I’m writing this wrap-up from the Dublin airport, waiting my flight back to Belgium. This new edition of SOURCE is already over. What did we learn today?
I’m writing this wrap-up from the Dublin airport, waiting my flight back to Belgium. This new edition of SOURCE is already over. What did we learn today?
The conference SOURCE Barcelona 2011 is already over. Waiting for my flight back to Belgium, it’s time for my wrap-up! This year, an OSSEC training was initially scheduled with my friend Wim Remes but it was cancelled due to the lack of registrations. It looks that “defensive” security trainings do not have the same success as “offensive” ones. It could be interesting to analyze why! Anyway, we are ready to give the training during another conference, just contact us! (personal marketing Being free, I proposed my services to the SOURCE organizers as volunteer.
After a smooth flight to Barcelona, I arrived on Tuesday evening just in time to take part to the speakers party at the apartments reserved for the conference. That’s something really unique (from what I know) to SOURCE: speakers, crew and some participants are sharing a bunch of apartments instead of hotel rooms. That’s a unique way to meet old and new friends and to continue discussions about security topics once the talks are over (and sometimes, to have some party time – honestly )
After a long (or short – depending on the way you address the problem) night, the first day of talks started. Same place as last year: the MNAC. But something new this year: instead of split between technical and business, tracks were organized in parallel based on the language. In room #1, talks in Spanish and talks in English in room #2. Good initiative to offer quality talks to Spanish people if some were not very fluent with the Shakespeare language. That’s also the goal of security conference: offer quality content to local people who cannot always travel thousands of kilometers. As a volunteer, I was busy with the video recording of the Spanish talks. A good opportunity to increase my Spanish knowledge which was close to /dev/null. Presentations highly technical with the support of slides, it was quite “understandable“! What did I learn?
Xavier Mendes and Christian Martorella presented wfuzz, a fuzzer for web applications. The presentation was mainly a review of the core wfuzz features. I won’t list them here, just have a look on the website. It looks like a good tool for pentesters.
Manu Quitans and Frank Ruiz explained how cyber-criminals work from a technical point of view. They explained the infrastructure deployed by a bad ISP operating from Eastern Europe to deploy malwares, software packs etc. They also reviewed of the business runs on the dark side of the Internet.
Just before the lunch, Jose Selvi presented a very interesting talk about new ways to use covert-channels. In information security, a covert channel is:
“a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.” (Source: Wikipedia)
Today, classic covert-channels are usualy detectable and it became more difficult to use them. A very good example is the DNS tunneling. So, new techniques must be used to be able to safely/quietly extrude data from an attacked network. Jose explained that, again, HTTPS is a good friend. As many modern web 2.0 websites have multiple ways to generate content, why not use them as a covert-channel? For his proof of concept, he developed a nice tool called “facecat” (for “Facebook Netcat“). By using his tool, you could use Facebook as a pipe wall. Awesome demo! Follow Jose on Twitter, this is a cool guy!
After the lunch, talks started again with a presentation about the Android platform: The analyze of Android applications (“How’s your Android Kung-Fu“) by Guerrero Selma (Malware Intelligence). By reversing a malware, Guerrero explained how security features are implemented on the Android platform and how they can be avoided. He also showed a live demo of a TapJacking attack which is normally fixed by Google but which still affect most Android devices.
Jordi Serra-Ruiz talked about stenography. After a definition of “stenography”, Jordi also reviewed its history. Forever people have tried to hide messages. You know, Alice sending a message to Bod and intercepted by Eve. Several techniques were invented and using during centuries: by hiding some letters or words inside a text (and revealed using a “mask”), by using invisible ink, by using microscopic fonts. Today, in the digital era, the same problem remains but other techniques emerged. One of them is the “Least Significant Bits“, “Fast Fourier Transform” or “Discrete Wavelet Transform“. I liked the history, good idea!
Daniel Pelaez presented “Security Godness with Ruby on Rails“. This development framework became quickly popular amongst web developers. But is it secure and how to make it more secure? That was Daniel’s topic. He started with a basic introduction to RoR. Basic defense points remain the same (authentication, authorization, sanitization, etc). By default, RoR may reveal interesting/dangerous stuff: It’s easy to detect Ruby versions based on the default error pages. Then Daniel reviewed a checklist of points to address while auditing a RoR application. From my point of view, it’s just applying the OWASP Top-10. Nothing new here. Tip: there are plenty of Ruby plugins which can help you to increase the security of your web application.
