I’m back in Amsterdam for the third time to attend the Hack in the Box security conference! Thanks to the organizers, I received again a press pass to cover the event. Thanks to them! So, here is my wrap-up of the first day. This year, I was also present as a speaker for SIGINT. SIGINT is a bunch of “small talks between the talks” where people are free to present their research, their tool in a limited time window. After a safe travel from Belgium and the classic registration procedure, it was time for a small breakfast before the start of the busy day.
The opening keynote was presented by Andy Elis, CEO of Akamai. The keynote title was “Staying ahead of the Security poverty line“. He started with a fact: To measure the quality of your security, just count the number of phone calls you receive outside the business hours! But what’s the security poverty line? Another fact: Organizations don’t have enough resources to implement perceived basic security needs. The syndrome of security subsystems is “I can’t even do the barest minimum to cover my ass. So I’d better not do anything but cover my ass“. Then accruing Technical Debt: With every step forward, the undone work increases risks and makes future steps harder.
The value of your security can be computed with the following formula:
Value = Resources x capabilities"
Where:
resources = time + money capabilities = skill x effort x effectiveness
Keep in mind: Nobody is going to implement perfect security. This means you have no risk but doing business is taking risks! Another reference is the Peltzman effect: What your organization thinks it can get away with… If you take away risks, you’ll take more risks. Andy gave a nice example with the NASCAR races in the United States. Very popular and safe but pilots take more and more risks!
The security value and perceived risks should be in balance. Security is an habit to remove risks. What are the perceived risks vs actual risks?
Another fact: Don’t beg for money! Based on security news, people decides to spend money for security solutions! Example: Wikipedia got DDoS, we need an anti-DDoS protection. Hackers break a website, we need a WAF! That’s not the best way to implement security.
What about security awareness? The problem: auditors believe that if we just train people, we’ll get rid of problems. That’s bad. The solution is to perform simple security awareness training, web-based and automated. Don’t blame people for being pwn3d, let them share their experience! Andy’s slides are available here.
Then the real talk started. The first one was about performing Android forensic: “Turning Android inside out” by Ivo Pooters. The idea of the talk was: Can an Android phone be used to investigate a man’s death (is it a suicide?) or to investigate a data breach? Those examples were not real cases but were part of the DFRWS Forensics Challenges 2011. First step: How to perform the data acquisition? Useful data are present on memory cards (easy to read) or in the internal storage (NAND flash) with multiple partitions like /data & /cache. To make a copy of the internal flash, common tools remains useful:
# dd if=/dev/block/mtdblockX of=/sdcard/mtdblockX.img
What about the tools? There exists specific forensic tools like enCase, FTK (“Forensic Tool Kit“), Photorestore. Android uses the YAFFS2 file system (“Yet Another Flash File System version 2“). How to read such file system? Via forensic toolkits (Cellebrite UFED), via the Android emulator or load the YAFFS2 support into the Linux kernel:
Once the file system mounted, use your regular tools to find for relevant information (IP addresses, names, file names, …)
Two types of analysis can be performed:
- Live analysis: Using an Android emulator + ADB, Wireshark, Dalvik debug monitor and logcat
- Statis analysis: Retrieve the APK’s, use APT-tool to convert AndroidManifest to clear text XML. Convert dex (Dalvik VM) to regular Jar (dex2jar). Decompile using jd-gui or another java decompiler.
Then Ivo wend deeper about the YAFFS2 and explained a technique to retrieve content when the file system is corrupted. Normally, on classic file systems, even if they are damaged, it’s possible to get files back by using file carving techniques (Note that the new Android devices do not use YAFFS2 anymore but they are a lot our there). Nice presentation which proves that our preferred toys contain a lot of personal details which can be almost always retrieved using the right tools and techniques.
The next presentation was about automatic malware analysis using Cuckoo by Claudio Guarnieri. I was waiting for this presentation because I’m currently playing with commercial solutions to analyze malware and I’d like to compare them with an open source one. What are the problems with malware analysis? There are way too many pieces of malwares. Manual analysis is simple impossible. Static analysis requires strong skill sets! So sandboxes are the best solution?
- Pro: Automatic, process lot of work, usable by anyone, get the code executed
- Cons: Commercial solutions are expensive! Some portions of the code cannot be executed, VM’s could be detected and it’s difficult to successfully automate the exploit analysis. Finally, without proper consumptions of the results, it’s useless.
The preparation is mandatory to define requirements and expectations, the environment must be properly designed for data and integration with other systems or storage solutions. Some questions to ask to yourself:
- Why do you need a sandbox?
- What do you expect to achieve?
- What information is most relevant to you?
- Who will use the results?
- Which types? (PDF, browser exploits, Microsoft Office document, PHP/Perl scripts)
In most cases, Cuckoo can provide an answer to those questions. It can analyze lot of stuff, can be customized and integrated with other frameworks. It generates Win32 call traces, dropped lines, screenshots, network traffic dump and reports. It is based on three components: Scheduler -> Analyzer -> Reporter.
