Twitter Used As Security Awareness Media: “FiveWordSecurityHorrors”

Security AwarenessYesterday a new trend started on Twitter with the hashtagFiveWordTechHorrors”. I don’t know exactly who started it and why but it became quickly relayed and populated by many people working in IT. Everybody started to report some horror stories of ideas in all IT domains (security, development, hardware, software, etc). It was really viral and, honestly, I had a good laugh while reading some of the posted facts. But, it quickly became impossible to follow due to the amount of incoming tweets.

(Source: geekwire.com)

(Source: geekwire.com)

And this morning, a new hashtag appeared derived from the original one: “FiveWordSecurityHorrors”. Based on the same principle but with more focus to information security: To describe a security fact within only five words. The traffic was much lower but very funny (of course) and interesting. Here are some of my best quotes:

  • 0-day? We have firewalls!
  • We trust our outsourcing partner.
  • Our product stops all APTs
  • Default rule is any<>any
  • Forgotten password sent by e-mail
  • I can always update later…
  • We’re safe. We have firewalls.
  • We’re safe, we’re PCI compliant !
  • The $VENDOR said it’s possible!
  • Security? Our supplier does that.
  • Why would anyone attack us?
  • Sql injections ? We got ssl !
  • Firewall protects our web applications?
  • Yay angelina nude dot exe
  • Join my network on LinkedIn…
  • We don’t need salted hashes
  • Marketing had a great idea
  • Developped own proprietary encryption algorithm
  • It costs to much money.
  • I rely on signature anti-virus
  • We trust our employees, right?
  • Security is the users’ responsibility
  • Our website is hacker proof
  • This buffer is big enough.
  • Please click on the link!

In my opinion, this trending hashtag was a very good security awareness reminder for most of us. Only five words but so real! Just try to keep some of them in your mind. And this awareness campaign was provided for free by Twitter!

Why the Belgian Cyber Security Guide Must Be Extended? Example with MySQL!

BCSGA few days ago, I attended an event organized by the Chamber of Commerce in Belgium (ICC Belgium) and the Federation of Enterprises (FEB) to announce with great ceremony the release of the first Belgian Cyber Security Guide. Honestly, this is a great initiative! In the audience, many many infosec professionals were present but not many “business owners“. That’s not a surprise… Ok, I’ll mitigate, it’s also part of our daily job to promote security to C-levels. Even if the message is still not yet received by the target audience, that’s the goal of a “security awareness” process which can be resumed as:

while(true) { repaeat_message(); }.

An endless loop…

Read More →

BotConf 2013 Wrap-Up Day #2

Maillé-BrézéI’m back in Belgium after driving a few hours back to Belgium and it’s time to give you my wrap-up of the second day. After a short night, we were back at the Chamber of Commerce in Nantes. The venue was located closed to the “Maillé-Brézé“, an old French military boat converted into a museum. For some of the attendees, the night was very short, the social event was a big success! The first talks were followed with a lack of caffeine, let’s go for a resume…

Read More →

BotConf 2013 Wrap-Up Day #1

BotConf BannerI’m in Nantes (France) for two days to attend a new conference: Botconf. As the name says, this event is dedicated to botnets and malwares. The goal is to present talks about those malicious network of computers, how to detect them, how to fight them and, finally, eradicate them. I received a press pass (thank to the organizers), so here is the wrap-up of the first day!

First of all, a few words about the organization. Being also involved in the same kind of event, I really know the huge amount of work that must be accomplished to bring a security conference alive! Kudos to the team, nice venue, everything was running fine. They successfully brought 150 people from all over the world to a French city (some people came from Japan and South-Africa!). Event a live streaming was available for those who cannot travel to Nantes. The event stated with a word from the Chairman, Eric Fressinet. Classic introduction with big thanks to the sponsors, the speakers. Eric is working for the French Gendarmerie and is of course interested into botnets. The program of this first day was very intense with thirdteen slots!

