And we are back for a second day full of fun and pwnage! It was a rainy day on Amsterdam today but water will not prevent hackers to meet again! I joined the hotel for the breakfast in time.
HITB Amsterdam 2013 Wishlist
The next edition of Hack In The Box gets closer! It will be held next week in Amsterdam. Thank to the organizers, I get a press pass and I’ll again be back for two days at the Okura hotel to cover the conference. I’ll tweet live (follow the official #HITB2013AMS hashtag) and write wrap-ups. The conference is organized in the classic format: two days of trainings and two days of high-level talks. They will be split in a three-tracks schedule. Here is my wishlist:
- Embracing the Uncertainty of Advanced Hacks with Big Data Analytics (keynote)
- Papparazi Over IP
- Orchestrating a Fire Sale: Bringing Dutch Alarm Systems to Their Knees
- Nifty Tricks and Sage Advice for Shellcode on Embedded Systems
- Virtually Secure: Analysis to Remote Root 0day in an Industry Leading SSL-VPN Appliance
- LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements
- Abusing Twitter’s API and OAuth Implementation
- How I Met Your Modem
- Who Can Hack a Plug? The Infosec Risks of Charging Electric Cars
- You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Banking Apps
- To Watch or Be Watched: Turning Your Surveillance Camera Against You
- Dreamboot: A UEFI Bootkit
- The History of the Future of InfoSec (closing keynote)
I had to make difficult choices due to the overlapping of very interesting tracks. At the end of the first day, I hope to be able to attend Itzik Kotler’s workshop about his new tool released just a few days ago (hackersh). The content looks amazing with very good speakers. Stay tuned for more details soon. Ping me if you want to meet!
HITB Amsterdam Wrap-Up Day #2
I’m just back at $HOME. Let’s go for the second day wrap-up! This morning, I walked to the hotel in the sun to take a breakfast. Very nice weather over Amsterdam again today! Bruce Schneier was the second keynote speaker.
HITB Amsterdam Wrap-Up Day #1
I’m back in Amsterdam for the third time to attend the Hack in the Box security conference! Thanks to the organizers, I received again a press pass to cover the event. Thanks to them! So, here is my wrap-up of the first day. This year, I was also present as a speaker for SIGINT. SIGINT is a bunch of “small talks between the talks” where people are free to present their research, their tool in a limited time window. After a safe travel from Belgium and the classic registration procedure, it was time for a small breakfast before the start of the busy day.
HITB2011Ams Wrap-up Day #2
After a cool dinner with other Belgian infosec people, the second day started with a discussion panel about the “Economics of vulnerabilities“. The panelists were: Lucas Adamski (Mozilla), Steve Adegbite (Adobe), Aaron Portnoy (Tipping Point),Adrian Stone (Blackberry / RIM), Chris Evans (Google),Katie Moussouris (Microsoft), Dhillon Kannabhiran (HITB – moderator). Almost all vendors are concerned by vulnerabilities in their softwares. Some decided to develop research programs to involve users in bug hunting (Mozilla & Google are well-known examples). Google estimates the cost of its “bug bounty program” only 10% of the price required by consultants to do the same job! The main topic was the “black market“. Yes, it exists and vendors cannot compete against the prices proposed there. If you want to make some business, this is the place to be! But, people buying on the black market are also expecting results: working exploits and not only a “vulnerability”. They are ready to pay but for a good ROI. Another topic was how vendors accept vulnerabilities in their products. Some of them are still old-school and sue security researchers (check out the recent magic_de story) or ignore them. Some vendors establish good communication with the community of security researchers. About the vulnerability research programs, Microsoft told that they don’t have one: most vulnerabilities are sent to them privately. Question: isn’t a risk of “iceberg” effect? Most bugs being silently fixed? Note that even if 0-days are critical, they can be reduced by implementing security at all levels! (network access, permissions, etc). Victims of a 0-day introduced the malicious code via a specific channel or an action. Microsoft also mentioned “developers education“. Another good point! Last question: Will the researchers focus on bugs with bounties? All participants agreed on the fact that money is not the main incentive. Reconnaissance remains important!
