HITB Amsterdam 2013 Day #2 Wrap-Up

And we are back for a second day full of fun and pwnage! It was a rainy day on Amsterdam today but water will not prevent hackers to meet again! I joined the hotel for the breakfast in time.

The keynote to open the second day was presented by Bob Lord, Director of Information Security at Twitter. The title was “Rethinking the front lines” or hacking the enterprise, social engineering your company’s culture. Bob started with a joke about a man looking for his keyson the street to introduce the streetlight effect. With his keynote, he explained how security is improved at Twitter on a daily basis (from an employee point of view).

We spend a lot of time (read: too much) to search for tools to better protect us: “Do I need an IDS?” or “How to protect me against this?” are common questions but is it a right way of working? What are the common problems? Some examples:

• Lost laptops
• Bad passwords
• Password reuse
• We tend to focus on glamorous attacks

We’re so tools focused, we forget the humans! Infosec pros have given up. There is always a debate about security via articles, round tables, etc. For Bob, a fact is that the industry ($VENDORS) is spending time talking about tools, technologies and not real problems. Security awareness trainings are interesting but only if they give correct tips. Bob gave another example with a friend explaining how he learned to pick up a “good” password in a training: pick up a dictionary work and replace ‘a’ with ‘@’, ‘l’ with ‘1’ etc… No comment! Security awareness trainings are imperfect. An informal training is better. There are needs for a culture of security instead of training them. Small changes may have a big impact on security. What about our habits? If we do our job right, users will be correctly protected. The Twitter’s culture is:

• There are more new people than old people
• Keeping the good stuff
• Twitter core values
  • Grow our business in a way that makes up proud
  • Innovate through experimentation

Try to build a culture based on “Yes… If…“. and be rigorous!  Than Bob explained how to make a good training. Select the right people (ex: new hires) and performs the training itself. Don’t forget to explain why it’s important and take time to measure the value. Note that the password problem is the same for information secuity professionals too. What about password managers? You have to know what do users really do. Are they trained to use it? It’s not just a copy/paste tool. Having a phishing strategy inside your organisation is a good idea. Phish, wait, re-phish and hope the number of victims gets smaller. Interesting fact: there are gender differences in phishing campaigns. Implement some kind of SALC “Security Awareness Life Cycle“. Talk to your users, best place is open spaces like cafeteria. Ask “dump” questions and listen. Can be interesting. People hired by Twitter must use the password vault. The usage of password vault is not easy and new users have to survive critical weeks but once over, they adopted it. The fact that Twitter is a “IT” organisation explains why the password vault has been adopted by users. I doubt about the same result in a classic company (non IT).

The fist talk in my schedule was “How I met your modem?” presented by Peter Geissler and Steven Ketelaar. DSL devices are common in all homes today. Are they really secure? It started with an overview of the devices.

First, they are regular computers: They can execute code! The modem used in the presentation was the Zyxel P-2601HN-F1 (a very common one). Its basic features are routing DSL traffic, NAT, VoIP and firewall. Management is performed thought HTTP, SSH (telnet). Command line access is provided via ZyShell, a limited shell that allow to control modem specific features. The HTTP interface is very user-friendly interface. You can “see” your network topology. A ping.cgi is available as diagnostic tool. By using a simple “;”, it was possible to perform command injections as… root! The speakers created a simple exploit to enter command via the ping.cgi. Hugly but it worked! Netcat was available on the router. Don’t ask why! The next step was to evade the restricted shell by replacing the passed and shadow files to be able to log in as root. Locale vulnerabilities are cool but remote access is better! The speakers focussed their research on the TCP port 7676. This one is reserved for TR-069 connection request port. The CWMP protocol is used for provisioning and configuration deployment. On the Zyxel, this post is available to anybody but HTTP authentication is required (password unique per device). They explained step by step how they find interesting URLs available and how to abuse them. To achieve this, they install the required tools to run a debugger on the modem (using buildroot). They found a buffer overflow and wrote an exploit. After a detailed review of how to manage ROP on a MIPS infrastructure, they performed a demo and got… a root shell! Port 7676 was available to anybody. They contacted the KPN CERT. They rolled out a new firmware. Everybody was happy!  But can more be achieved? Like HTTP snooping or voice call eavesdropping? VoIPong was not directly suitable but could be adapted. A very nice live demo was performed. The audio quality was enough to understand the conversation and get the secret code! 😉 Conclusion: the modem is running Linux so tons or more “fun” is possible (IPtables, Botnet, DDoS, expensive outbound calls, etc). Kudos to KPN who was present in the room and thanked the speaker with a nice t-shirt for their research! Keep in mind: “A different architecture or obscure software won’t stop a real hacker”. A cool talk to start the day which prove again that any device can be hacked.

The next talk followed immediately with some fun about electric cars. “Who Can Hack a Plug? The Infosec Risks of Charging Electric Cars” by Ofer Shezaf. HITB is a great place for this talk because Amsterdam has a good infrastructure to electric cars. If you walk thought the city, it’s easy to find public charging stations. A station for electric cars do not only charge but “smart” charge. It’s not just a plug in the wall. There is no plugs on streets and even, who will pay for them? Not everybody could charge his car at the same time! Green energy is not available all the time (rain on Amsterdam today means no solar power). Charging an electric cars depends on many parameters. Computers are used to manage them and computers… can be pwn3d!

They are different models of charging stations. Such stations is “a computer on the street“. Most of them are running Linux. They have LCD screens, RFID, GSM/WiFi (communication modules) but also electrical components. In fact it’s even more, it’s a network on the street. They are connected to a central management system. What are the vulnerabilities?