 Claudio performed several demos of Cuckoo analyzing different types of malwares.
- Live Cuckoo Demo
It looks to be very reliable and I recommend you to test it (who never received a mail with a suspicious attachment?). If you don’t have time to play or resources to run your own instance of Cuckoo, why not have a look at: malwr.com. This website is a front-end for Cuckoo and work like virustotal.com. You submit your files and they are analyzed. Claudio and his team made a great job. This tool is definitively on my todo-list! Note that the current version only supports Windows VM’s but they are working on MacOSX and Linux versions.
During the lunch break, I presented my tool pastemon.pl and the associated website leakedin.com. This is the second time that I present it (first time was during BlackHat in March) and I received positive comments about it. It seems that people are interested in the pastebin.com content. The session was well organized and I was very happy to see many people take time to listen to me. Thanks to all of them!
After the lunch, I attended the presentation called “Whistling over the wire…” by Arnauld Mascret. Behind this title, Arnault explained how to find interesting information from open sources (OSINT) and how to create new tools to perform the intelligence phase? He explained from A to Z how an attack can be conducted against a victim using mainly the social network Twitter and an URL shortener service. Is it possible to perform stealth targeted attacks? Yes, the main idea is to use your own (rogue) short URL service and promote it on Twitter to attract your victim to use it.
The different steps were deeply explained one by one up the live demo of the victim’s compromised computer. Conclusions for this talk: The risk is low. You need other vulnerabilities but all the tools are available and it works! Question from audience: How long does it take to realize this kind of attack? Arnault’s answer: “It depends on the victim but a few weeks at least!“. This proves that attackers have plenty of time to conduct their attacks! (compared to limited scope assigned to pentesters).
The next presentation was about digital satellite television. Adam Gowdiak gave a deep overview of the security threats in this domain. Let’s be clear: modern Set-Top-Boxes are complete computers and became more and more complex. They are online and users don’t have a clue about the risks (“Hey, it’s just television after all!“). Most of them runs on Linux with a Java VM for applications. I learned that Java Applications (Xlets) can be broadcasted in MPEG streams! Even if Set-Top-Boxes have good security mechanisms (Embedded SSL Certificates, HTTPS scheme only, chroot sandbox, IP tables, no listening TCP ports, statically linked binaries, custom JAVA file system, binary code obfuscation, etc), Adam demonstrated that they are also vulnerable.
How to get device access? Adam explained all the steps to fully pwn the box starting with a Java script injection via a rogue photos album name. He successfully executed code, accessed the file system and memory and leaked file descriptors (/dev/kmem, /dev/mtd0). A demo was the capture of some streams outside of the box. Nice talk but less interesting for me. In parallel to this one, a talk about SAP (again!) was held. To conclude his presentation, Adam expressed his curiosity about the new connected television. For sure, they are also vulnerable to similar attacks.
The last talk of this day: “Windows shopping, Browser bug hunting in 2012” by Roberto Liverani and Scott Bell. Why Browsers? Because they are everywhere and nice targets with all their extensions! This talk could be called “The browsers wall of shame!“. Roberto reviewed in details several attacks on different browsers:
- Firefox Use After Free < 11
- Maxthon – XCS and SOP Bypass
- Avant Browser XCS & SOP Bypass
- Firefox, patched in 3.6.14
- Opera Use-After-Free
- Firefox/Opera – XCS
I won’t give details about the exploits here, they are fully reviewed and explained in Roberto’s slides. Just some conclusions:
- Disclosure fail! (Opera this one is for you!)
- Bug complexity vs impact (injection bugs are simple but impact can be significant)
- Delegated security (presenting browsers as secure as IE or Chrome give false sense of security to end-users)
Last but not least, Rop Gonggrijp – a well-known Dutch Hacker & Activist – presented the closing keynote. He came in emergency to replace the scheduled speaker. Rob is a great speaker. What did he say? The repression is there! (instead of fixing the security issues) Governments dreamed of controlling us. It’s done! Are you aware of the printers yellow dots? They want total surveillance but “If cyber-crime increases by a factor of 10, can it be stopped by surveillance?” asked Rop. Data centralization is already over, we are now decentralizing everything (in the cloud). We continuously update our profiles online (linked in, twitter, etc). If you are living in Europe, you already uploading your data to a power block you don’t control. Is working for a national security agency safer than for a Romanian cyber-crime cartel? How to make the world a better place, safer? Selling security problems to nations is not responsible disclosure!
This closes the first day! Note that all presentations are made available online a few minutes after each talk. You find them here. Tomorrow, I’ll write the second wrap-up. If you need to follow real-time reactions, don’t hesitate to follow me on Twitter (@xme) or friends like @corelanc0der or @seccubus who are also covering the event. Tomorrow will be for sure the “Apple Day” 🙂