OWASP Benelux Days 2011 Wrap Up

The OWASP Benelux Days is a two-days event organized by three OWASP chapters (Belgium, Netherlands and Luxembourg). The 2010 edition was organized in Eindhoven(NL). This year, it was organized in Luxembourg. After a safe trip, sharing my car with a friend, we arrived at the Luxembourg University. Nice venue with all the facilities to make your life easier: nice room with enough power plugs for everybody, good Wi-Fi, coffee. The catering was also excellent (that’s also important! ;-))

The first day was dedicated to a training provided by Eoin Keary about “Secure Application Development“. 96 people attended the training, that’s not bad! When Eoin asked how many people are developers, hands raised up. When he asked who’s performing “secure programming“, much less hands raised. This proves that security is not yet in most developers’ mind. My feedback about the first day is a bit mitigated. First, the original training length is two days, difficult to review all the topics within one day, splides were reviewed very quickly. The morning was very “static”. Classic attacks and counter measures were reviewed. The afternoon was dedicated to live examples of attacks against a vulnerable website using BurpSuite. Bad point here, the Wi-Fi or the victim server were not properly sized and frequent timeouts made the exercises difficult to perform.

After the training, Professor Yves Le Traon came to talk about “Security Testing“. It’s a fact: Security testing must be promoted inside your organization! I liked the quote from A. Petrenko:

“In God we trust, for the rest we test“

Think about this! After an introduction about the testing concepts, more focus was given on XSS attacks and its XSS testing framework. A copy of slides about security testing is available here. Very interesting presentation. The day ended with a social event organized in the center of Luxembourg at Agua de Côco. Nice people, nice conversations.

The second day started with a presentation of the “Interdiscipliny Center for Security, Reliability & Trust” (securityandtrust.lu) and some news about the OWASP foundation. Did you know that OWASP already turned ten years? The foundation was created in December 2001. Happy Birthday OWASP! And it’s amazing to review the job performed since the creation. Some numbers:

• 15000 downloads per month
• 30000 unique visitors per month
• 2 millions hits per month
• 140 projects in 3 main areas: protect, detect, life cycle
• 220 chapters / 100 active ones

For easier administration and events organization, OWASP europe has been created in June 2011. What are the goals for 2012? Build the OWASP platform, expand communication channels, grow the community and financial stability (because money remains a key element everywhere). A very quote grabbed from a slide:

“You can’t improve what you can’t measure“

The rest of the day was dedicated to presentation covering several interesting topics. First, Brenno de Winter, a well-know ICT journalist in the Netherlands, presented a talk called “From Diginotar to Leaktober“. This was not a talk but more a story. Brenno came back on the Diginotar story, without any slides support.

This was my preferred presentation! What happened with Diginotar, why was Dutch public authorities affected by the attack, the crisis which followed. Very interesting. A good question from the audience: “Was the bad communication from authorities due to incompetence or something else?” Brenno’s answer: “Maybe both of them, they didn’t know how to handle this!”. This sounds like a good resume. Following this story, a Dutch web site decided to organize “Leaktober” event to prove that no data are safe!

After a coffee break, Justin Clarke talked about “Practical crypto attacks against web applications“. We need cryptography to keep the CIA (Confidentiality, Integrity, Availability). Based on a .Net demo website Justin showed that implementing encryption is good but must be performed in the right way. Otherwise it can be easily broken. Nice live demos were performed. The last one was how to get a configuration file from an application using weak encryption (based on the vulnerability describe in Microsoft Security Bulletin MS10-070).

Andrey Belenko presented his research about the iOS operating system with a talk called “Overcoming iOS data protection to re-enable iPhone forensics“. Forensics operations are based on three steps: Acquisition, analysis and reporting. But modern mobile operating systems prevent this by implementation security features like: password protection, key-chain, storage encryption. Andrey deeply reviewed all the security features implemented by Apple. How encryption is performed, how are managed/stored keys. Lot of interesting stuff for people who are facing issues with iPhones, iPads devices.

Koen Vanderloock came to present: “SIMBA – guarding your applications“. Leader of this OWASP project (“Security Integration Module for Business Applications“), he explained its purpose, the features, the futre and how to implement it within your application. Basically, the goal of SIMBA is to simplify the “User Access Management“. Why reinvent the wheel? (and take risks of bugs, bad-implementation). If you have to manage users, roles, access in your application, please have a look first at SIMBA. All the required information is available on simbasecurity.org.

Ludovic Petit came to speak about the legal aspects of development. His talk, called “Do you … legal?” explained what are the current legal aspect of computer crime in Europe. As a developer (or manger), if you manage data, you are legally responsible of them. Directors can be responsible for offenses committed by their organization simply because they failed to adequately, exercise their duty of care (A legal person must be responsible) and consequences can be enormous:

• Financial
• Reputation
• Prosecution

The OWASP foundation as also a legal project in 2008: The OWASP Secure Software Contract Annex. It could be interesting to have a look at it. Keep also in mind: “Security as a service and … trust as a business“.

