As a pentester, I’m always trying to find new gadgets and tools to improve my toolbox. A few weeks ago, I received my copy of Dr Philip Polstra’s book: “Hacking and Penetration Testing with Low Power Devices” (ISBN: 978-0-12-800751-8). I had a very interesting chat with Phil during the last BruCON edition and I was impressed by his “lunch box“. That’s why I decided to buy his book.
Is “swf” the new “wtf“? What’s happening with the Flash player? Adobe’s multimedia platform has been targeted by multiple 0-days since the beginning of 2015! Just have a look at cvedetails.com. Two days ago, security researchers at TrendMicro found another one, identified as CVE-2015-0313.
Tired of the multiple patches released by Adobe and their impact on deployment, many security people are considering removing the popular browser plugin from their computers (and their users’ computers). Is it a good idea? While more and more websites offer alternative interfaces via HTML5 (like YouTube), there are still many websites which won’t work without Flash support. In my case, a good example is Deezer, which uses .swf files for its player!
To protect ourselves, why not build a whitelist of trusted Flash files? Here is a quick setup via Squid, the open source proxy. Squid has very powerful features and, amongst them, a flexible ACL (“Access Control List“) system. Basic ACLs can be used to filter domain names, IP addresses or ports, but there are other very interesting ACL types like:
- url_regex – which matches on full URLs
- urlpath_regex – which matches on URL paths only (without the protocol – http[s]:// – and the hostname/IP)
An ACL definition can take a regular expression inline or read a list of them from a flat file (one element per line). Let’s define two new ACLs:
acl FlashBlacklist urlpath_regex -i \.swf
acl FlashWhitelist urlpath_regex "/etc/squid3/allowed-swf.txt"
The first one matches the string “.swf” (case-insensitive, thanks to the -i flag) anywhere in the URL path and the second one matches any regex listed in the file “/etc/squid3/allowed-swf.txt“. The file looks like this:
/embedded/small-widget-v2.swf
/swf/coreplayer3-v00341125.swf
/swf/singlePlayer-v10.swf
This example matches the Flash files used by the Deezer player. Keep in mind that each line is a regular expression applied to the path only: the dots are not escaped, the patterns are not anchored and the hostname is never checked, so the same path served from any other domain would be accepted as well. For a tighter whitelist, escape the dots, anchor the expressions and switch to url_regex so that the host is part of the match. The next step is to apply the ACLs:
http_access allow FlashWhitelist
http_access deny FlashBlacklist
Take care to insert them at the right place within your existing ACLs! Squid evaluates http_access lines in order and stops at the first match, so the allow line must come before the deny line, and both must appear before any general allow rule (such as the default “http_access allow localnet“) that would otherwise let the .swf files through. Here is the result in the Squid log file:
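To see how these two lines behave before touching a production proxy, here is a small Python model of Squid’s evaluation, written as an added example for this post (it is not code from the post or from the Squid project). It reuses the two ACL definitions and the whitelist file exactly as written above, and adds an assumed stricter url_regex whitelist anchored on the cdn-files.deezer.com host; the hostname and the “evil.example” URLs are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# acl FlashBlacklist urlpath_regex -i \.swf   (as in the post: case-insensitive)
FLASH_BLACKLIST = [re.compile(r"\.swf", re.IGNORECASE)]

# Contents of /etc/squid3/allowed-swf.txt exactly as shown in the post.
# They are regexes: unanchored, and the dots are not escaped.
ALLOWED_SWF_TXT = """\
/embedded/small-widget-v2.swf
/swf/coreplayer3-v00341125.swf
/swf/singlePlayer-v10.swf
"""

# Assumed stricter alternative (not in the post): url_regex entries anchored on
# scheme, host and end of path, with the dots escaped. The host is an assumption.
STRICT_SWF_TXT = r"""
^http://cdn-files\.deezer\.com/embedded/small-widget-v2\.swf$
^http://cdn-files\.deezer\.com/swf/coreplayer3-v00341125\.swf$
^http://cdn-files\.deezer\.com/swf/singlePlayer-v10\.swf$
"""


def load_regex_file(text):
    """One regular expression per non-empty line, like a file-backed Squid ACL."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]


PATH_WHITELIST = load_regex_file(ALLOWED_SWF_TXT)    # used as urlpath_regex
STRICT_WHITELIST = load_regex_file(STRICT_SWF_TXT)   # used as url_regex


def urlpath_matches(patterns, url):
    """urlpath_regex semantics: only the part after scheme and host is tested."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return any(p.search(path) for p in patterns)


def url_matches(patterns, url):
    """url_regex semantics: the complete URL, host included, is tested."""
    return any(p.search(url) for p in patterns)


def evaluate(url, whitelist=PATH_WHITELIST, whitelist_kind="urlpath"):
    """Walk the two http_access lines in order; the first match wins:
         http_access allow FlashWhitelist
         http_access deny  FlashBlacklist
    Returns "allow", "deny", or "pass" when neither line matched and the
    remaining http_access rules of the policy would decide."""
    match_whitelist = urlpath_matches if whitelist_kind == "urlpath" else url_matches
    if match_whitelist(whitelist, url):
        return "allow"
    if urlpath_matches(FLASH_BLACKLIST, url):
        return "deny"
    return "pass"


if __name__ == "__main__":
    # Constructed URLs: the three from the post's log plus bypass attempts.
    for url in (
        "http://cdn-files.deezer.com/swf/coreplayer3-v00341125.swf",
        "http://taggalaxy.de/taggalaxy_beta.swf",
        "http://cdn-files.deezer.com/SWF/coreplayer3-v00341125.swf",
        "http://evil.example/swf/coreplayer3-v00341125.swf",
        "http://evil.example/swf/coreplayer3-v00341125_swf/payload.swf",
    ):
        print(f"path-whitelist={evaluate(url):5s} "
              f"url-whitelist={evaluate(url, STRICT_WHITELIST, 'url'):5s} {url}")
```

Running it shows the two weaknesses of the path-only whitelist: a .swf hosted on another domain under the same path is allowed, and because the dot is unescaped and the pattern unanchored, “coreplayer3-v00341125_swf/payload.swf” slips through as well. The anchored url_regex version denies both while still allowing the genuine Deezer file.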
# grep swf /var/log/squid3/access.log
1423084706.664      0 192.168.254.200 TCP_DENIED/403 3889 GET http://taggalaxy.de/taggalaxy_beta.swf - NONE/- text/html
1423084748.191      0 192.168.254.200 TCP_DENIED/403 3969 GET http://s0.2mdn.net/3070333/beco111_Day_Trip_Promo_Fr_300x250.swf - NONE/- text/html
1423084775.988      8 192.168.254.200 TCP_HIT/200 58684 GET http://cdn-files.deezer.com/swf/coreplayer3-v00341125.swf - NONE/- application/x-shockwave-flash
Note that Squid can also block traffic based on the MIME type of objects (the rep_mime_type ACL, applied with http_reply_access), but the type is only known once a response arrives and the logged value is not always the type of the requested object: in the two denied lines above, the type is text/html because that is Squid’s own 403 error page, not the Flash file. Now, it’s up to you to catch the denied accesses with your preferred log management tool.
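As an added example (not part of the original post), here is a small Python parser for Squid’s native access.log format that picks out the requests rejected by the FlashBlacklist ACL and counts them per client and per destination host, which is the kind of aggregation a log management tool would alert on. The sample log is constructed from the three lines above plus one ordinary HTML request to show that unrelated traffic is ignored.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Field layout of Squid's native access.log ("logformat squid"):
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer content-type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Same test as the FlashBlacklist ACL: "\.swf" anywhere in the path, case-insensitive.
SWF_IN_PATH = re.compile(r"\.swf", re.IGNORECASE)

# Constructed sample: the three lines from the post plus one plain HTML request.
SAMPLE_LOG = """\
1423084706.664      0 192.168.254.200 TCP_DENIED/403 3889 GET http://taggalaxy.de/taggalaxy_beta.swf - NONE/- text/html
1423084748.191      0 192.168.254.200 TCP_DENIED/403 3969 GET http://s0.2mdn.net/3070333/beco111_Day_Trip_Promo_Fr_300x250.swf - NONE/- text/html
1423084775.988      8 192.168.254.200 TCP_HIT/200 58684 GET http://cdn-files.deezer.com/swf/coreplayer3-v00341125.swf - NONE/- application/x-shockwave-flash
1423084790.001     12 192.168.254.201 TCP_MISS/200 1024 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
"""


def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = SQUID_NATIVE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Squid logs epoch seconds with millisecond precision; convert for humans/SIEMs.
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc).isoformat()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path
    return rec


def denied_flash(lines):
    """Yield the records the FlashBlacklist ACL rejected: TCP_DENIED with .swf in the path."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["code"] == "TCP_DENIED" and SWF_IN_PATH.search(rec["path"]):
            yield rec


def summarize(lines):
    """Count blocked .swf requests per client IP and per destination host."""
    by_client, by_host = Counter(), Counter()
    events = list(denied_flash(lines))
    for rec in events:
        by_client[rec["client"]] += 1
        by_host[rec["host"]] += 1
    return {"denied": len(events), "by_client": dict(by_client), "by_host": dict(by_host)}


if __name__ == "__main__":
    for rec in denied_flash(SAMPLE_LOG.splitlines()):
        print(f'{rec["when"]} {rec["client"]} blocked {rec["url"]}')
    print(summarize(SAMPLE_LOG.splitlines()))
```

Point it at the real file with `summarize(open("/var/log/squid3/access.log"))`; a sudden jump in the per-host counter for a domain you have never whitelisted is exactly the signal worth investigating.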
Working with a whitelist is not the most convenient way to allow access to trusted files, but it is the safest: by default, any .swf file is blocked and only the files you explicitly listed get through. Last remark, this is just a quick countermeasure: it does not dispense you from patching your systems!
[This blogpost has also been published as a guest diary on isc.sans.org]
Our houses and offices are filling up with electronic devices embedding a real computer with an operating system and storage. They are connected to network resources for remote management, statistics or data polling. This is called the “Internet of Things” or “IoT“. My home network is hardened and any new (unknown) device connected to it receives an IP address from a specific range which has no connectivity with other hosts or the Internet, but its packets are logged. The goal is to detect suspicious activity like data leaks or unexpected firmware updates. The latest toy I bought, yesterday, is a Smart Plug from Supra-Electronics. This device allows you to control a power plug from your mobile device and to compute the energy consumption with nice stats. I had a very good opportunity to buy one for a very low price (25€). Let’s see what’s inside…
A quick blog post which popped up in my mind after a friend posted a question on Twitter this afternoon: “How to search for Office documents containing macros on a NAS?“. It is a good idea to search for such documents, as VBA macros are known to be a good infection vector and come back regularly in the news, like in the Rocket Kitten campaign.
Waiting for the New Year party, this is a last quick post in 2014! It’s not the first time that I see a peak of rogue authentication requests against some WordPress websites. But for a while now, there has been a constant flood of IP addresses trying to bruteforce the WordPress login page. This kind of attack is very common and bots are constantly looking for weak passwords. Looking at the Apache (or any other web server) log files is not relevant because they don’t log the payload of POST requests. I captured all the POST requests in a pcap file for a few weeks and today I decided to generate some stats!
For me, Twitter is not only a social network, it’s also a tool that I use daily to track and exchange news about information security with a large worldwide community of infosec professionals. For a while now, Twitter has been my main source of information. When you are relying on a service like Twitter to collect information, you must have the right tools to handle the huge (and constantly increasing) amount of data. I’m using classic Twitter clients on my computers and mobile devices but they are not powerful enough. Standard options such as notifications help to be alerted when a specific Tweet is posted, but often we can’t be disturbed all the time (ex: while working at a customer’s premises or in a meeting). When you’re back to check your timeline, most Twitter clients can’t easily handle thousands of Tweets to be reviewed. In short, I need something else! When you have a lot of data to index, Elasticsearch comes immediately to mind (and the associated tools to build the ELK suite).
There is a black market for vulnerabilities, nothing new with this fact! A brand new 0-day can be sold for huge amounts of money. The goal of this blog post is not to cover this market of vulnerabilities but the way some of them are disclosed today. It’s just a reflection I had when reading some news about RomPager:
I’m just back from Nancy and it’s time to publish the wrap-up for the last day! The last night was very short for most of the attendees: 30 minutes before the first talk, the coffee room was almost empty! This third day started with “A new look at Fast Flux proxy networks” by Dhia Mahjoub from OpenDNS. Hendrik Adrian was also involved in this research but he couldn’t be present for personal reasons. OpenDNS provides DNS services and, as we all know, DNS is critical in botnet infrastructures. They have access to a very big source of information! It has already been said multiple times, the crimeware scene is an eco-system. Modern malware communicates with its C&C through proxies. That was the topic of Dhia’s presentation: Fast-Flux proxy networks.