Read More →

OWASP Benelux Day 2013 Wrap-Up

Photo 1

I’m just back from Amsterdam where was organized the 5th edition of the OWASP Benelux Day. This was already my third visit to this event and I finished my Benelux Tour: Luxembourg in 2011, Belgium in 2012 and the Netherlands this year. The location was very nice, the Amsterdam RAI is a ver nice location for events but also expensive: The event was reduced to a single day (no training) and there was no WiFi for the attendees. But who cares? After all, we attend conferences to listen to speakers and not to surf the web…

As usual, Seba opened the event with the classic OWASP updates. He gave some feedback about AppSec USA (which occurred last week). If you’re interested, a Youtube channel is available with all the talks (43!) . A new guide is available: “Application Security Guide for CISO’s”. It explains the reasons for investigating into application security, how to manage application security and metrics. The AppSec Newsfeed is back and the podcast (managed by Jim Manico) is still alive. As you can see, they are plenty of interesting sources of information.

Read More →

Controlling the “In”? Don’t forget the “Out”!

Yellow SignDo you remember the good old times? When I put my hands on my first firewall (somewhere around 1997-1998 – wow, time flies!), it was to kick out all the bad guys playing on the Internet. And, at this epoch, not all firewalls had a default last-resort rule like “Any > Any: Drop”! Later, the infosec landscape highlighted the wonderful “security perimeter”: Your network was like a castle with big walls! No one could enter! What a wonderful world!

Some times later, companies realised that their users were first of all people with human behaviours, trying to surf the web during business hours. Some of them switched to a new profile: malicious insiders! It was time to also inspect and block the outgoing traffic.

Today, generally speaking, solutions are in place to inspect what is called the “egress” traffic (the opposite of “ingress”). Wikipedia defines “egress filtering” as follow:

In computer networking, egress filtering is the practive of monitoring and potentially restricting the flow of information outbound from one network to another. Typically, it is information from a private TCP/IP network to the Internet that is controlled. TCP/IP packets that are being sent out of the internal network are examined via a router or firewall. Packets that do not meet security policies are not allowed to leave – they are denied “egress”. Egress filtering helps ensure that unauthorised or malicious traffic never leaves the internal network.

Implementing egress filtering is not always bullet-proof but it is a good start. Today, traffic like HTTP(s), DNS, SMTP cannot reach the Internet directly. So, what about your home network? If most DSL residential routers include firewall features, they remain basic and egress filters are often disabled by default. Here is an example of egress filter on a Belgacom BBox router:

Egress Filter

What types of devices can we find in a home network today?

  • Computers
  • Game consoles
  • Printers
  • Phones
  • WiFi devices (tablets, smartphones)
  • Webcams
  • Storage devices (NAS)
  • Media players
  • Heating systems, fridges
  • Smart meters
  • Smart TV’s
  • Miscelaneous sensors
And the list is growing every day! M2M (or “Machine to machine”) traffic keeps increasing. Recently, bad stories were released by two security bloggers about the LG Smart TV’s which phone home and send information collected about user’s behaviour (links here and here). For sure, expect more of such stories in the future! I think that, like companies years ago, we will have to implement egress filtering on our home networks! To prevent two threats:
  • Malware infections (callback to C&C)
  • Your privacy! (like the LG story)
The first one can be addressed by classic ways like security awareness for your family and a <cough>good<cough> antivirus. The second one is more nasty and we must struggle against companies stealing our data. At home, my online devices have no direct access to the Internet, HTTP traffic is inspected by a proxy and I’m running an internal DNS resolver with a blacklist of prohibited domains. Both, combined with an IDS, send their findings to a Splunk instance. The proverb says: “Cobblers children are worst shod” but we can’t follow this in infosec, please! Of course, this is not a solution that can be easily implemented in every houses, protecting your privacy has a cost! To reduce the risks, you can split your network in two subnets:
  • Assign a fixed IP address to trusted devices
  • Reserve a small DHCP IP pool for unknown (friends, visitors, …) or new devices and prevent this pool to access directly the Internet
While connecting a new device (like a Smart TV), consider it as “untrusted” and have a look at the generated traffic for a while (when you turn it on or off, when you use it). Keep this in mind: more and more domestic devices will be connected over TCP/IP in the future collecting more and more data about us. Have a look at this video published by Splunk:

Tracking your Github Security Events

GitHub Looking GlassA few days ago, I wrote a blog post about a Python script that I use with the new Amazon CloudTrail feature to grab logs from my Amazon cloud services. Because we use more and more cloud services in our digital life, the same principle should apply to all our online services. Recently, GitHub suffered of a brute force attack against accounts with weak passwords. This story was covered by a nice blog post. They took actions like blacklisting well-known weak passwords (By the way, they also offer 2-factors authentication). Why attacking GitHub accounts? Because user’s repositories contain very interesting information. Source code could be modified to add malicious code like a backdoor to existing code or some private data could be stolen (certificates, credentials, SSH keys, etc).

Read More →

Keep an Eye on Your Amazon Cloud with OSSEC

Cloud LogsThe Amazon conferencere:Invent” is taking place in Las Vegas at the moment. For a while, I’m using the Amazon cloud services (EC2) mainly to run lab and research systems. Amongst the multiple announcements they already made during the conference, one of them caught my attention: “CloudTrail“. Everything has already been said over the pro & con of cloud computing. But one of them is particularly frustrating if, like me, you like to know what’s happening and to keep an eye on your infrastructure (mainly from a security point of view): who’s doing what, when and from where with your cloud resources? CloudTrail can help you to increase your visibility and is described by Amazon as follow:

CloudTrail provides increased visibility into AWS user activity that occurs within an AWS account and allows you to track changes that were made to AWS resources. CloudTrail makes it easier for customers to demonstrate compliance with internal policies or regulatory standards.

As explained in the Amazon blog post, once enabled, CloudTrail will generate files with events in a specific S3 bucket (that you configure during the setup). Those files will be available like any other data. What about grabbing files at regular interval and create a local logfile that could be processed by a third party tool like… OSSEC?

Generated events are stored as JSON data in gzipped files. I wrote a small Python script which downloads these files and generates a flat file:

$ ./getawslog.py -h
Usage: getawslog.py [options]

Options:
  --version             show program's version number and exit  
  -h, --help            show this help message and exit
  -b LOGBUCKET, --bucket=LOGBUCKET
                        Specify the S3 bucket containing AWS logs
  -d, --debug           Increase verbosity
  -l LOGFILE, --log=LOGFILE
                        Local log file
  -j, --json            Reformat JSON message (default: raw)
  -D, --delete          Delete processed files from the AWS S3 bucket

$ ./getawslog.py -b xxxxxx -l foo.log -d -j -D
+++ Debug mode on
+++ Connecting to Amazon S3
+++ Found new log: xxxxxxxxxxxx_CloudTrail_us-east-1_20131114T1325Z_xxx.json.gz
+++ Found new log: xxxxxxxxxxxx_CloudTrail_us-east-1_20131114T1330Z_xxx.json.gz
+++ Found new log: xxxxxxxxxxxx_CloudTrail_us-east-1_20131114T1335Z_xxx.json.gz
+++ Found new log: xxxxxxxxxxxx_CloudTrail_us-east-1_20131115T0745Z_xxx.json.gz
+++ Found new log: xxxxxxxxxxxx_CloudTrail_us-east-1_20131115T0745Z_xxx.json.gz
+++ Found new log: xxxxxxxxxxxx_CloudTrail_us-east-1_20131115T0750Z_xxx.json.gz

By default, the script will just append the JSON data into the specified file. If you use the “-j” switch, it will parse the received event and store them in a much more convenient way to be further processed by OSSEC (using “items:values” pairs). Here is an example of parsed event:

"eventVersion":"1.0","eventTime":"2013-11-15T07:55:53Z", "requestParameters":"{u'instancesSet': {u'items': [{u'instanceId': u'i-415f473b'}]}}","responseElements":"{u'instancesSet': {u'items': [{u'instanceId': u'i-415f473b', u'currentState': {u'code': 32, u'name': u'shutting-down'}, u'previousState': {u'code': 16, u'name': u'running'}}]}}","awsRegion":"us-east-1","eventName":"TerminateInstances","userIdentity":"{u'principalId': u'xxxxxxxxxxxx', u'accessKeyId': u'xxxxxxxxxxxxxxxxxxxx', u'sessionContext': {u'attributes': {u'creationDate': u'2013-11-15T07:48:03Z', u'mfaAuthenticated': u'false'}}, u'type': u'Root', u'arn': u'arn:aws:iam::xxxxxxxxxxxx:root', u'accountId': u'xxxxxxxxxxxx'}","eventSource":"ec2.amazonaws.com","userAgent":"EC2ConsoleBackend","sourceIPAddress":"xxx.xxx.xxx.xxx"

Within OSSEC, create a new decoder which will extract the information you may find relevant for you. Here is mine:

<decoder name="cloudtrail">
 <prematch>^"eventVersion":"\d.\d"</prematch>
 <regex>"awsRegion":"(\S+)"\.+"eventName":"(\S+)"\.+"sourceIPAddress":"(\d+.\d+.\d+.\d+)"$</regex>
 <order>data,action,srcip</order>
</decoder>

And the event below decoded by OSSEC:

**Phase 1: Completed pre-decoding.
 full event: '"eventVersion":"1.0","eventTime":"2013-11-15T07:55:53Z","requestParameters":"{u'instancesSet': {u'items': [{u'instanceId': u'i-415f473b'}]}}","responseElements":"{u'instancesSet': {u'items': [{u'instanceId': u'i-415f473b', u'currentState': {u'code': 32, u'name': u'shutting-down'}, u'previousState': {u'code': 16, u'name': u'running'}}]}}","awsRegion":"us-east-1","eventName":"TerminateInstances","userIdentity":"{u'principalId': u'xxxxxxxxxxxx', u'accessKeyId': u'xxxxxxxxxxxxxxxxxxxx', u'sessionContext': {u'attributes': {u'creationDate': u'2013-11-15T07:48:03Z', u'mfaAuthenticated': u'false'}}, u'type': u'Root', u'arn': u'arn:aws:iam::xxxxxxxxxxxx:root', u'accountId': u'xxxxxxxxxxxx'}","eventSource":"ec2.amazonaws.com","userAgent":"EC2ConsoleBackend","sourceIPAddress":"xxx.xxx.xxx.xxx"'
 hostname: 'boogey'
 program_name: '(null)'
 log: '"eventVersion":"1.0","eventTime":"2013-11-15T07:55:53Z","requestParameters":"{u'instancesSet': {u'items': [{u'instanceId': u'i-415f473b'}]}}","responseElements":"{u'instancesSet': {u'items': [{u'instanceId': u'i-415f473b', u'currentState': {u'code': 32, u'name': u'shutting-down'}, u'previousState': {u'code': 16, u'name': u'running'}}]}}","awsRegion":"us-east-1","eventName":"TerminateInstances","userIdentity":"{u'principalId': u'xxxxxxxxxxxx', u'accessKeyId': u'xxxxxxxxxxxxxxxxxxxx', u'sessionContext': {u'attributes': {u'creationDate': u'2013-11-15T07:48:03Z', u'mfaAuthenticated': u'false'}}, u'type': u'Root', u'arn': u'arn:aws:iam::xxxxxxxxxxxx:root', u'accountId': u'xxxxxxxxxxxx'}","eventSource":"ec2.amazonaws.com","userAgent":"EC2ConsoleBackend","sourceIPAddress":"xxx.xxx.xxx.xxx"'
**Phase 2: Completed decoding.
 decoder: 'cloudtrail'
 extra_data: 'us-east-1'
 action: 'TerminateInstances'
 srcip: 'xxx.xxx.xxx.xxx'

So easy! Schedule the script via a cron job to grab automatically new events and happy logging! The CloiudTrail service is still in beta and is not (yet) available everywhere (ex: not in the EU region) but seems to be working quite well. My script is available here.

