way to simple trick the exploit? The first part was a review of the history of steganography which is a technique used to hide a message into a picture, without altering it. Then came the principle of GIFAR: One file file with a JAR file appended to it. Then webshells raised with the embedding of tags like “<?php>” or “<% … %>”. Finally EXIF data were used (example to deliver a XSS).

Stegosploit is not a new 0-day exploit with a nice name and logo. It’s a technique to deliver browser exploits via pictures. To achieve this we need an attack payload, a “safe” decoder which can transform pixels into dangerous data. How?

• From the network, the images must only see images (ex: IDS)
• The exploit is hidden in pixels, no change in the picture itself
• The image auto-run upon load (the decoder must be bundled with the image)
• The exploit must be automatically decoded and triggered

Be conservative in what you send and liberal in what you receive. (Jon Postel)

This closed the first day! Note that slides are uploaded after each talk and available here.