The second talk was presented by Ivan Ristic about “SSL“. What’s the status of SSL implementations today? Is SSL properly configured? First, according to Ivan, SSL must be seen as an “add-on” designed for HTTP, as well as other protocols. SSL is not only a piece of code. It’s a full ecosystem: This is a good example of why security is difficult. The main issue remains weak configuration! SSL suffers of three principal attacks:
- Passive MitM (Example: firesheep)
- Active MitM (Example: sslstrip)
- 3rd party compromise (outsourcing)
Then, Ivan introduction of the research he performed via SSL Labs. They wrote a SSL rating guide and provide interesting online tools like the SSL assessment review. What’s the status of SSL implementations on the Internet? SSL Labs performed a big study: in 2010, they scanned web sites to grab SSL configuration. What do they discover?
- 119M domains checked, 900K servers to assess
- 600K were valid
- Ivan Ristic’s Presentation
In 2011, the performed the same exercise but using the EFF’s SSL observatory DB and scanned 1.2M of sites. They build a specific crawler (robot) to visit top list of sites. What’s the current usage?
- Must combination is SHA1/RSA. most servers support strong ciphers.
- 20% redirect HTTP to HTTPS and from the other, some even do not redirect the login pages to HTTPS!
- HSTS is almost unused (HTTP Strict Transport Security): 80 sites from 250K
- Cookies remain common in authentication
- Cookies secure flag must be more used
- Mixed content can also be a problem
- Distribution of trust (Google Ads, Analytivs, Twitter, Facebook, etc)
What were Ivan’s conclusions? First, the press and community give bad messages regarding SSL. In most cases, the deployment and implementation breaks SSL and finally, it’s possible to achieve reasonable security but most sites choose to not do it! Finally, a mention for the Google project “SPDY” which offers encryption by default.
“Let me Stuxnet you” was presented before the lunch. I was a bit septic by reading the title of Itzik Kotler. Everything has already been said about Stuxnet! But, good surprise, after a very short introduction about this attack, Itzik explained that software controls hardware but that malicious sofware can also control software! And software can damage hardware! This is called a “PDoS” or “Permanent Denial of Service“. A PDoS is an attack which causes a piece of hardware to be replaced or reinstalled (Examples a bricked device). The reasons to perform a PDoS attacks remain the same as attacking a power plant: Rival companies, Foreign countries, terrorism, etc. They are different types of attacks:
- Phlashing: overwriting the firmware and make it useless or “bricked“
- Overclocking (burn it)
- Overvolting (burn it)
- Overusing (reusing a mechanical device and force it to die – like a CDROM tray)
- Power cycling
In a computer, what are the potential targets of such attacks?
- Fans (reduce speed to increase temperature)
- CPU Infinite loop using sample code: “jmp short 0×0″, bricking CPU by flashing a new microcode)
- RAM (overclocking or overvolting)
- GPU
- Hard drives (excess of I/O)
- SSD drives (excess of write operations)
- BIOS
- NIC
Some funny simple example of “killer” commands:
# while true; do dd if=/dev/xxx of=/dev/xxx conv=notrunc; done # hdparm -S 1 /dev/xxx; \ while true; do sleep 60; dd if=/dev/random of=foobar count=1; done # while true; do eject /dev/cdrom; eject -t /dev/cdrom; done
Which countermeasures can be used against those attacks? For firmware upgrade, use digitally signed images and, as usual, apply common basic security! The talk was interesting but presented too slowly! Half an hour should be enough. No need to spend ten minutes on overclocking!
I attended “Attacking critical infrastructure” by Maarten Oosterink. A nice talk just after the lunch. Everything has been said in Stuxnet. Some interesting facts mentioned during the presentation:
- A common issue with systems used in industrial environment: When to patch? (During install, during maintenance cycles: 1-2-4 years,e very Tuesday, never)
- Who maintains? (The IT department, local engineers, vendors)
- Critical infrastructure are based on multiple (un)common protocols and applications. This increases drastically the surface of attack!
Regarding those attack vectors:
- The human factor (night shifts, remote locations), computer look “like home“, noisy rooms, poor IT skilled people, contractors/vendor maintenance.
- Procedural: low patch frequency, manual patching, backups on removable devices,irrelevant policies
- Used technologies: 90′s networking, bad configurations, no monitoring, ha protocols not robust and OSI layers > 5
One of the most expected talk with the one of Adam Laurie & Daniele Bianco. Indeed, the room was full. They presented their research about the security of the “EMV” (“Europay Mastercard Visa“) system used by modern readers/credit cards. The system has already been reported as broken by the Cambridge University. They explained deeply why the system is vulnerable. They showed an EVM skimmer. Compared to magnetic stripe models, they cannot be detected and require little installation effort.