 

Integrating OpenERP Within a Cisco IP Phone

OpenERP LogoFor once, this article is not directly related to “infosec“. My blog  isn’t called “/dev/random” for nothing, right? In parallel to my dayly job as an Information Security Consultant and my blogger experience at night, I’m also doing business via my own company, TrueSec (<advertising>Feel free to contact me if you’re looking for consultancy services</advertising>). For a while, I’m using OpenERP to keep track of my customers, projects, invoices and other administrative tasks. This software is a fully open source ERP (“Enterprise Resource Planning“) with many extensions. To benefit of a dedicated line and improve communications with my customers, I’m using a SIP service with a public phone number for a few days. And since today, the SIP line is connected to a good old Cisco IP phone (7940g). Honestly, it was’nt easy to configure the phone: reflash with a SIP-enabled firmware, fight with the text configuration files sent over TFTP, but… it worked! Even the ring tone and logo were customized:

(Click to enlarge)

(Click to enlarge)

The next step was to integrate the phone with an external address book. It seemed logical to integrate it with a database containing primarily all my business contacts: The OpenERP database! Let’s see how to interconnect both! The Cisco phone stores its address book in a XML file but with a limited size (I think that the limit is 32 entries for my 7940g). But it’s possible to configure the phone to make requests via a web page! Magic! How?

In the SIPDefault.cnf, add the following line (don’t forget to reboot the phone!):

#The directory_url contains a URL to the directory XML file
directory_url: "http://webserver/directory.xml"

Create the file on your “webserver“:

# cat /var/www/directory.xml
<CiscoIPPhoneInput>
    <Title>OpenERP Address Book</Title>
    <Prompt>Type your query...</Prompt>
    <URL>http://webserver/directory.php</URL>
    <InputItem>
            <DisplayName>search</DisplayName>
            <QueryStringParam>search</QueryStringParam>
            <InputFlags></InputFlags>
            <DefaultValue></DefaultValue>
    </InputItem>
</CiscoIPPhoneInput>

What does it mean? When you will press the “Directories” button on the phone and then select “External Directory“, the phone will propose you to enter a query string which will be passed to the defined URL as follow:

GET http://webserver/directory.php?search=xxxxxxxx

The result of this HTTP request must be a valid XML file with the following format:

<CiscoIPPhoneDirectory>
<Title>Open ERP Address Book</Title>
<Prompt>Select your contact</Prompt>
<DirectoryEntry>
     <Name>Xavier</Name>
     <Telephone>555-123-456</Telephone>
</DirectoryEntry>
</CiscoIPPhoneDirectory>

The last step is to lookup the OpenERP database for contacts and generate the XML output. How? No need to reinvent the wheel, OpenERP offers an XMLRPC API which can be used within all languages! My script is written in PHP and uses a PHP class developed to interact easily with OpenERP. Download the PHP class, download my script on a local webserver and change the OpenERP settings:

// Define your OpenERP environment
$openerp_url = "http://openerp.server:80/xmlrpc/";
$openerp_db = "xxxxxx";
$openerp_user = "xxxxxx";
$openerp_pass = "xxxxxx";
$max_entries = 32;

And an example of the data returned by the script:

Cisco-phone2

Enjoy this little hack! The next step will be to lookup incoming numbers to display the customer name!

Hack.lu 2013 Wrap-Up Day #3

GTA Hack.luThis is already the last day! We started again at 08:30 with a talk about IP cameras: “Do you know who’s watching you? An in-depth examination of IP cameras attack surface” by Francisco Falcon & Nahuel Riva. This isn’t the first time that IP cameras are used as targets for a talk. What was the motivation for this presentation? Found vulnerabilities in small cameras used everywhere (like at home for surveillance)! The goal was to: understand, find bugs, use the cam as an attacking device, modify the stream. First some general information about those gadgets: most of them have the same features: motion detection, night vision, two way audio, alarm connector, alerting. They run a webserer, a RTSP and UPnP servers. As most embedded devices, IP cams have a serial console. To access it, use a Bus Pirate with the UART chip and you are good to go. Then, Francisco & Nahuel reviewed some cameras available on the home market. The first target was a low-cost IP cam made in China (MayGION). Discovered vulnerabilities were:

  • FTP with hardcoded credentials
  • Buffer overflow
  • Path traversal

Read More →