Last talk for day one about the cloud computing! What a surprise! This one was more business oriented. Antonia Ramos Garcia explained what is the “rating” of something. And particularly, how to rate the risks of applications moved to the cloud? Rating can be represented by lot of symbols (“AAA”, “A1″, “A+”, etc) but everybody must agree on those representations.
The day finished with a restaurant and some drinks in the center of Barcelona.
Second short night, second day of talks! Today all the talks were presented in the same room. The first one was performed by Stefan Friedli (@stfn42). “How to NOT to do a pen test” (I liked the mention “good morning edition“). The presentation was close to the one presented at BruCON. As I missed it, it was a good opportunity to finally listen to Stefan. First approach, who need a pen test? To request a pen test, you first have implemented basic security. If your systems are not properly patched, fix your shit first! Then, what’s a good/bad pentester? How to do things correctly. A few months ago, Stefan started with friends the “PTES” project. He was involved in the “reporting” aspects. Some good examples of “bad” visualization were showed. Note that the first version of the PTES is not available for comments. Get it and review it!
Second talk was performed by Josh Pennell: “There’s an App for That“. Another talk that I missed at RSA Europe last month. Could we imagine that a few years ago: “Your smart phone has more power than all of the NASA in 1969!“. After a small history of smart phones and some market facts, Josh reviewed the actors attacking mobile devices: script kiddies, hackers and organized crime, nation states and government sponsored! Without forgetting the insiders! Mobile devices contain huge interesting data about your life! Some of them could be very valuable! Some threats are political: mailboxes monitored, mails forwarded to 3rd party servers, etc… There are also legal threats: Who owns the device? Who’s responsible for its security? How/where are stored the data? The infrastructure could also be attacked (OpenBTS). The operating systems used by mobile phones have also vulnerabilities. ALL devices have vulnerabilities and malwares (mobilespylogs.com). By default phones parse a lot of file formats by default and without user consent! (PDF, MP3, RTF, DOC, XSL etc…). This talk was excellent to discuss further about the “BYOD” (“Bring Your Own Device“) issues faced by companies.
Third talk by Iftach Ian Amit (@iiamit) about data exfiltration. First, how to break in? Using exploits! All organizations have plenty of applications, systems which can be broken. How?
SET is your best friend (a tool present on the BackTrack Linux distribution). You may also create some kind of association with your target (ex: smoking areas or coffee machine are very nice place to gather interesting information)
The next step is targeting. A goodtTip: from a defensive point of view, use the same tools as attackers to make a map of your organization across social media, search engines etc. This could reveal interesting stuff. Pay attention to : file servers, DB, file types, gateways, printers. In some cases, patience is required: There is a huge difference between APT (5-6 months to be detected) and a mass infection (5-6 days)! Finally, the third step: exfiltration of the data you found. As IDS are based on signatures, our goal will be to work below the radar. Example: by using encryption but it remains suspicious! A signature headers removal or a simple XOR will often do the job. But we are lucky: With web 2.0 tools, “resistance is futile“. It’s very easy to put data online. Open a blog, create articles with your encrypted data, get them via the RSS feed and recompose your data. Data can be printer encrypted. Often they will be compared to garbage and put directly in the recycle bin. Just grab them and use an OCR software to get the data back (another tip: choose a good font). Use Talk pages in Wiki (not displayed by default). And after all, why not send your files thru a regular phone line? We saw a demo of data2sound.py / sound2data.py. This pair of tools create a wav file from an ASCII file. It’s easy ro record the wav file on a voice mailbox!
During the lunch, I met very interesting people e.g. a guy from the Japan CERT (sorry, don’t remind his name) and a US lawyer, David Snead. David is specialized on the ISP business and presented the first talk of the afternoon with Nadeem Bukhari about legal & technical strategies addressing data in the cloud. One of the key question for regulations: When is there a breach? How to define a breach? They don’t have a unique definition! In the US, breach notification is legal! Second step: who will pay? After the theory, Nadeem explained why things go wrong. Big names were used: TJX, Amazon, Google, RSA, NASA, ESA. Regarding patching: virtual systems are 60% less secure than their physical counterparts (source: Gartner) and Deloitte said “Audit trails/logging issues” is in top-5 of internal/external audit findings. Nadeem insisted on the digital evidence of audit trails. Interesting talk…
Last minute planning change. Josh Kebbel was not available. Chris Nickerson replaced him with an awesome presentation. Fully based on funny pictures, Chris compared the attack techniques of several civilizations and countries. He said “The only patch for human stupidity is experience“. When you are attacked, you have always an advantage: you know your environment. Chris has always plenty of real-life examples like the one with is fixed roof but window left open. This is the same in information security (your users will be stupid things). Keep in mind:
What to attack?