EVM Skimmers
The EVM domain makes usage of a lot of abbreviations like CVM, PIN, SDA, DDA, CVMR, TVR which made some slides not easy to follow but, most imporant, they performed a nice demo and cloned a credit card.
The last talk was about OpenDLP: “Gone in 60 seconds” presented by Andrew Gavin, the creator of OpenDLP. According to the presentation title, I expected a more aggressive approach of OpenDLP. How to use it to really steal information. Andrew presented his tool in the first part. OpenDLP is free and based on two components: a central server (LAMP) . It can address:
- Compliance requirements
- Network & system administration tasks
- Pentests
Why it was developed? DLP solutions are expensive and not based on agents. Most important they are not working in the background! OpenDLP is based on policies that can be expended and reused across multiple agents. Policies have the following features:
- PCRE regex
- White/black lists
- Concurrent agent deployment
- Memory requirements
- How often agents phone home with results
- Obfuscation of data (ex: xxxxxx-3010)
How is the scan performed? Agents are deployed via SMB and started with Samba’s winexe (to run remote commands over SMB). Once running, it’s non intrusive by limiting the used CPU and memory resources. And once scan done, it asks itself to the server to be removed (winexe again). All the results are available from the server using a browser.
The second part was a review of the web interface (server side) with all the available features and a scan demo. Some benchmarks were collected to compare agent-based vs agent-less implementations. The list of coming features looks cool.
In the main room, it was also the end of the robot contest organized by the hackerspaces. I need such toys too! 
Hackerspaces Robots Contest
The closing keynote was presented by Richard Thieme. It’s now almost time to drive back to Belgium. Thanks to the HITB team for the organization (and the press pass). See you next year for another coverage!
HITB2011Ams Wrap-up Day #1
Welcome back in Amsterdam! This is the second edition of the Hack In The Box (HITB) security conference in Europe. Let’s go for a quick wrap-up! I woke up too early (04:00AM) to drive to Amsterdam and arrived without any traffic jams (rare in Amsterdam)! Enough time to perform the registration tasks and grab some 0xC0FFEE! The event started with a keynote presented by Joe Sullivan, the CSO of Facebook. “Facebook” and “Security” are two terms that are often present at the same time in information security news. Joe explained how Facebook implemented new security controls to raise the security of the social network users. Interesting statistic: the average Facebook user created ninety pieces of information each month! The main security innovation is the implementation of the “real name” culture. It is proven that, in public online places like forums, people are less aggressive if real names are used. Facebook also implemented tools to protect users from rogue profiles and to authenticate them in a better way. Some of those features are:
- Social reporting: You can report abuses of private data using by non authorized people.
- Social verification: Facebook might ask you to authenticate people shown on pictures.
- Account management: HTTPS support, login notifications and approvals, recognized devices and recent activity log.
It’s also more easy to report false information using the “Report” links available on almost all pages. The security policy of Facebook is clear: “Sometimes the best defense is good offense“. Facebook don’t hesitate:
- To escalate security issues to law enforcement.
- To coordinate with industry on technical take-downs
- To work with legal on lawsuits
- To perform investigations using a “formal escalation program” with authorities like the FBI, Interpol, DOJ, ICE, Secret Services.
The message passed by Facebook was clear: they take security into account. As said Joe:
“Innovation is essential on the internet. Security teams cannot say no to opportunities, must show how to do it safely and constantly adapt“.
I totally agree but, hélas, Facebook has to deal with the most difficult stuff to protect: people! Even by deploying new security features, they won’t prevent people to share and disclose sensitive stuff publicly. Then the real presentation started. HITB is based on two main tracks at the same time, some workshops (track #3) and lighting talks during coffee breaks. As usual, you’ve to make choice between concurrent talks.
My first choice went to Laurent Oudot, a French security researcher about the extraction of sensitive data from iPhone devices. The talks was talked “iNception” because could extract lot of information from the devices memory and they liked the movie 
The goal was to review some offensive concepts around iOS devices and to share the findings. Laurent already presented some security stuff around iOS devices last year. He first came back to the previous issues and reviewed what changed. Some actors reacted properly and fixed the security holes (Thalys), others did not ever respond (HTC). First topic, how to find vulnerabilities in the smartphone world? There are multiple ways:
- Reverse engineering
- Behavior analysis (log, sniffer, memory, file system)
- Fuzzing
- Audit
- Pentest
To fuzz the device, some URL schemes can be used like: “<a href=’sms:” or “<a href=’tel:“. Audits may reveal interesting stuffs like the one present in the iOS 4.3. This versions proposes a new feature called “personal hotspot“. Nice but the WPA key is displayed in clear text on the console… Pentests may use “regular” applications available on the AppStore (read: “approved by Apple“). Those applications could be dangerous if not properly used (Example: AirContact). Then Laurent came back on the “location issue” disclosed soon and fixed in the iOS 4.3.3. He explained how to get rid of the data stored in the “consolidated.db” file:
- Using a jailbroken device, there is a Cydia application available. But it requires a running daemon on the device consuming some CPU cycles & battery.
