Review: Wireshark Starter

Here is a quick review of a book about the well-known network sniffer Wireshark. This book is part of a new collection called “Instant” published by Packt Publishing. This is an interesting idea for people who don’t have time for (or don’t want to read) a classic 200-page book, or who need to go straight to the minimum required to start using a tool. This book has 68 pages and is of course cheaper!


BlackHat Europe 2013 Wrap-Up Day #2


And we are back with the second wrap-up of BlackHat Europe 2013! After a dinner with friends and some beers at the Rapid7 and IOActive parties, I went back to the hotel to finish the first day wrap-up. I woke up, took a shower, grabbed some coffee and I’m ready for the second day! No workshop planned for today, only talks. Here is a review of the ones I attended.


BlackHat Europe 2013 Wrap-Up Day #1


Hello everyone, it’s BlackHat time again! Here is my wrap-up for the first day. Yesterday evening, after a safe drive to Amsterdam with @corelanc0d3r, we went out for dinner and had a good time with other friends and the guys from the Rapid7 team who maintain the Cuckoo project. The conference is organized at the same location as the last edition, the Grand Hotel Krasnapolsky, a very nice place in the centre of the city. After a standard (but necessary) dose of caffeine, Jeff Moss gave a brief introduction to the conference. For this edition, 500 people registered to attend. Jeff insisted on the feedback that attendees can provide to build better events in the future and choose the right directions to meet most of our expectations. New events will be organised, like local (geographically) events and events dedicated to trainings only. What are the current trends? Mobile and embedded devices remain on top of the talks. Another classic: some minutes were also given to the main sponsor for some “marketing” messages.


WordPress GET Requests Flood?

Let me share this story with you. I faced a strange incident last Saturday. My web server was flooded with thousands of HTTP GET requests generated by WordPress blogs. Those connections seemed legitimate. The “attack“ (let’s call it that for now, even if I don’t think it was one) occurred on Saturday afternoon between 17:00 and 18:00 (GMT+1). A first bunch of requests hit the server starting from 15:54 and the real flood occurred one hour later, as you can see on the timeline below.

Attack Time Window


The biggest peak of requests was around 325 connections/second. Enough to put my server in trouble but not enough to conduct a real attack. That’s why I’m thinking about a misconfiguration. Another clue that helped me categorize the incident: it was very (too?) easy to block. The traffic was easy to catch with a simple pattern. How did I detect the problem? I was notified by the tools I have in place:

  • High CPU usage and low free memory on the web server (health monitoring)
  • Unusual HTTP traffic (log management)
    • Amount of traffic originating from same IPs
    • Number of requests/sec (behavior)

The received requests were very simple and hit only one of the websites hosted on the box (www.leakedin.com):

41.203.18.72:36261 - - [09/Mar/2013:15:54:20 +0100] "GET / HTTP/1.0" 200 33393 "-" "WordPress/3.5; http://www.finserv.co.za"

Nothing suspicious in the payloads, even mod_security did not fire any alert during the flood! I also had time to capture some traffic into pcap files: nothing wrong except the amount of requests. Once the problem was identified, my first priority was to get back to a stable environment (containment). My first idea was to block all “bad” requests based on the User-Agent. The UAs were those used by WordPress: “WordPress/<version>; <blog_url>“. This simple Apache configuration did the job:

# Tag every request whose User-Agent contains "WordPress" (case-insensitive)
SetEnvIfNoCase User-Agent WordPress block
<Directory "/xxxx/xxxx/xxxx">
    # Apache 2.2-style access control: with "Order allow,deny" a matching Deny wins
    Order allow,deny
    Allow from all
    Deny from env=block
</Directory>

It worked for a few minutes, but this quick fix only prevented the remote hosts from grabbing data from the server. All requests were still processed and returned a 403 error instead of a 200. The second idea was to limit the number of concurrent sessions allowed for www.leakedin.com. This was implemented via mod_bandwidth:

<Directory "/xxxx/xxxx/xxxx">
    # Cap the number of simultaneous connections to this site at 10, for all clients
    BandWidthModule on
    MaxConnection all 10
</Directory>

This time it was successful and the situation came back to a stable (manageable) server. Time for investigations! I extracted useful data from my log files and did some research. First, some stats:

  • 761395 GET requests
  • Coming from 624 unique IP addresses
  • Coming from 562 different blog addresses (grabbed from UA strings)
  • Coming from 28 different WordPress versions (non-obfuscated)
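As an added example (not the post’s own tooling), here is a small Python script that extracts the same statistics from Apache access-log lines in the format quoted above: it only counts GET requests carrying the “WordPress/<version>; <blog_url>” User-Agent and reports unique source IPs, blog URLs, versions, hits per IP and the busiest second. The first sample line is the one quoted in the post; the others are constructed with RFC 5737 test addresses and example.org hostnames.

```python
import re
from collections import Counter

# Apache access-log line in the shape shown in the post: client IP:port, ident, user,
# [timestamp], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) \S+ [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent sent by WordPress's HTTP client: "WordPress/<version>; <blog_url>"
WP_UA_RE = re.compile(r'^WordPress/(?P<version>[^;\s]+);\s*(?P<blog>\S+)$')

# Constructed sample: the first line is the one quoted in the post, the rest are made up
# (RFC 5737 test addresses, example.org hostnames) to exercise the counters.
SAMPLE_LOG = """\
41.203.18.72:36261 - - [09/Mar/2013:15:54:20 +0100] "GET / HTTP/1.0" 200 33393 "-" "WordPress/3.5; http://www.finserv.co.za"
41.203.18.72:36262 - - [09/Mar/2013:15:54:20 +0100] "GET / HTTP/1.0" 200 33393 "-" "WordPress/3.5; http://www.finserv.co.za"
198.51.100.7:51000 - - [09/Mar/2013:15:54:20 +0100] "GET / HTTP/1.0" 200 33393 "-" "WordPress/2.8.3; http://blog.example.org"
198.51.100.7:51001 - - [09/Mar/2013:15:54:21 +0100] "GET / HTTP/1.0" 200 33393 "-" "WordPress/3.4.2; http://other.example.org"
203.0.113.9:40000 - - [09/Mar/2013:15:54:21 +0100] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def version_key(version):
    """Sort key so that '2.8.3' < '3.4.2' < '3.5' (non-numeric parts are ignored)."""
    return tuple(int(p) for p in version.split('.') if p.isdigit())


def analyse(log_text):
    """Return the flood statistics the post reports: WordPress-originated GET count,
    unique source IPs, unique blog URLs, sorted versions, hits per IP and the busiest
    second (requests/second)."""
    ips, blogs, versions, seconds = Counter(), set(), set(), Counter()
    wp_requests = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip rather than crash
        ua = WP_UA_RE.match(m['ua'])
        if not ua or m['method'] != 'GET':
            continue                      # only count WordPress-originated GETs
        wp_requests += 1
        ips[m['ip']] += 1
        blogs.add(ua['blog'])
        versions.add(ua['version'])
        seconds[m['ts'].split(' ')[0]] += 1   # drop the timezone, key by second
    peak_second, peak_rps = seconds.most_common(1)[0] if seconds else (None, 0)
    return {
        'wp_requests': wp_requests,
        'unique_ips': len(ips),
        'unique_blogs': len(blogs),
        'versions': sorted(versions, key=version_key),
        'hits_per_ip': dict(ips),
        'peak_second': peak_second,
        'peak_rps': peak_rps,
    }


if __name__ == '__main__':
    for key, value in analyse(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Feed it a real access log (`analyse(open('access.log').read())`) to reproduce the counts above; the lowest entry of `versions` is the oldest WordPress release seen in the flood.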

The amount of hits per IP address was stable, as seen in the chart below. The first IP addresses hosted more than one blog (shared platform).

Hits per IP Addresses

Where do those websites come from?

WordPress Map


The logged IP addresses were indeed the ones of the blogs mentioned in the UA strings (not fake). What about the different blogs? They were not compromised (I just tested some using urlquery.net) and are alive. Their content does not help me understand the issue: different languages, multiple topics, most of them not related to IT or close to leakedin.com. I searched for “leakedin.com” on them: no hit returned!

Having multiple versions of WordPress (from very old to the latest one) tends to prove that it’s not an exploit. Some blogs that I visited had not been updated since 2011! What was the origin of this problem? I don’t have a clue. If you have more information or ideas to share, feel free to post comments!

A final remark: The number of outdated WordPress versions is impressive! The oldest one detected was 2.8.3!

BlackHat Europe 2013 Wishlist

 

Here we go with a new season of security conferences! BlackHat Europe is the first big event for me this year. The conference is back in Amsterdam this week for two days full of interesting briefing sessions and workshops. Again this time, the BlackHat organization provided me with a press pass (thanks again to them!) to attend and cover the event. This edition is back to a classic format: two days of trainings and two other days of briefings (last year, there were three days). I will cover the briefings live (via Twitter) and write wrap-ups after each day. Here is my (current) selection of sessions I would like to follow:

In parallel to the regular tracks, the BlackHat Arsenal is organized again by NETpeas, where security tools will be demonstrated. I’ll briefly present the status of my project called CuckooMX. I just noticed that my friend and Belgian blogger colleague Peter (corelanc0d3r) has also posted his pre-conference blog post. His planning is completely different than mine. This is a good thing: we will be able to provide a broader overview of the conference!

I’ll drive to Amsterdam on Wednesday evening. Feel free to contact me for a chat over a beer. See you there!

OWASP Belgium Chapter Wrap-Up March 2013


Here is a quick wrap-up of the first OWASP Belgium Chapter meeting of 2013, organised today in Leuven. SecAppDev is running this week, so it was a good opportunity to bring some trainers for an evening meet-up: Yves Younan and Steven Murdoch. Lieven, from the OWASP team, gave a small review of the current Belgium chapter and projects. The room was full of (new) people. There were so many attendees that the organisers had to do a last-minute switch to a bigger room! That’s very good: seeing old friends is always nice, but new faces are always welcome. OWASP has so many important messages to broadcast to people. If you never attended such an event, please do next time… and it’s free!

The first speaker, Yves, is a Security Researcher at SourceFire and talked about “25 years of vulnerabilities“. To perform this research, Yves had a look at the main vulnerability databases like CVE and NVD. The goal was to build an overview of the vulnerabilities reported during the past years and, based on that, see if we could expect some trends for the coming years. Since vulnerabilities started being indexed (in 1988), 54.000 vulnerabilities have been reported. Yves gave some statistics based on two levels of criticality: the serious vulnerabilities (CVSS >= 7) and the critical ones (CVSS = 10). This scoring is based on multiple factors like being remotely exploitable, affecting data integrity, availability, etc. Note that if not enough data is provided, the vulnerability is classified as critical by default. This is a safe behaviour: if you don’t know your enemy, expect the worst. Since 1988, there was clearly a trend as seen in the picture below, but fewer vulnerabilities were tagged as “serious” (33% in 2012). 9.16% were tagged as “critical” in 2012. Vulnerabilities are classified by types:

  • Authentication
  • Credential management
  • Access control
  • Buffer errors (overflow)
  • CSRF
  • XSS

Most important (in terms of occurrence) were buffer overflows, XSS and access control. Top-3 serious vulnerabilities: buffer overflow, SQL injection and code injection. For critical vulnerabilities: buffer overflow, “not-enough-info” and access control. And what about our best friends, the security vendors? The top-10 vendors account for 14K vulnerabilities, but we must keep in mind that some vendors have a lot of products in their catalog. The top-3 in numbers were Microsoft, Apple and Oracle. The serious top-3 was Microsoft, Apple, Cisco and the critical one was HP, IBM and Mozilla. BTW, it’s pretty sure that Oracle will grab some positions in 2013.


About the products:

  • In numbers: Firefox, MacOS X, Chrome
  • Serious: Microsoft XP, Firefox, Chrome
  • Critical: Firefox, Thunderbird, Seamonkey.

Note that some products share a lot of code, think about Firefox and Thunderbird (both are developed by Mozilla). What about Linux? Red Hat is the winner, followed by SUSE and Gentoo. And for Microsoft, the winners are Windows XP, Server 2003 and Server 2000. Of course, for a few years now, mobile phones also suffer from vulnerabilities. In this scope, Apple is the winner with its iPhone, which accounts for 81% of the mobile vulnerabilities. This looks strange because there is much more malware for Android. Then Yves explained the methodology used to try to count 0-day vulnerabilities for Microsoft products. How? If a CVE is published before a Microsoft Security Bulletin, it can be considered as a 0-day. Results? In most cases, Microsoft communicates before a CVE is assigned. Only 13% could be considered as 0-day vulnerabilities.

And what is the situation today? (Statistics on the period from 1st January to 14th February.) The type “not-enough-info” comes in first place. Buffer overflows remain in 2nd position. And who’s the top vendor? Guess who? Oracle of course, with the multiple Java vulnerabilities reported in the last weeks. Finally, Yves tried to give some predictions about the future. For him, buffer overflows will remain a very important type of vulnerability. Access control and privilege issues will grow. At vendor level, Oracle will remain in 1st position and Google will probably enter the top-10.

Some conclusions to this research? Fewer vulnerabilities were reported in 2012 but the percentage of critical ones increased over the last two years, so the trend will continue! If you would like to read more about this topic, the full report is available here. The talk was not technical and was only based on vulnerability databases; I would have expected more facts. Usually, I don’t have a lot of time to read such reports full of statistics, and this presentation was a great opportunity to review the report content. Maybe a last tip: regularly check sites like CVE, NVD or OSVDB to stay updated on new vulnerabilities.

After a small break, Steven, Senior Researcher at the University of Cambridge, talked about a hot topic: security in banking applications. In the UK, “Chip & PIN” has been available for five years now (based on the EMV standard). It’s convenient: the user puts his card in a reader and enters his PIN. The UK was a very early adopter (2006) of this system. The goal of EMV was to drastically reduce fraud. Did it succeed? This is not sure. Steven reviewed some statistics about fraud, and some types even grew, like counterfeit fraud. Techniques exploit backwards compatibility issues. Indeed, the old magstripe can still be used as a “failover“ because upgrading to Chip & PIN was too complex and expensive to be performed in one step!


Counterfeit fraud increased again after the deployment of EMV. It was easier to collect PINs at a POS than at an ATM. Attackers try to find the weakest link. Online banking started in 2009 and is growing. The responsibility for some fraud shifted from the merchant to the customer. Another fact: PoS (“Point of Sale“) terminals are difficult to harden compared to regular ATMs. Steven gave in-depth information about the vulnerability discovered by his University.

Then he talked about the “no-PIN attack“: it allows criminals to use a stolen card without knowing the PIN. To achieve this, you need a device between the genuine card and the reader. This is some kind of MiTM attack. A demo was even performed for UK television:

This was three years ago! And today, what’s the situation? Well, according to Steven, not much has changed. The attack works against cards issued by some banks and not others. Why was this attack possible? Because EMV is complex, it uses a bad design for the flags exchanged between the card and the reader, and implementations have problems. For the banks, it’s just a matter of risk: based on the number of transactions, banks could take the risk of facing some fraudulent events. Finally, the latest type of fraud which is still growing in the UK was reviewed: phishing and key loggers. Steven presented the different types of devices/controls used to authorise transactions, like more or less complex CAPTCHAs, TAN or DigiPass, but most of them also have issues.

Steven’s conclusion: EMV systems are open to a variety of attacks. Their complexity is problematic. There is a lack of resistance measures implemented and customers are still left liable. Today, for online banking, transaction authentication is essential, which requires a trustworthy display. The research is available here. Compared to the first one, this presentation was very technical. Maybe a little too much for me, who has no experience in this field.

Apkscan: Live Android Malware Analysis

Mobile devices are more and more seen as nice targets from an attacker’s point of view. This is easily understandable: the market is exploding and people still don’t realize that a mobile device is not only a mobile “phone” but a mobile “computer” with an operating system, I/Os and… applications! The mobile OS landscape is split between two systems: iOS (Apple) and Android. Apple is renowned for locking its market and keeping tight control over it, even if they have a glitch from time to time. To install an application on your iPhone/iPad, go to the App Store. Of course, if you jailbreak your device, there are alternative stores, but let’s assume that you’re a good boy/girl!

Android is more open and, next to the official store (Google Play), many alternative sources of applications are available to us. Some of them suffer from a total lack of control and we are not always sure that the downloaded application is safe. The first reflex when you install an Android application is to check its permissions. Why should a game have access to your full address book and be allowed to send SMS or perform calls? This looks suspicious!

Android-Permission


But what about the example of a small game requiring Internet access? This could seem legitimate to allow communications with the outside world: to upload scores, to download new maps or levels. But “Internet access” is very (too?) broad. Are you sure that some data could not be leaked? The only way to test the Internet traffic generated is to install the application on a test device and sniff your wireless traffic… Easy if you are a techie! Otherwise, install the app and cross your fingers?

I won’t discuss the process of malware analysis here… Just a reminder: you have two major ways to do this: static or behavioral analysis. With the first one, you analyze the provided binary and try to understand how it works (e.g. by reverse engineering it). With the second one, you execute the code and collect as much information as possible, like files accessed/created, DNS requests, network traffic, etc. This is performed in a safe environment (a sandbox).

For a while now, there have been solutions to perform this kind of live analysis on regular (read: “for Wintel architecture“) pieces of malware. Some are commercial, others are open source (like Cuckoo). But what about Android applications? nViso, a young company founded by a group of Belgian infosec professionals/enthusiasts, is working on a project called “Apkscan“. APK is the file format used to distribute Android applications. Yesterday, during a SANS@Night session in Brussels, Daan Raman demonstrated his tool:

apkscan Screenshot

As you can see, it uses the same philosophy as regular malware analysis tools: you submit a suspicious file, it executes it and generates a nice report. Both static and behavioral analyses are performed. The report contains a static analysis, the permissions extracted from the Android manifest XML file, a VirusTotal output, URLs found and a behavioral analysis. The tool is still being developed but works quite well. I had the opportunity to submit some samples. Check out the two generated reports (a good and a bad one). The tool should be made publicly available soon. Great job!

SIEMSpotting


Scanning Malicious URLs in One Mouse Click

Since it’s already Friday, just before leaving for the weekend, here is a quick hack for all MacOS X infosec guys… and the others! I’m not afraid to admit it: I’m lazy! We are using computers all day long and they have been created (usually ;-) to automate tasks. Let them do our boring job…

One of the recurring tasks I perform multiple times a day is scanning URLs for malicious code. We all read plenty of information daily which contains URLs (mail, PDFs, Office documents). Call me paranoid, but I prefer to scan them before suffering an unexpected behavior from a simple mouse click! I’m a fan of the online service called urlQuery for this task:

“urlQuery.net is a service for detecting and analyzing web-based malware. It provides detailed information about the activities a browser does while visiting a site and presents the information for further analysis.”

Submit your URL and a report will be generated with the complete analysis of the code and objects downloaded. Why not automate the submission of URLs to urlQuery?

OS X comes with nice tools to automate a lot of stuff. I recommend having a look at Automator and AppleScript. They can be used to create personalized services which are available in any application via a right-click and choosing “Services“.

Let’s create a new service called “Analyze with urlQuery“. Launch Automator:

  • Select Library > Utilities > Run AppleScript
  • Define the parameters:
    Service receives selected: “URLs” in “any application”
    Input is “only URLs”
  • Create the AppleScript below
  • Save

The AppleScript is really simple: it opens a new tab in the first Google Chrome window, connects to urlquery.net, fills the form with the (malicious) URL and submits it!

on run {input, parameters}
    -- Automator passes the selected URL(s) in "input"
    set url0 to "http://urlquery.net"
    set input0 to (input as string)
    tell application "Google Chrome"
        reopen
        activate
        tell window 1
            -- open urlQuery in a new tab of the front window
            make new tab with properties {URL:url0}
        end tell
        -- give the page a moment to load before typing
        delay 2
    end tell
    tell application "Google Chrome" to activate
    tell application "System Events"
        -- type the selected URL into the focused form field and submit it
        keystroke input0
        keystroke return
    end tell
    return input
end run

Once created, a new service will be available in your applications like Mail:

urlQuery Service


Simple and convenient! A big thanks to @_coreDump for his precious help in fixing my AppleScript code!

Bring Your Own Rogue [Router|DHCP|Access Point]

In the series of gadgets that we must bring with us, let me present the “NI-707537” from ICIDU. I’m always traveling with a big backpack containing plenty of useful stuff. Working often at customer premises, I don’t have a fixed place in my company’s offices. I’m always carrying all my gadgets with me: two laptops, iPad, cables, external storage, connectors, sniffer, etc. The latest addition to my survival kit is this small router, which has a lot of interesting features.

Maybe the most important: it is very small! (Check the picture.) Easy to carry but also easy to hide under some papers or cables. It comes with two NICs called “LAN” and “WAN”, a wireless interface, and supports up to 150 Mbps of traffic. USB powered, it can be connected everywhere. The list of features is quite complete:

  • 802.11b/g/n
  • WEP, WPA/WPA2, TKIP/AES
  • IEEE802.1x
  • 2 dBi antenna
  • Web GUI
  • Static or Dynamic IP, PPPoE
  • NAT / DHCP server
  • VPN pass through
  • Firewall
  • QoS

What else? Mine is configured to get its WAN configuration via DHCP and to offer a protected WiFi SSID. Easy to deploy your own access point to connect your iPad or any mobile device. Having a “portable” DHCP server could help in some situations.

Of course, the device can be used for malicious activities. Just connect it to a LAN and connect to it remotely. You’ll have plenty of time to play. This is a good opportunity to remind you that the “BYOD” buzzword, or “Bring Your Own Device”, focuses mainly on people using their personal end-user devices. Don’t forget that people may connect rogue active devices to your networks!