The last speaker was Josh Kebbel who spoke about a new approach to software development at Adobe. To fight against the growing number of exploits targeting the Adobe products, they decided to set up a group called “ASSET” (“Adobe Secure Software Engineering Team“). Interesting, people participating to the program have a level identified by a “karate” belt (white, green, brown, black). Base on a “Security Certification Program“, they increase security awareness across the people. It looks like a good internal initiative to increase the security of their products.
This is over for 2011! I met new Twitter friends in real life, meat good friends, had good times not it’s time to get some sleep to recover! Thanks to the SOURCE crew for this conference!
Information security is a recurrent process. New threats arise and must be properly handled.
In Augustus 2009, I already reported a story and came to the following conclusion: The principle of “action – reaction” as described by Newton is not applicable in information security!
Here is another good example with the following post I read in a forum:
Here’s a interesting delima that I just came across, scanned pdf attachments that have privacy information, within the document.
Have anybody seen any solutions that will detect this and alert or block on this information?
I’ll post a sample of what I found during a audit so you can get an ideal of what I’m seeing. Most of the DLP solutions that I’ve seen has no engine to detect SSN/DOB within a graphical attachment or pdf for example.
A standard DLP (“Data Loss Prevention“) solution in this case will be helpless! Most DLP solutions are able to search across text documents for sensitive data. But in this case, a scanner produces a graphical representation of the data and would require the help of OCR (“Optical Character Recognition“) technologies. This would consume a huge amount of resources!
Instead of using the “action – reaction” principle, a better approach would be to analyze the data used inside the organization. When I read this post, the first question which popped out of my mind was “WTF, Why people tried to send SSN within attached scans?“. Organizations are responsible of data processed inside their perimeter and have to implement data management procedures following well-known principles like:
With the help of a deep analyze and by implementing correct upstream procedures (“at the source of the problem“) most threats could be fixed or greatly reduced. Deploying a software or hardware solution in emergency is never the right solution:
To conclude, my message is certainly not that DLP solutions are useless, certainly not! (Dear DLP v€ndor$ don’t shoot me! ) They could be very useful to detect suspicious activities but do NOT entirely rely on them! They goal is not to be used as a first layer of defense! Have a clear view of the data types used by your business and how they are processed by your IT infrastructure.
The second day of SOURCE Barcelona is already over. I’m at the airport waiting for my early flight and crossing my fingers due to the announced French air controllers strike. BruCON is now at our doors and we need to build everything tonight.
What about the second day? Well, it started with difficulty due to the short night. The “business” room was reserved for a round-table with some anti-virus developers about the product testing. This session was broadcasted live.
I first attended the talk of Josh Pennell (from IOActive) about the smart grid security. The talk could be resumed in one sentence: “It’s time to act without delay“. Huge investments have already been realized by lot of countries but (can we say “as usual”) with a lack of investments regarding the security of those devices. Josh reviewed the different types of hardware used, the software and the different applications. Some attention to the specific ones: its could be potentially possible to detect personal behavior patterns (privacy) and some smart-grid devices are used to sell electricity to producers (like photovoltaic systems). An interesting reading about smart-grid security: the NIST-7628 document.
The next talk was performed by Val Smith. He reviewed the China’s hacking community. How Chinese hackers bad guys evolved and which tools and methodology they use today. Lot of tools were reviewed.
The third talk was really interesting and directly in the scope of the SOURCE conference philosophy: “Forcing hackers and business to ‘hug it out’“. Andrew Hay and Chris Nickerson gave some pistes to increase the communication between the two worlds. In fact, security is critical for both of them but based on different views. Great talk because almost everybody can identify itself on one of the groups.