- For an official device: backup, change the file and restore. Be the file will constantly be fed with new data, the operation mist be performed on a recurrent way.
- Upgrade to iOS 4.3.3
But there is another way (if you can’t or don’t wan to upgrade). The consolidated.db is a regular SQlite file and triggers can be added to SQL commands like “INSERT“. An “auto-delete” trigger can be implemented. More amazing, the iOS has many SQlite files to store sms, contacts, calls. By adding more triggers, it’s possible to implement an anti-forensic protection (auto-deleted, injection of fake information) or to backdoor to data by copying then to hidden tables! The next demo was a phishing attack against an iPhone by hijacking a local application (no exploit!). Just prepare a fake loging page and access your victim device physically. Very easy! Who’ll refuse to help a nice lady asking “May I use your mobile 30 seconds to call my boss?“. She could replace your regular Facebook application icon (moved to another screen) but a webapp linked to your rogue access page. More funny, the iOs has many URL schemes even not documented like:
- fb://profile/
- twitter://
- ppclient://
- portscan://
- ssh://mobile@alpine@127.0.0.1
Finally, Laurent gave a tip to detect jailbroken remotely. A very interesting talk. The conclusion is that mobile users require more security awareness. A modern mobile is a very nice target and is as vulnerable as a regular computer. The next talk focussed on XSS vulnerabilities. Well know and easy to reproduce by displayed nice “Pwn3d” alerts, Claudio Criscione explained how to go deeper and really use them during pentests. First Claudio explained that XSS are easy to find but using “alert” alone is irrelevant! Why not use the XSS for more malicious purposes? How to bridge the gap between MetaSploit & XSS attacks? Don’t forget that XSS are still relevant vulnerabilities! According to Claudio: “Using an alert today vs actively exploiting the XSS is closer to running Nessus than using Metasploit“. Then he explained the idea he had and how he build a new MetaSploit module to really take advantages of XSS holes in web applications.
After the lunch break, I attended another talk related to pentesting. Elena Kropochkina and Joffrey Czarny explained how to use “webshells“. What’s a webshell? It’s a piece of malicious code running on a victim host and which help the pentester to perform lot of interesting tasks like:
- File management, upload, download
- Execute system commands
- List ports, process
- Send e-mail,
- En(de)code
- etc.
They are webshells available on all common web platform (PHP, ASP, Java). Well known names are C99, FaTaLisTicq, NFM, R57, PHPJackal, Zehir, JspSpy. But most of them are detected by antivirus. To bypass them, obfuscation techniques are mandatory. Elena & Joffrey reviewed common techniques to obfuscate code. Example on PHP, hash the function and variable names, remove spaces, newlines etc. The problem with webshells: they have been developed for malicious activities and are not oriented to pentesting. That’s why Elena wrote a new webshell with more features:
- A unique framework (PHP ASP JSP)
- Protection (encryption of executable code)
- Client-agent architecture
- Integrity verification
- Key encryption locking on the pentester IP address
- Bypass ID(P)S and WAF’s
- Source code encryption
- Encrypted commands between the agent and server
- Protection against malicious re-use (unique password for each agent)
- Modular structure (based on modules)
Some demos were performed. Nice project still under development. There is no plan to distribute the tool but it could be really a “plus”. Nice job! After webshells, we focused on SAP with Mariano Nunez Di Croce. Why is SAP? Here are some facts:
- 140K implementations worldwide
- 90K customer, 120 countries
- Fortune-500
- Business critical (govern, military, etc…)
Enough to make SAP a nice target! Last year, Mariano already presented some cool stuff about SAP. He was back with more funny demos! His topic focused on the security of standard SAP web applications (not custom). SAP traditional security is based on “separation of duties” but it’s not enough. The forgotten layer is the business runtime which involves much higher risks! Did you know that the number of “security bulletin” published by SAP exploded? 900 by end of 2010! SAP also implemented a “security day” like Microsoft. They also released some white papers related to security. The biggest issue remains the visibility of SAP on untrusted networks or directly on the Internet. SAP instances are easily detectable via Shodan or Google. SAP can be reached via different architectures:
- SAP ITS (Internet Transaction Server)
- SAP ICM (Internet Communication Manager)
- SAP EP (Enterprise Portal)
SAP instances can be easily identified via server banners, error messages, some components versions are even available in the HTTP source code. A typical SAP ECC install contains 1500 standard ICF services! Some are public and reveal interesting information (Example: /sab/public/info). Many SAP system are shipped with default password: SAP*, DDIC, EARLYWATCH, SAPCPIC and TMSADM. Mariano made several demos using SOAP RFC service. He also bypassed the authentication process using BurpSuite. Nice! What to conclude? SAP systems are connected to the Internet, SAP has different web technologies: understand them and how to secure them. Hopefully, SAP is working on security: The demo works only if not following SAP security recommend.
