Hack in the Box Day #2 Wrap Up

Second day is over! And with the same fun as yesterday. After a (too short) night, some coffee was welcome just before the keynote presented by Mark Curphey from Microsoft. Mark revealed 10 crazy ideas that might change the information security industry with a little cost in money but a big impact (like the OWASP project). Here is his wish list:

1. Adopt the Chinese medicine business model: Pay the doctor when you’re healthy!
2. Stop human pattern matching: The human brain is not performant enough for that!
3. Community driven statistical modeling: Formulas exist in lot of domains (ex:  even to compute the wine quality). Where is the security equivalent?
4. Teach kids computer security (Hackety Hack! is a nice project)
5. Make developing countries center for security excellence
6. Make hacking a competitive sport (like CTF contests)
7. Connected information security framework (not enough interaction between existing databases or tools)
8. Embrace design driven security (more features added to security product may result in a total mess)
9. Crowd source access control
10. Adopt agile mindset (agilemanifesto.org)

Brilliant presentation by Mark. As he said in the beginning: “No bullet points, no compliance, no PCI, …“. Just facts!

During the first set of talks, Roelof Temmingh presented Maltego v3. (Breaking news: the free version of Maltego will be available in a few days and will have less restrictions than the previous version!). As I already followed Roleof’s presentation during BlackHat Europe, I decided to attend a session about SAProuter: “An Internet window to your SAP platform” by Mariano Nunez Di Croce. I don’t have any experience with SAP but it can be useful to understand how vulnerable it is (as SAP is deployed in most big organizations). Mario reviewed the current security landscape for SAP product. It is clear that more and more vulnerabilities were discovered and the trend continues. Then he explained what is SAProuter. This is an application acting like a reverse-proxy which is used to give access to SAP resources for external partners like consultants or developers but also to the SAP support for remote management. That’s why SAProuter is a mandatory component in your infrastructure. Often people say: “My SAP is not available on the Internet” but have a look at the following Google query: inurl:/scripts/wgate. Even if SAProuter includes some security checks, they are sometimes badly configured or not configured at all.

BizSploit is an ERP penetration testing framework (“MetaSploit alike”) developed and used by Mario’s company to help assessing the security of SAP systems. BizSploit allows to scan, discover SAP resources and perform brute force attacks thru the SAProuter application. Even more funny it can also act like a SOCKS proxy and potentially forward traffic to ANY service on ANY host in the organization of the SAProuter is not properly configured. After the offensive part, Mario switch to the defensive part and gave some ways to increase the SAProuter security. It was a cool presentation. If you have to assess SAP environments, I recommend you to have a look at BizSploit.

Chris Hofmann, from Mozilla Corp, spoke about the future of Firefox (version 4). As the browser becomes more and more the primary tool to access applications and resources, it is clear that security is critical. Mozilla focuses on the following points:

• Security
• Stability
• Compatibility
• Memory use
• Speed
• Features

Chris reviewed the current security program developed by Mozilla to keep the security to the highest level (example: the Mozilla’s Bug Bounty Program). In the second part of his talk, he presented the future Firefox 4 (actually in beta-phase). To be kept in touch with new beta, releases etc, keep an eye on developer.mozilla.org/devnews/. What’s new in Firefox 4?

• Support for HTML5
• WEB Sockets
• Retain layers and layers contents
• CSS transitions
• WebM, 64bits builds

CSP (“Content Security Policy“) is a new feature to help the web developers. Remember that the web was not designed for user generated content. XSS attacks are still an issue as there is no way for the browser to differentiate the legitimate and injected content! CSP helps the browser to decide what to do with the content:

• Identify the abnormal behavior (what’s allowed and where it must come from)
• Specify a policy file
• enforce or just catch and report

Here are some basic examples of policies:

     allow 'self'

     allow 'self'; frame-src ads.net

     allow 'self'; img-src *;
     object-src *.teevee.com;
     scripts myscripts.com;

This sounds like an interesting feature but, as usual, it must be used in the right way. Same as a firewall, if you define a rule “ANY:ANY permit”, you loose all the benefits! This is one feature that you have to keep in mind in the coming months.

After the lunch, Fyodor Yarochkin came back (he already talked about the Russian underground activity yesterday) with a new topic: “Xprobe-NG – Building efficient network discovery tools“. Fyodor is participating into this project and covered the current improvements done on his tool. Xprobe started as a project to perform remote fingerprinting using ICMP queries. Others protocols were added later (fuzzy fingerprinting). The NG version explores other protocols, performs bulk scanning, supports IPv6, honeypots. The results are also improved by cross-correlation over time (between the layer 7 and the network layers). The “enRoute” module findings are: caching systems or transparent proxies, L7 switches, reactive IDS/IPS, application firewalls. The honeypots module is able to detect virtual machines or networks and incomplete services by analyzing the IP flows.

Improvements of the new version are:

• Minimizing the network load
• Improving the precision (via the cross-correlation)
• Improving the usability (via language extensions in Python

Future developments: collect multiple dimensional data (time – sources – targets).

Even if lot of us are prone to open source solutions, we have to admit that most of the tools used are based on closed source software. How to rate the security of those applications? That was the topic covered by Michael Thumann. One problem today is the “webification” (what a scary word) of applications. Security of web applications became a hot topic and is more and more correctly addressed (let be positive, can we?). But what about all the components running on “closed source” solutions beyond the web application? There is a clear lack of tools to test those solutions. Standard approaches are:

• Reverse engineering : requires high skilled people and lot of time. All components must be analyzed (.exe, .dll, …).
• Sandboxes : useful to detect backdoor or targeted attacks.
• Fuzzing : Common approach now but is also time consuming and each interface must be fuzzed.

An alternate approach is to base the code quality on a metric. Metrics are common and easily comparable (20 > 10, no debate possible). But what to measure?  Compiler options, Visual Studio version, signs for code obfuscation, import tab, … are good indicators. Once the measures are done, how to weight the results? By implementing some mathematical formulas. And finally, the analyze must be portable (to Linux or MacOS binaries). It must be operating system independent. A live demo was performed: several files were scanned from different sources (from anti-virus vendors, Windows XP, 2008 and well-known malwares). Binaries from 2008 are much more safer (based on the metric computed by Michael’s tool – tticheck) and almost all malware binaires where reported as “bad”. This is an interesting approach to rate close source applications, especially with a hugh gain of time.

And finally, last minute planning change. Job de Haas presented his work about “Side channel attack of embedded systems“. Embedded systems are based on micro-controllers (USB sticks) or processors (game console, DVD players). Side channel attacks are based on time, power consumption, electro-magnetic radiation, light or sound. Data can be collected by statistics. After a comparison of both types of devices, Job performed live demos. First, how to create the optimal environment to discover a vulnerability. Steps:

• Control the crypto
• Linking data and measurements
• Efficiency of acquisition
• Increased speed vs. increased complexity

After a review of different attacks, how to assess the security of a device? There are hardware countermeasures available (random interrupts, shielding, …) and software (randomization, protocol design, …)

Voila, the first European edition of HiTB is over! I’d like to thank again @fish_ for the access to the conference. Let’s hope that HiTB will be back next year. I liked the main room with the coffee and hacker spaces. Good ambiance, lot of discussions with nice people.

Now that all the Dutch people are watching the world cup on television, it’s time to go back to $HOME 😉

Related website:

• The conference material