• Physical access. Remember that those devices are publicly available on the street.
• Short range communications (RS-485). Used to connect all charge stations, based on Modbus (via one cable).
• RFID

What are the protocols used in charging stations? There are communications between the station and the central management but also between the station and the car. Web and mobile controls are implemented to help customers with regular tasks. The human factor: maintenance!  Open the box, place a DIP switch to configuration mode, connect a cross cable, open your browser and point it to 192.168.2.2 (for en EVSE controller). Denial of charging/power service? Imagine no electric car can charge for one day when they are 30% of the national fleet. Like yesterday, this is scenario like Die Hard 4. At this moment, the risks remain low but what will happen when electric cars become a reality?

After the lunch break, we started again with three speakers (Andrew Petukhov, George Noseevich and Dennis Gamayunov) who presented a hot topic: “You Can be Anything You Wants to Be: Breaking Through Certified Crypto in Banking App“. An RBS (“Remote Banking System“) uses crypto for non-repudiation, to authenticate and add protocol security. It complies with the Russian Central Bank regulations and seems (!) to be unbreakable. They successfully bypassed the non-repudiation process, bypassed the second authentication layer and were allowed to login with any valid user. But they didn’t break the crypto. How? It started with a pentest request from a bank. Some classic web vulnerabilities were found.

They reversed the client software. The protocol used was customer (read: no doc available). This could require a lot of time to debug this stuff. The client used shared libraries for crypto operations. They defined hooks on the library API calls and were able to read what was normally encrypted. After explaining how to bypass the crypto stuff, they performed a live demo. The demo has a poor quality: lot of details were obfuscated due to NDA and the rest was in Russian… Often, there is one talk that leaves me with a strange feeling. Today, it was this one.

Then, a second talk about cameras was scheduled (see my yesterday wrap-up) but this time the target was surveillance cameras. Sergey Shekyan and Artem Harutyungan presented “To watch or Be Watched: Turning Your Surveillance Camera Against You“.

How to remotely access surveillance cameras? The first step was to find the right cameras to focus on. How? Just check out Google and count the number of returned hits. Usually, cameras stream live, use FTP servers, send emails but can also contain interesting data like MSN credentials. The model of their choice was the Foscam F18910W. It runs uCLinux and the board support package is available from the board vendor (always good). Software components are:

• The system
• The web UI
• The settings

All communications with the camera is performed in plain-text, as usual I should say. After the review of the core features, the speakers explained some vulnerabilities found:

• Authentication bypass / privilege escalation. It was easy to get a dump of the memory by sending a specific HTTP request. (CVE-2013-2560)
• CRSF

By dumping the camera memory, if was possible to get the admin password. The next step was how to find cameras? Shodan is your best friend. What can we do once owned? It’s just a Linux box online on the Internet. The sky’s the limit (grab video stream, host data and malwares, setup a bot, attack the victim’s browser (think about BeEF). Some numbers: 83K HTTP cameras were found in the wild and the top countries were: USA (16K), Germany (15K) and France (13K).

Funny, in stores, cameras are sold as “security devices“. DDNS can help too to find cams. Most vendors offer DDNS services like:

• xx#####.foscam.org
• xxxx.ipcam.hk
• x####.aipcam.com
• ####xxxx.nwsvrl.com
• x#####.myipcamera.com

Some stats for myfoscam.org:

The presentation ended with some demos: Create a backdoor, add a user on the camera, add hook to victim’s browser and host a proxy on the camera. Nice idea to host a proxy on the cam! If it detects a proxy req (CONNECT), it forwards otherwise,  displays the regular WebUI Good talk in general.

My last choice was “Terminal Cornucopia” by Evan Booth, the only speaker wearing a tie ;-). Evan’s research was about items that are sold in airports can be used to build dangerous stuff.

Everybody knows that airport security is important. The scope was to use only stuff that can be bought after the security checks. The basic attack vectors were: injure people, create panic and confusion, damage the aircraft. Inspiration came from the Mythbusters or McGiver, those guys are building anything with a few stuff. Evan showed demonstration video of many self-made weapons. The second phase was to create a self-burning suitcase. The talk was really amazing. There were too many examples to describe here, I suggest you to have a look at the slides. The best talk of this conf.

For the last keynote, the floor was to Winn Schwartau with “The History of the Future of Infosec“. Winn is a showman with many years of experience in information security. For years we use the same technologies but they still don’t work properly.

We need to rethink this! Different security domains are scaring:

• The humans
  • Ignorance (apathy & arrogance)
  • Dirty 4-letter words in infosec? “user” and  “root”
  • There is a failure to profile insiders (this is prohibited by laws in most countries)
  • Lawyers are a pain! Why is it so difficult to fire somebody who make a mistake?
  • Same for cyber-weapons, we can’t defend by ourself
• Technical stuff
  • $VENDORS bother Winn 🙂
  • The weaponisation of the Internet is a fact. Any technology created by humans can be used as a weapon.
  • “Fortress mentality” is bad: Do you want a bad guy in your chocolate shop? Why not, if he buys some. Behaviour is a key!
  • Complexification: users receive too complicated tools or interfaces
  • Binary degradation is epic fail. No fall-back in most organisations. If the network is down, the business is down. Pen & papers could still be useful tools.
  • Cloudbursts
  • Mobile devices and Internet of things
  • Sandboxing and containers is good but all stuff is stored on the same device. What if the device died?
  • Future fear! No more privacy at all?

Capability, intent and will are three key components for success. The future will bring many new technologies and we don”t have any clue how they will work. Winn was an amazing keynote speaker… Nice slides, examples and stories. 

It’s already over, the conference ended with the classic closing ceremony with the whole team. Thank you guys for accepting me as media, for the professionalism, the content of the conference and the relaxed atmosphere! See you in 2014!