To close the first day, I planed to follow the track about the reverse engineering technique of the ticketing system of public transport systems. But for legal reasons, it was canceled (more details here). My alternative choice was to follow a presentation about ASLR in iOS or Silverlight/.Net issues. Definitively not my cup of tea. I skipped them. Second talk cancelled today: the one about OpenLeaks by Daniel Domscheit (absent due to illness).
In parallel to the talks, the CTF contest is ongoing as well as the Lego robot challenge day for HackerSpaces. The HITB team releases material after each presentation, keep an eye here! Stay tuned for the second day!
HITB Amsterdam 2011 Coverage
In exactly one week, the 2nd edition of HITB Amsterdam (“Hack In The Box“) will be already over. As you see their logo on the left, I’ll attend the event and perform a coverage via Twitter and my Blog (Thanks against to the organization for the invitation!). I’ll be in Amsterdam next Thursday and Friday, feel free to poke me if you’re around.
For this second edition, the format remains the same as many conferences: two first days dedicated to trainings, two other days for talks about hot security topics and lot of fun with a CTF contest, the hackerspaces and lockpicking villages, the labs (or workshops) and SIGINT (or lightning talks).
As usual, here is my wish list for the talks:
- Keynote by Joe Sullivan (CSO of Facebook)
- iNception – Planting and Extracting Sensitive Data From Your iPhone’s Subconscious by Laurent Oudot
- MetaXSSploit: Bringing XSS to Pentesting by Claudio Criscione
- WebShells: A Framework for Penetration Testing by Elena Kropochkina & Joffrey Cazrny
- Your Crown Jewels Online: Attacks Against SAP Web Applications by Mariano Nunez Dri Croce
- She’s Got a Ticket to Ride: Fake MIFARE Tickets by Epto
- Openleaks Exclusive by Daniel Domscheit-Berg
- Credit Card Skimming and PIN Harvesting in an EMV World by Daniele Bianco & Adam Laurie
- Let Me Stuxnet You by Itzik Kotler
- Attacking Critical Infrastructure: Behind the Scenes by Maarten Oosterink
- DNSSEC: The Good and The Very Bad by Bert Hubert (CEO of PowerDNS)
- Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously by Andrew Gavin (Creator of OpenDLP)
See you there or stay tuned for more information…
Censorship Does Not Increase Security!
ENISA published in September 2009 a press release about the huge increase in ATM fraud. The title spoke by itself: “Annual cash machine looses in Europe approach EUR 500 million: ENISA provides advice for consumers.“
The last talk scheduled during HiTB Amsterdam last week was canceled and replaced in last minute by the one of Job De Haas. The time was normally assigned to Raoul Chiesa who would speak about the “underground economy“. Due to pressure coming from the ATM vendors, he was forced to cancel his talk. Raoul is a well-know security professional:
- Infosec professional via mediaservice.net
- Permanent stakeholder group at ENISA
- Contributer to the OSSTMM project
- Founder of CLUSIT
- etc…
I don’t know what was the content of Raoul’s presentation but he already presented it during the Confidence 2009 and NullCon conferences! Why was he suddenly censored? Instead of putting the pressure on a reliable security researcher and known as an ethical hacker, why do not ATM vendors try to fix the existing vulnerabilities? Censorship does not increase the security! Instead of paying lawyers to track people who try make things more transparent… “Fix That Shit!” (like said Joe McCray)
Hack in the Box Day #2 Wrap Up
Second day is over! And with the same fun as yesterday. After a (too short) night, some coffee was welcome just before the keynote presented by Mark Curphey from Microsoft. Mark revealed 10 crazy ideas that might change the information security industry with a little cost in money but a big impact (like the OWASP project). Here is his wish list:
- Adopt the Chinese medicine business model: Pay the doctor when you’re healthy!