After the lunch, Bruno Oliveira and Jibran Ilyas came back on the different types of players in the security field: the black hats (who perform malicious activities), the pentesters (which evaluate security) and forensics analysis (who search for evidences). For each of them, Bruno & Jibran tried to demystify some facts. A good idea to remember: “root/administrator is not everything. It’s just a start! Data are valuable“. Bad guys are humans and make mistakes. That’s what they can often by catched!
Then I switched back to the “business” room to follow the Nick Copeland’s track. Nick is working for Fidelis and the talk was really oriented to their products. Too much commercial. I did not attend the whole track and join the major part of the audience to follow Iftach’s talk about cyber-crime. A better choice.
Wim Remes performed his presentation about SIEM environments and ten things what we are doing wrong. Wim gave nice advices for who has to start a SIEM project (and the word “project” is very important). Finally, Vincente Diaz & David Barroso presented their research about the well know forum carders.cc. If you are looking for illegal stuffs to buy, it’s the place to be. I liked the presentation of a regular user profile based on statistics.
Like said yesterday, SOURCE is a small conference and that’s what makes it unique. After the talks, Stacy (who organize the event) hold a quick Q&A session. Everybody was invited to give some feedback and some expectations for the next editions. That’s less impersonal (compared to a classic form) and help to build better events. Congratulation Stacy! Do I have to say that the social aspect was at the highest level? Lot of beers, cocktails, nice food (Barcelona is an amazing city for this) but, even more, good discussions between infosec professionals.
This week promises to be a busy one. I woke up early to catch my plane to Barcelona! The flight was delayed due to a strike in France but I arrived not too late and just missed the keynote. Barcelona is a very beautiful city and the place where is organized the conference is amazing with a nice view on the city (more pictures to come).
This is the second edition of SOURCE in Barcelona. From the organizers, the number of registrations grew from fifty to eighty. Not bad! I found back a lot of friends. After all, that’s why conferences are also organized: To keep your network up-to-date! I like the SOURCE atmosphere, not too much participants is a good point. Two separate rooms with business talks on one side and technical talks on the other one. The rooms are nice and small enough to allow interaction s with the speakers (no need to use microphones), I like that! The ambiance is very relaxing and everybody feels like home. Interesting discussions with interesting guys!
What about the talks? This first day proposed good various topics:
One of the presentation I expected (Wim Remes about SIEM) was postponed to tomorrow due to a last minute planning change. If you would like to follow the conference via Twitter, follow the #SourceBCN hashtag, we are a few to post updates. That’s done for today. Now, let’s perform some social networking at the Socko restaurant not far from the beach
In exactly one week, I’ll fly to Barcelona to attend the SOURCE Conference. Flight and hotels are booked for a while, it’s now time to prepare to cover the event. The schedule has been published for a while with a good balance between technical and business talks. Here is my wish-list. I’m leaving Brussels early on Tuesday and I hope to be present for the keynote.
Depending on the network coverage, I’ll try to publish live comments using Twitter and post wrap-ups on this blog. I also hope to broaden my social network. If you want to meet, contact me!
The next SOURCE Conference will be held in Barcelona in September (21 & 22). If you plan to travel across Europe in September, have a look at the current schedule and stop in Spain. Immediately you will notice that talks are split in two categories: “Security & Technology” and “Security & Business“.
Some security events are known to be highly technical and/or going deeply underground. But I find the SOURCE approach interesting. Why? In many organizations, security is organized and maintained by two different teams: the “t-shirts” and the “ties“. The first one speaks about “bits & bytes” while the second is more focused on procedures, compliance and those kind of funny stuff. Honestly, I prefer to wear a t-shirt. But, after some years of experience, you have to admit that both are necessary and complementary: They have to work together to keep security to the highest level. Why don’t help them to learn from each others? That’s the purpose of the SOURCE events. As explained on the website: “The purpose of SOURCE Conference is to bridge the gap between technical excellence and business acumen within the security industry. “.
While checking the current schedule, I saw amazing speakers foreseen and I already met or know personally some of them:
To give you a good example of interaction between the technical and business presentations, let’s take Wim’s and Brian’s talks. Once you deployed your SIEM solutions, it will detect abnormal behavior and generate security incidents. How to deal with them? What about the incident management procedures? Brian will certainly give you some advices. This prove that everybody must work in the same direction.
This promises to be a great cocktail (to be consumed without moderation!) :