Last weekend, an ethical hacking event was organised in Belgium. The Hacknowledge Contest came to Charleroi and was hosted at the CPEHN. This event was previously organised only in France, thanks to the initiative of the ACISSI. Last year, they decided to open their challenges to other countries. The current list of participating countries is: Côte d’Ivoire, Morocco, Benelux, Spain and France. The organisers are already looking to extend their list with other countries. If you are interested, maybe contact them.
Initially, I registered a small team with a colleague and in the end we were five ethical hackers/friends participating as “UID(0)“. So, we arrived in Charleroi on Saturday afternoon to attend a bunch of small talks around information security. A small event with a relaxed atmosphere. The covered topics were:
Zataz.com, the well-known French website, and the process in place to notify organizations of data breaches and/or security issues.
The security of our payment cards starting from old models based on a magstripe up to the state-of-the-art (but not from a security point of view) NFC chipsets.
A nice presentation about social engineering with lots of funny examples (my favourite presentation, by Seb Baudru; see the picture below)
IPv6 & security
An overview of the security landscape in Belgium (latest major security incidents and who to contact in case of issues: CERT.be, FCCU, etc.)
After a break and the registration of all teams, the challenges started for a period of 12 hours (Saturday 10PM to Sunday 10AM). No CTF, no blue team nor red team, but a list of challenges to solve, similar to the SANS NetWars. Each challenge solved gives you points. Seventy challenges were split into categories like:
Hardware (lockpicking, Teensy, barcodes, …)
It was a very friendly event, with a good atmosphere and music. We finished in third position, but very close to the second team… Only the first two teams won, too bad! The final contest will be organised in France and the winning team will receive a very nice prize: an all-inclusive trip to Las Vegas to attend the DEF CON security conference!
I don’t often participate in events like this one. I liked the limited number of teams (5) and the friendly atmosphere between the teams. Not too small, not too big, well organized. The event was also covered by some Belgian media.
Here is a quick wrap-up of the first OWASP Belgium Chapter meeting of 2013, organised today in Leuven. SecAppDev is running this week, so it was a good opportunity to bring some trainers over for an evening meet-up: Yves Younan and Steven Murdoch. Lieven, from the OWASP team, gave a small review of the current Belgium chapter & projects. The room was full of (new) people. There were so many attendees that the organisers had to do a last-minute switch to a bigger room! That’s very good: seeing old friends is always nice, but new faces are always welcome. OWASP has so many important messages to broadcast to people. If you have never attended such an event, please do next time… and it’s free!
The first speaker, Yves, is a Security Researcher at SourceFire and talked about “25 years of vulnerabilities“. To perform this research, Yves had a look at the main vulnerability databases like CVE & NVD. The goal was to build an overview of the vulnerabilities reported during the past years and, based on that, to see whether some trends could be expected for the coming years. Since vulnerabilities started being indexed (in 1988), 54.000 vulnerabilities have been reported. Yves gave some statistics based on two levels of criticality: the serious vulnerabilities (CVSS >= 7) and the critical ones (CVSS = 10). This scoring is based on multiple factors like remote exploitability, impact on data integrity, availability, etc. Note that if not enough data is provided, the vulnerability is by default classified as critical. This is a safe behaviour: if you don’t know your enemy, expect the worst. Since 1988, there has clearly been a trend, as seen in the picture below, but fewer vulnerabilities were tagged as “serious” (33% in 2012). 9.16% were tagged as “critical” in 2012. Vulnerabilities are classified by type:
Buffer errors (overflow)
The most frequent types were buffer overflows, XSS and access control. Top-3 serious vulnerabilities: buffer overflow, SQL injection & code injection. For critical vulnerabilities: buffer overflow, “not-enough-info” and access control. And what about our best friends, the vendors? The top-10 vendors account for 14K vulnerabilities, but we must keep in mind that some vendors have a lot of products in their catalog. The top-3 in numbers was Microsoft, Apple & Oracle. The serious top-3 was Microsoft, Apple and Cisco; the critical top-3 was HP, IBM & Mozilla. BTW, Oracle will almost certainly climb some positions in 2013.
About the products:
In numbers: Firefox, Mac OS X, Chrome
Serious: Microsoft XP, Firefox, Chrome
Critical: Firefox, Thunderbird, Seamonkey.
Note that some products share a lot of code, think about Firefox & Thunderbird (both are developed by Mozilla). What about Linux? Red Hat is the winner, followed by SUSE & Gentoo. And for Microsoft, the winners are Windows XP, Server 2003 and Server 2000. Of course, for a few years now, mobile phones have also suffered from vulnerabilities. In this scope, Apple is the winner with its iPhone, which accounts for 81% of the mobile vulnerabilities. This looks strange because there is much more malware for Android. Then Yves explained the methodology used to try to count 0-day vulnerabilities for Microsoft products. How? If a CVE is published before a Microsoft Security Bulletin, it can be considered a 0-day. Results? In most cases, Microsoft communicates before a CVE is assigned. Only 13% could be considered 0-day vulnerabilities.
And what is the situation today? (statistics for the period from 1 January to 14 February) The type “not-enough-info” comes in first place. Buffer overflows remain in 2nd position. And who’s the top vendor? Guess who? Oracle of course, with the multiple Java vulnerabilities reported in the last weeks. Finally, Yves tried to give some predictions about the future. For him, buffer overflows will remain a very important type of vulnerability. Access control and privilege issues will grow. At vendor level, Oracle will remain in 1st position and Google will probably enter the top-10.
Some conclusions to this research? Fewer vulnerabilities were reported in 2012 but the percentage of critical ones increased, and this trend is expected to continue over the next two years! If you would like to read more about this topic, the full report is available here. The talk was not technical and was only based on vulnerability databases. I would have expected more facts. Usually, I don’t have a lot of time to read such reports full of statistics, and this presentation was a great opportunity to review the report content. Maybe a last tip: regularly check sites like CVE, NVD or OSVDB to stay up to date with new vulnerabilities.
After a small break, Steven, a Senior Researcher at the University of Cambridge, talked about a hot topic: security in banking applications. In the UK, “Chip & PIN” (based on the EMV standard) has been available for five years now. It’s convenient: the user puts his card in a reader and gives his PIN. The UK was a very early adopter (2006) of this system. The goal of EMV was to drastically reduce fraud. Did it succeed? That’s not certain. Steven reviewed some statistics about fraud, and some types, like counterfeit fraud, even grew. Techniques exploit backwards compatibility issues. Indeed, the old magstripe can still be used as a “failover” because the upgrade to Chip & PIN was too complex and expensive to be performed in one step!
Counterfeit fraud increased again after the deployment of EMV. It is easier to collect PINs at a POS than at an ATM. Attackers try to find the weakest link. Online banking fraud started in 2009 and is growing. The liability for some fraud shifted from the merchant to the customer. Another fact: PoS (“Point of Sale“) terminals are difficult to harden compared to regular ATMs. Steven gave detailed information about the vulnerability discovered by his university.
Then he talked about the “no-PIN attack“: it allows criminals to use a stolen card without knowing the PIN. To achieve this, you need a device between the genuine card and the reader. This is a kind of MitM attack. A demo was even performed for UK television:
This was three years ago! And today, what’s the situation? Well, according to Steven, not much has changed. The attack still works against cards issued by some banks and not against others. Why was this attack possible? Because EMV is complex, the flags exchanged between the card and the reader are badly designed, and implementations have problems. For the banks, it’s just a matter of risk: given the number of transactions, banks can accept the risk of facing some fraudulent events. Finally, the latest type of fraud, which is still growing in the UK, was reviewed: phishing & keyloggers. Steven presented the different types of devices/controls used to authorise transactions, like more or less complex CAPTCHAs, TAN or DigiPass, but most of them also have issues.
Steven’s conclusion: EMV systems are open to a variety of attacks. Their complexity is problematic. Too few defensive measures are implemented, and customers are still left liable. Today, for online banking, transaction authentication is essential, which requires a trustworthy display. The research is available here. Compared to the first one, this presentation was very technical. Maybe a little too technical for me, as I have no experience in this field.
Belgium is a strange country… at various levels! For years, Belgium has been known as a country that quickly developed and distributed electronic identity cards (eID) to its citizens. Your eID can be used in multiple applications to authenticate citizens and to sign documents. The number of applications and websites keeps growing constantly. Private organizations can also integrate the eID in their applications! Looks great…
Today, I had to use my eID on my MacBook for the first time. Step one: download the software and install it. Piece of cake, I visited this page, downloaded the .dmg and installed it. I’m running the latest version of OS X, Mountain Lion. This one introduced a significant new feature called Gatekeeper, a new security system to help keep users from installing malicious applications on their machines.
Guess what? When I started the eID software, I got this nice warning:
I find this unfortunate on the part of Fedict, the Federal Public Service for Information and Communication Technology, which is in charge of the eID infrastructure. I had to use my eID, so I temporarily lowered the security level of Gatekeeper to perform a smooth installation, then re-enabled the default settings. I’m not saying the software is unsafe, but that’s a Belgian joke… using unsigned software (at the Apple level) to sign my documents!
The title of this quick post says it all… even more so in the security field! This story was reported to me by a friend of mine. His wife wanted to dispute a transaction made with her credit card. Never a funny story, but it can always happen! (My own card was also compromised two years ago, even though I always use it very carefully.) She called the help desk of the card provider and was redirected to a nice website called “www.macarte.be“. Here again, that’s a classic process: companies tend to simplify procedures and ask customers to help themselves.
Basically, the website contains a lot of useful information about payment cards. You could see it as a big “FAQ“. The website also gives some tips to use your cards in a safe way. That’s important, security is crucial in the payment card industry! Of course, they give warnings about transactions on the Internet:
For my readers who do not understand French, they give here the classic advice:
“A safe website can be identified by the small closed lock displayed by Microsoft Internet Explorer or a key displayed by Netscape Communicator in the lower-left corner. The URL also has an extra letter ‘s’ and looks like ‘https://www…’”
(Note to the webmaster: Netscape Communicator is considered as dead for years…)
Like you, infosec professionals, I know that this small lock or key doesn’t mean much, but for Mr John Doe (or my parents) it’s an easy way to identify a “safe” website. For me, the problem is the following: on the same website, people can fill in a form to complain about a suspicious transaction. They are asked to provide a huge amount of information:
And guess what? The website runs over plain HTTP! I innocently tried to connect manually via SSL by adding the magic little “s” (just in case they had forgotten to implement a redirect): no luck! Isn’t it worth the price of an SSL certificate? GoDaddy.com, 3.89€/y!
Yesterday I attended the first edition of a new event: the Belgian Internet Security Conference. It was organised by some key players from Belgian Federal organisations like CERT.be, Belnet and FedICT. The goal of this one-day conference was to provide some security awareness to managers and decision makers. This time, no hacking or technical presentations, but clear facts about today’s security issues. Judging by the list of attendees, their goal was reached! The list of participants had 180 names and I think that most of the registered people attended. Despite the winter weather, visitors came from many different areas of business: universities, finance, transport, media, manufacturing. It’s a good sign!
The day started with an interesting movie:
After the movie, invited speakers came to present their vision or ideas about information security. The first speaker was Pascal Petry (security expert from the Prime Minister’s cabinet). He talked about the official vision of the Belgian government on information security. As computers are used everywhere today, governments must address cyber-defense at the highest level. It is always interesting to listen to some official feedback from authorities, even if what they say must sometimes not be taken “as is“. Nothing brand new here. If they want to fight cyber-crime, authorities must put resources on the table, and this costs a lot of money. Not easy to do in these times of crisis.
The second speaker was Aart Jochem (from Govcert.nl), who reviewed the case of DigiNotar. Here again, nothing new! Everything has been said about this bad story. The interesting aspect of Aart’s talk was how the case was handled by the authorities: from incident response to crisis coordination. Keep in mind: it’s better to communicate with a “we failed” message than not to communicate at all!
After a coffee break, Christian Van Heurck, the CERT.be coordinator, presented “Cyber security: who cares?“. Through some simple questions answered with an internal voting system, the audience revealed interesting facts about the communication of cyber incidents. Most organisations fail to report issues to CERTs. Christian explained the CERT.be structure and how they work. It’s very important to know how CERTs work and to trust them. The message here was: “Sharing is the key“.
Then followed a debate with actors of the Belgian IT landscape about cyber security strategies and how they can impact our daily life. Trying to increase the security level of citizens/users is good, but this can have major impacts on the tools or the way we use them. A good (but recurring) example is passwords. Again and again, people fail to use good passwords. Is it too late? Can people be sued for using bad passwords? Those questions were debated by the participants. Interesting…
After lunch, I attended a very interesting workshop proposed by CERT.be: how to build your own CERT? Indeed, if you are working for a big organisation, it could be interesting to deploy your own CERT. Knowing your customers and your business, you can focus very efficiently on the security issues that really affect you. Erik Vanderhasselt explained briefly (because it’s a huge topic) what the basic requirements are in terms of:
During the workshop, I missed an interesting presentation by SWITCH: cleaning.ch. They explained how they detect malicious websites hosted on .ch domains. Once a malicious site has been found, the owner is contacted and has 24 hours (!) to reply; otherwise, the website is blocked at DNS level for a few days. Hard but impressive!
After a last coffee break, I followed two other presentations: Stefan Lueders (CERN) explained why our security controls fail, and Jacques Schuurman from XS4All presented the position of the Internet Service Provider on cyber security strategies. It was very interesting to hear how they have to deal with authorities.
What about this first edition? The number of visitors proved that security remains very important for most organisations. Most visitors were (as usual?) infosec professionals (a high number of CISOs per m²). The question is: how will they apply what they learned in their daily job? Good news: the presentations are already available online!
We are living in a digital era and I like this! From a security point of view, because it generates a lot of issues that we have to deal with (being infosec pros, it’s our daily job), but also because I like “gadgets”. We are big kids.
On the other hand, other people prefer to use the old classic methods to manage their life: “A pen and a sheet of paper don’t need to be charged and will never crash!”. This is the classic argument when you try to convince them to switch to a digital solution. But are those people safe from disasters? Do they also need a disaster recovery plan? I read an interesting story today on a Belgian news website:
A Belgian politician lost his leather diary (or was it stolen?). It contained thousands of contacts and appointments. Everything was written by hand since he was 18 years old! “Ask me where I was in Feb 1968, I will tell you!“, he said.
Except that now the diary is lost, he no longer can! I won’t start a flame war between the pro- and anti-digital camps, I respect everybody’s choice. But one thing is sure: whatever solution or method you choose, it is subject to risks that must be taken into account! Some affect only digital solutions (example: a disk crash), but most are valid in both cases: natural disasters (flood, fire), lost or stolen data. The medium is not important: if it contains (business) critical data, a proper backup solution must be implemented!
After months of preparation with growing pressure, the 0x04 edition of BruCON is already behind us! I was still on board to take care of all the bits & bytes aspects. This year was a special one. The venue changed (we moved from Brussels to the beautiful city of Ghent). For me, this move had another major impact: the venue was provided without any network connectivity. The challenge was to build a network from scratch! As you can imagine, deploying network services to 500 hackers for two days is not easy. Yes, dear attendees, you aren’t ordinary users.
To increase the pressure, another last-minute change occurred: we were allowed to access the venue on Wednesday starting from 07:00AM (only two hours before the opening of the conference). But the challenge was completed and visitors were able to have their breakfast while surfing the web! I’d like to congratulate the volunteers of the network crew who did a great job!
The BruCON Network Crew
The Core Network
Building a network from scratch is a real challenge, but it also has advantages. The most important is full control of the infrastructure: bandwidth, switches, servers, access devices, services and… logs! Yeah, logs, one of my favourite topics. As you can imagine, everything was logged during the event. First of all, to keep traces (evidence): according to Belgian law, when you provide Internet access, you are considered an Internet provider and have to take care of your network. Secondly, to analyze the logs and generate nice stats. So, let’s check what our visitors did during the two days.
First, the bandwidth. The new venue was a great location, but it lacked Internet points of presence! After long investigations, the only solution was to use a WiMAX link! As this kind of solution is expensive, we had limited bandwidth compared to previous editions, but fortunately it did not affect the visitors, who surfed smoothly.
WAN Traffic for 2 days
Total Firewall Throughput
What about our visitors? It looks like many of you are scared to use the offered WiFi networks and prefer to use the data connection of your mobile devices. I was surprised to see a very low number of concurrent devices connected to the network (peak: 189 DHCP leases). During the conference, we offered 10111 leases to 416 unique MAC addresses. What about the type of devices?
Detected MAC Addresses
Hon Hai Precision
Cadmus Computer Systems
We operated our own DNS relay to log all the queries. 356885 queries were performed (only “A” records). A total of 43480 unique names were resolved by the DNS. Here is the top-20 of resolved hosts:
I was surprised to see logs.loggly.com in this list! This FQDN is used by the Loggly (a cloud logging service) API to submit logs! Somebody was submitting events during the conference!?
The web traffic was also analyzed. Here is the top-10 of websites visited from the BruCON network.
What about companies present at BruCON? Using a simple grep on the DNS logs, it’s easy to retrieve a list of organizations: internal domains often end with “.local” or “.corp“, and some visitors still use corporate devices during the conference (ouuuh, bad!). We extracted some names and were happy to see visitors coming from (a very short list):
Amazing, just for the swift.corp domain, I collected 29 unique internal server names! Like the previous edition, there was also an IDS (standard config & rules). It remained calm and nothing special was detected (this does not mean that nothing happened!).
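As an added illustration of this log analysis (my example, not the BruCON crew’s own scripts), the following Python parses dnsmasq-style `query[A] name from client` lines, which I assume here as the relay’s log format, over a few constructed sample lines: it counts A queries and unique names, builds the top-N, and groups leaked `.local`/`.corp` names by zone together with the guest client that leaked them, so the device owner can be warned.

```python
"""Analyse a DNS relay query log: count "A" queries, build a top-N of
resolved names and extract internal corporate zones (".local"/".corp")
leaked by visitors' devices on the guest network."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in dnsmasq "query[TYPE] name from client" style
# (assumed log format, not the real BruCON logs). Clients use RFC 1918 space.
SAMPLE_LOG = """\
Sep 26 09:01:12 dnsmasq[1042]: query[A] www.brucon.org from 10.10.1.23
Sep 26 09:01:13 dnsmasq[1042]: query[AAAA] www.brucon.org from 10.10.1.23
Sep 26 09:01:15 dnsmasq[1042]: query[A] twitter.com from 10.10.1.45
Sep 26 09:01:16 dnsmasq[1042]: query[A] logs.loggly.com from 10.10.1.77
Sep 26 09:01:19 dnsmasq[1042]: query[A] www.brucon.org from 10.10.1.45
Sep 26 09:01:20 dnsmasq[1042]: query[A] dc01.example.corp from 10.10.1.50
Sep 26 09:01:21 dnsmasq[1042]: query[A] mail.example.corp from 10.10.1.50
Sep 26 09:01:22 dnsmasq[1042]: query[A] dc01.example.corp from 10.10.1.50
Sep 26 09:01:25 dnsmasq[1042]: query[A] fileserver.acme.local from 10.10.1.61
Sep 26 09:01:26 dnsmasq[1042]: query[A] wpad.acme.local from 10.10.1.61
Sep 26 09:01:30 dnsmasq[1042]: query[A] twitter.com from 10.10.1.23
Sep 26 09:01:31 dnsmasq[1042]: query[PTR] 23.1.10.10.in-addr.arpa from 10.10.1.23
"""

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)
# Suffixes that almost never exist in public DNS: a query for them means
# a corporate device is looking for its own infrastructure from our network.
INTERNAL_SUFFIXES = (".local", ".corp")


def parse_a_queries(log_text):
    """Yield (name, client) for every A-record query; other record types
    (AAAA, PTR, ...) are skipped, as the post only counted "A" records."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("qtype") == "A":
            yield m.group("name").lower().rstrip("."), m.group("client")


def summary(log_text):
    """Total number of A queries and number of distinct names resolved."""
    names = [name for name, _ in parse_a_queries(log_text)]
    return {"a_queries": len(names), "unique_names": len(set(names))}


def top_resolved(log_text, n=20):
    """[(name, count), ...] for the n most queried names, busiest first."""
    return Counter(name for name, _ in parse_a_queries(log_text)).most_common(n)


def internal_domains(log_text):
    """Group leaked internal names by zone (the last two labels), e.g.
    'example.corp' -> hosts {'dc01.example.corp', 'mail.example.corp'},
    and record which guest clients asked for them."""
    zones = defaultdict(lambda: {"hosts": set(), "clients": set()})
    for name, client in parse_a_queries(log_text):
        if not name.endswith(INTERNAL_SUFFIXES):
            continue
        labels = name.split(".")
        if len(labels) < 3:  # "acme.local" alone carries no server name
            continue
        zone = ".".join(labels[-2:])
        zones[zone]["hosts"].add(name)
        zones[zone]["clients"].add(client)
    return dict(zones)


if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
    for name, count in top_resolved(SAMPLE_LOG, n=5):
        print(f"{count:6d}  {name}")
    for zone, info in sorted(internal_domains(SAMPLE_LOG).items()):
        print(f"{zone}: {len(info['hosts'])} internal names "
              f"leaked by {len(info['clients'])} client(s)")
```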
All communication between clients was blocked to avoid internal floods, scans and other funny stuff. Finally, a few words about our wall of sheep, which was successfully tested (and approved?) by some of our visitors:
Wall of Sheep 2012
I can’t resist giving you some numbers (again):
4506 events logged
4 protocols detected (SNMP, HTTP, POP, FTP)
76 unique logins detected (really ~50, due to people playing with the wall)
Unfortunately, we could not provide IPv6 connectivity this year; it’s on our to-do list for the next edition. Other data were collected, but they will be covered in another blog post… Stay tuned!
The holidays are gone, kids are back to school. For the security landscape, it means that security meetings are also back! The first OWASP Belgium Chapter meeting was organised tonight. Here is my quick wrap-up.
This time the meeting started in the afternoon with a technical workshop organised by SPION. Due to agenda conflicts, I did not attend this one. I joined the meeting for the second part, organised in the classic format: after a brief introduction with news about the Chapter and the OWASP foundation in general, two speakers came to present their research.
Executing the remote scripts in a sandbox (not always easy).
Download the script locally.
If the second option looks interesting, it can be difficult to implement; it’s doable only if the files do not change often. A very nice presentation with clear explanations.
After a short break and pizzas, the second speaker for tonight was Dave van Stein. He talked about “modern information gathering”, or how to grab interesting data about your targets even without sending a single packet to them. The talk was a brief presentation of techniques and tools used by pentesters or auditors to collect information. Here is a short list of tools covered by Dave:
A few weeks ago, a subsidiary of a major Belgian bank was hit by a blackmail attack. Attackers demanded a large amount of money, threatening to reveal sensitive stolen data otherwise. I don’t know how this story ended: did the bank pay? Did the attackers really steal a large amount of data or were they just bluffing? Targets of such attacks always try to limit the impact by avoiding communication. This is in fact bad behaviour and, hopefully, things will change when breach notification laws are in place in European countries.
Same story today! We learned via the Belgian press (article in Dutch) that another attack was conducted against an interim company. More information has been posted by another Belgian blogger. From his post, it looks like security was very poor (as usual, I would like to say!). They leaked 10K records with the names of job seekers, their addresses, emails, national numbers and social security card numbers. As proof, they released some records here.
You might be tempted to react with “That’s weird, but it’s just another leaked database!” But the stolen data also contained comments made by the company’s employees about the job applicants. Examples? (based on the released sample data) “Nothing to catch. Always looks drunk. Unstable person.” or “Something wrong with it. Huge sweating and coughing. Drugs?“. If the complete database is released on the Internet, this could have a huge impact on multiple parties:
Are employees authorized to write down comments like this?
Such comments written by employees could lead to discrimination (example: comments about people’s bodies or physical appearance).
Customers of the interim agency could be impacted too. Bad publicity! (Example: if they don’t want workers of a specific religion or skin colour!)
The psychological impact on some job seekers. How might some react if they read the comments left about them? Some might be psychologically fragile and already struggling with their situation as unemployed.
As you can see, the problems are not only on the technical side. In my opinion, this is the perfect example to remember that all your data is valuable. Often, the most critical data is found in military, financial or medical environments, but if you collect data about people (customers, partners, …), you must implement security measures to protect it properly!
Working in information security is an ongoing battle! That’s why we have to learn new things every day! But the opposite is also true. As somebody commented on Twitter recently: “Sometimes, it’s also good to forget things“. We also have to learn from our mistakes, and the information security landscape is full of bad stories to learn from! To sum up: we have to train ourselves all the time…
Self-learning is (almost) free. It just costs you spare time and requires access to a lab or documentation, but it can quickly become limited. How do you submit questions? How do you exchange useful tips & tricks? Real training adds a social layer which helps you learn better and quicker. How do you select the training that suits your requirements?
Aside from your preferences, there are different types of training you can attend. I see three big areas:
Learning “by doing“
Vendor trainings are only useful when you need to be ready as fast as possible to go “to the front” (read: to customers) to massively deploy the vendor’s solutions. You’ll learn the basics, but don’t expect to go very deep. To go deeper, buy another training! Finally, to successfully complete the training, you’ll have to pass the certification exam, based on wonderful questions like:
To achieve the configuration of "A" when "B" is deployed in "C"
mode, you use the command:
a) cmd -C
b) cmd -c
c) cmd -s
I hate this kind of question! You need to know how things work, but how to apply them? RTFM! Usually, vendor trainings are mandatory for your company to remain a “certified partner” ($$$!) and are not difficult to attend.
Certification trainings are broader and don’t focus on products. Most of them are theoretical: procedures, frameworks and best practices will hold no secrets for you. Here again, after the training (often called a “boot camp“), you have to pass the certification exam and finally reach the holy grail, also called “CISSP“, “CISA“, “CISM“, “ITIL“, “CEH“, etc… While they are very useful for building the basics of information security, once you have them they will help you get on top of a stack of resumes and pretend to be an “infosec guy” (I insist on the verb “pretend“!).
Finally, the third type is learning “by doing” or “looking under the hood“. In my humble opinion, that’s the best way to learn: by practicing and going straight to the point! This last type of training is usually organized during security conferences. Alas, they are not given for free: good trainers are not easy to find, and traveling abroad might double the total cost (flight, hotel, …). So, why not take the opportunity to attend top-notch trainings organized in the centre of Europe, in a place not far from anywhere: Belgium! The BruCON security conference announced the schedule of trainings for its 4th edition:
This is an excellent opportunity to attend trainings given by people recognized as excellent trainers in the information security field! Registration has been open for a few days and early bird prices are available until 31st of May 2012. Spread the word!