- Stop human pattern matching: The human brain is not performant enough for that!
- Community driven statistical modeling: Formulas exist in lot of domains (ex: even to compute the wine quality). Where is the security equivalent?
- Teach kids computer security (Hackety Hack! is a nice project)
- Make developing countries center for security excellence
- Make hacking a competitive sport (like CTF contests)
- Connected information security framework (not enough interaction between existing databases or tools)
- Embrace design driven security (more features added to security product may result in a total mess)
- Crowd source access control
- Adopt agile mindset (agilemanifesto.org)
Brilliant presentation by Mark. As he said in the beginning: “No bullet points, no compliance, no PCI, …“. Just facts!
During the first set of talks, Roelof Temmingh presented Maltego v3. (Breaking news: the free version of Maltego will be available in a few days and will have less restrictions than the previous version!). As I already followed Roleof’s presentation during BlackHat Europe, I decided to attend a session about SAProuter: “An Internet window to your SAP platform” by Mariano Nunez Di Croce. I don’t have any experience with SAP but it can be useful to understand how vulnerable it is (as SAP is deployed in most big organizations). Mario reviewed the current security landscape for SAP product. It is clear that more and more vulnerabilities were discovered and the trend continues. Then he explained what is SAProuter. This is an application acting like a reverse-proxy which is used to give access to SAP resources for external partners like consultants or developers but also to the SAP support for remote management. That’s why SAProuter is a mandatory component in your infrastructure. Often people say: “My SAP is not available on the Internet” but have a look at the following Google query: inurl:/scripts/wgate. Even if SAProuter includes some security checks, they are sometimes badly configured or not configured at all.
BizSploit is an ERP penetration testing framework (“MetaSploit alike”) developed and used by Mario’s company to help assessing the security of SAP systems. BizSploit allows to scan, discover SAP resources and perform brute force attacks thru the SAProuter application. Even more funny it can also act like a SOCKS proxy and potentially forward traffic to ANY service on ANY host in the organization of the SAProuter is not properly configured. After the offensive part, Mario switch to the defensive part and gave some ways to increase the SAProuter security. It was a cool presentation. If you have to assess SAP environments, I recommend you to have a look at BizSploit.
Chris Hofmann, from Mozilla Corp, spoke about the future of Firefox (version 4). As the browser becomes more and more the primary tool to access applications and resources, it is clear that security is critical. Mozilla focuses on the following points:
- Security
- Stability
- Compatibility
- Memory use
- Speed
- Features
Chris reviewed the current security program developed by Mozilla to keep the security to the highest level (example: the Mozilla’s Bug Bounty Program). In the second part of his talk, he presented the future Firefox 4 (actually in beta-phase). To be kept in touch with new beta, releases etc, keep an eye on developer.mozilla.org/devnews/. What’s new in Firefox 4?
- Support for HTML5
- WEB Sockets
- Retain layers and layers contents
- CSS transitions
- WebM, 64bits builds
CSP (“Content Security Policy“) is a new feature to help the web developers. Remember that the web was not designed for user generated content. XSS attacks are still an issue as there is no way for the browser to differentiate the legitimate and injected content! CSP helps the browser to decide what to do with the content:
- Identify the abnormal behavior (what’s allowed and where it must come from)
- Specify a policy file
- enforce or just catch and report
Here are some basic examples of policies:
allow 'self'
allow 'self'; frame-src ads.net
allow 'self'; img-src *;
object-src *.teevee.com;
scripts myscripts.com;
This sounds like an interesting feature but, as usual, it must be used in the right way. Same as a firewall, if you define a rule “ANY:ANY permit”, you loose all the benefits! This is one feature that you have to keep in mind in the coming months.
After the lunch, Fyodor Yarochkin came back (he already talked about the Russian underground activity yesterday) with a new topic: “Xprobe-NG – Building efficient network discovery tools“. Fyodor is participating into this project and covered the current improvements done on his tool. Xprobe started as a project to perform remote fingerprinting using ICMP queries. Others protocols were added later (fuzzy fingerprinting). The NG version explores other protocols, performs bulk scanning, supports IPv6, honeypots. The results are also improved by cross-correlation over time (between the layer 7 and the network layers). The “enRoute” module findings are: caching systems or transparent proxies, L7 switches, reactive IDS/IPS, application firewalls. The honeypots module is able to detect virtual machines or networks and incomplete services by analyzing the IP flows.