During Ludovic’s presentation, I read a good remark by a friend on Twitter:

“#owaspbnl11 legal obligations presentation. But how many companies are prosecuted if they don’t protect datas ? None !“

That’s true! Thierry Zoller presented “The rise of the vulnerability market“. The basic of his talk: constantly monitoring the threat landscape. Targeted attacks are on the rise, hacktivists became very popular. First they are different classes of attackers:

• Opportunists (script kiddies)
• Targeting opportunists (hacktivists)
• Targeted (digital mercenaries)
• State founded (apt, espionage).

Those can be represented like a pyramid (more victims are targeted more the surface attack is reduced)

Thierry also explained very well the standard vulnerability life cycle (discovery ->notification -> disclosure -> patch avail -> patch installed)  and the associated risks (pre-disclosure risks, post-disclosure and post-patch risks). The vulnerability markets also evolved:

• From 95-2004, it was the fun times)
• Mid-2000 commercial (vendors were informed / public disclosure and a patch available)
• Late 2000, the “black market” was created
• Today, vendors are not informed, user are not informed, no patches avail.

There is a huge business today around the vulnerabilities. Companies are selling services (Secunia, VUPEN, ExploitHub). Others sell commercial exploits framework (CoreImpact). The landscape changed completely. Thierry’s concluded that the importance of skill as a factor to measure attacker sophistication decreased. What increased? The motivation, funding and hence sophistication. Just a remark about the latest slides: they were really commercial and din’t have a reason in a conference like OWASP. But this did not change my conclusion about the talk: very good analyze!

Jean-Marc Bost & Sébastien Bischof presented “The limits of eBanking“. eBanking are very complex web applications and, for a while, became also a nice target. Event if banks try to increase the security, Jean-Marc and Sébastien explained how attackers can still steal your money! First, some stats: Trojans are a realty (5% of Windows PC are infected (source: Microsoft) and 25% are affected by trojans (source: Pandalabs). About the timeline of attacks:

• 2006 (Citibank – MitM attack)
• 2007 (Malware in the browser)
• Today: MI (“malware inside“) with malwares like Spy Eye or Zeus.

Modern trojans are very complex and professional. Very difficult to detect. Example given by Jean-Marc: some of them not only inject Firefox but also the Firefox Crash Reporter to prevent disclosure of info to Mozilla! Sébastien performed a live demo which hided the Firefox process and started a rogue Browser. The main problem is, once rogue code injected into the browser, you cannot trust the display. As a conclusion, don’t forget this: WYSIWYS (“What you see is what you sign.“)

Sasha Rommelfangen, working for the CIRCL, talked about “Dynamic malware analysis – or: the ~five deadly (anti-) venoms“. I was a bit afraid while I read the conference program. This will be a presentation with slides full of assembler code. In fact, not at all! Sasha’s presentation was excellent! When you’ve to analyze a malware, they are some essential questions:

• Who’s behind the attack?
• What was the motivation? Usual cyber criminal would like to get money, governments are looking for intelligence/sabotage and hacktivists “for the lulz”
• What does the malware do? Understanding changes on the system, network activity This is a necessary step for removal
• Why should you be concerned? It might compromise servers/data centers!

There are two methods to analyze a malware. First the static analysis. It’s looking at a file and concluding about run-time behavior without running it (memory check, disassemble). What are the limitations? Packers, obfuscated code, encryption etc. The UNIX command ‘strings’ is sometimes a good start (look for interesting words like “shell“, “getf” or “putf“, etc). Dynamic analysis is much more interesting: The goal is to run the malware in a controlled environment. What are the problems? Most malwares have anti-vm checks, anti-debugging, turing’s halting problem. To perform dynamic analyzis, you first have to build your (safe) environment to be able to listen to the network, to fake network services like DNS and to accept/record all traffic on all ports. Sometimes malware are present in Office documents. I learned about a very interesting tool called OfficeMalScanner which finds shell codes in documents and extract them to build executable. Finally, the Microsoft SysInternals tools remain a classic in every analyst’s toolbox.

Last but not least, Lieven Desmet gave some results about his research on “HTML5 security“. Third-party JavaScript is present everywhere (examples: advertisements, gateway to social networks, services tracking) via scripts inclusion or iframe tags (not the same origin policy).  Lieven explained the methodology and scope of the research and of course some results The full report is available here.

That’s all for this edition! What else? There was a CTF organized the second day, the winner received a free ticket for AppSec EU 2012. Write in your agenda right now: The next edition will be held in Belgium in Leuven (KUL) around beginning of December 2012. See you there!