Improvements of the new version are:
- Minimizing the network load
- Improving the precision (via the cross-correlation)
- Improving the usability (via language extensions in Python
Future developments: collect multiple dimensional data (time – sources – targets).
Even if lot of us are prone to open source solutions, we have to admit that most of the tools used are based on closed source software. How to rate the security of those applications? That was the topic covered by Michael Thumann. One problem today is the “webification” (what a scary word) of applications. Security of web applications became a hot topic and is more and more correctly addressed (let be positive, can we?). But what about all the components running on “closed source” solutions beyond the web application? There is a clear lack of tools to test those solutions. Standard approaches are:
- Reverse engineering : requires high skilled people and lot of time. All components must be analyzed (.exe, .dll, …).
- Sandboxes : useful to detect backdoor or targeted attacks.
- Fuzzing : Common approach now but is also time consuming and each interface must be fuzzed.
An alternate approach is to base the code quality on a metric. Metrics are common and easily comparable (20 > 10, no debate possible). But what to measure? Compiler options, Visual Studio version, signs for code obfuscation, import tab, … are good indicators. Once the measures are done, how to weight the results? By implementing some mathematical formulas. And finally, the analyze must be portable (to Linux or MacOS binaries). It must be operating system independent. A live demo was performed: several files were scanned from different sources (from anti-virus vendors, Windows XP, 2008 and well-known malwares). Binaries from 2008 are much more safer (based on the metric computed by Michael’s tool – tticheck) and almost all malware binaires where reported as “bad”. This is an interesting approach to rate close source applications, especially with a hugh gain of time.
And finally, last minute planning change. Job de Haas presented his work about “Side channel attack of embedded systems“. Embedded systems are based on micro-controllers (USB sticks) or processors (game console, DVD players). Side channel attacks are based on time, power consumption, electro-magnetic radiation, light or sound. Data can be collected by statistics. After a comparison of both types of devices, Job performed live demos. First, how to create the optimal environment to discover a vulnerability. Steps:
- Control the crypto
- Linking data and measurements
- Efficiency of acquisition
- Increased speed vs. increased complexity
After a review of different attacks, how to assess the security of a device? There are hardware countermeasures available (random interrupts, shielding, …) and software (randomization, protocol design, …)
Voila, the first European edition of HiTB is over! I’d like to thank again @fish_ for the access to the conference. Let’s hope that HiTB will be back next year. I liked the main room with the coffee and hacker spaces. Good ambiance, lot of discussions with nice people.
Now that all the Dutch people are watching the world cup on television, it’s time to go back to $HOME
Related website:
Hack in the Box Day #1 Wrap Up
The first day of the HiTB security conference is already over! HiTB (“Hack in the Box“) organizes conferences for a while in Dubaï and Kuala Lumpur but this is the first time that an event is held in Europe and not too far from Belgium. I left home very early this morning to avoid the traffic jams to Amsterdam.
Registration done, some coffee with known people and ready for a day of technical talks about risks on the Internet. A welcome message was presented by Rop Gonggrijp, founder of the dutch magazine Hack-Tic and later of XS4ALL, one of the first Dutch ISPs. He spoke about the growing amount of information collected by companies and government agencies and the associated risks.
Rop’s introduction was immediately followed by the keynote of Dr Anton Chuvakin. The topic was the “security chasm“. It was a long presentation about the different security approaches: one about “improving the security” and the other about “cleaning up the mess“. What’s the job of security professionals? To ensure that the business runs and if they don’t succeed some regulatory body would come and beat them up. He also compared the security to the seat belts: Do you prefer the death or a risk of 50€ fine? Theoretical but interesting presentation.
Then, the technical talks started after a short break. The first presentation I attended was the one of John ‘Kanen’ Flowers about his Kane|Box. John briefly reviewed the big steps in the history of security (from the Phrack and 2600 magazines, the BBS, vulnerabilities, exploits, etc). Today’ main problem concerns the security tools available: they are based on 10+ years old logic. Some big names became commercial (like Nessus or Snort) and commercial software are very expensive and, sometimes, with bad results. One of the fact is: “Your network is unique and constantly changing“. That’s why he decided to create the Kane project. This is an open source (and he insisted on this point!) vulnerability and exposure framework which uses statistical information to detect security issues. Instead of being signature based, it learns patterns from behavior. Why is it open source? John’s point of view is: “Don’t trust anything if you can’t fully understand how it works“. The software is:
- made for actual users
- affordable
- should do everything
- proposes multiple interfaces (web, console)
- and … anyone can make it better.
The solution is available as a pack “software + hardware” for a very low price (more information: www.kane-box.com). Note that the software is also available as a VM image.
With Fyodor Yarochkin, we dived into the Russian underground forums. He analyzed with a colleague, dozen of Russian web forums and tried to discover and understand the hacker’s culture. First, Fyodor explained the difficulties. Everything had to be analyzed manually due to the language used by the hackers (specific terms, no standard formats, etc). What the study revealed?
- It’s a business (100% money driven)
- The classic targets remains the average PC users (read: your Dad and your Mum)
- Attacks are: extrusion, job recruitment, services and offers
- Virtual money is used and washing money processes are developed (ex: via iTunes card, Skype credits, …)
If you need money and have ideas, you win! Everything has a price and can be sold: passports, credit cards, SIMM cards, … Example: a Dutch passport is already available for $8000. Even “packages” are sold (1 passport + 1 cc + 1 SIMM). Perfect to build your new fake identity. Network “services” are also for sale. How much does it cost to bring Twitter down? $80/day!
The first talk after the lunch was about mobile phones. As the Internet traffic generated from mobile devices is constantly growing, it is clear that such devices became interesting targets. There was two concurrent sessions related to mobile devices security. I attended “Hijacking mobile data connection – State of the art”. The second has been resumed on securitybananas.com. The goal of the hijacking session is to reconfigure the mobile device to force it to redirect all its HTTP(S) traffic to a proxy. This is completely transparent for the end-user! But, it happens always due to an unsecure behaviors like by accepting a SMS message spoofed from the mobile operator or by installing a suspicious application. Two types of devices were covered: the iPhone and Android platforms. The speakers (Roberto Gassira & Roberto Piccirillo) gave lot of details about the way the malicious SMS are generated. The goal is to let the mobile phone owner to load a new profile which will reconfigure the network settings as silently as possible. Once done, an Apache server with mod_proxy, mod_security and SSLstrip will do the job. All traffic will be redirected to the proxy and can be decoded. It’s also possible to perform injection of code. For the Android platform, this can be achieved via a rogue application signed and uploaded on the Android market! According to the Google contract, an attacker is free to publish an app that change settings. The ultimate solution to protect you is maybe to run your own base station?
- (Click to enlarge)
“Owned live on stage – Hacking wireless presenters” by Niels Teusink. Wireless presenters are the speakers’ best friends. They are easy to browse thru slides but, if you analyze them, they can also be a potential issue. At operating system level, the wireless presenters are detected as a regular keyboard! Even if they have a limited set of keys, this means that they could potentially send any type of keystroke to the computer. That’s what investigated Niels. He focused on a well-know model from Logitech. Using USBee SX, he performed some reverse engineering to understand the protocol used to send data to the host. Once successfully done, he created his own wireless presenter based on an Arduino micro-controller. The demo was funny: Step one, search for available hosts with an USB remote control dongle. Select the right channel and just send your sequences of keystrokes. The demo used MetaSploit and VNCconnectback.exe to gain a remote access on the host. But a lot of other attacks could be easily performed: open sessions to other computer resources (FTP, SMB, etc), create user accounts. Nice research. What are the countermeasures to prevent this type of attacks? Of course, encryption and use specific protocols and not dumb keyboard codes.
After a coffee break, last talk of the day: FireShark. Today all websites are potential targets, even big names. In 2009, the amount of compromized websites increased by 225%! Fireshark project has been founded by Stephane Chenette. It was the same presentation has the one done during BlackHat Europe in Barcelona.
- (Click to enlarge)
In parallel to the talks, lightning-talk sessions were organized, a CTF contest, lot of demos made by international hacker spaces. There was also a nice social engineering concept: Very nice “girls in black” trying to convince people to register on www.hitbjobs.com. Safe or not?
The venue is very good. Wi-Fi coverage, coffee, sweeties, air-conditioning (mandatory with the current weather) and enough power cables! The HiTB team did a good job! After the official day, we went to the center of Amsterdam with some HiTB volunteers for a cool lunch.
If you want to follow the presentations and what’s happening “life”, follow the official Twitter hashtag: #hitb2010ams. Nice initiative from the organization: presentations are released on the website a few minutes after the talk (the material is available here). Stay tuned for the second day!
