I’m just back from Amsterdam, where the 5th edition of the OWASP Benelux Day was organized. This was already my third visit to this event, and I have now finished my Benelux tour: Luxembourg in 2011, Belgium in 2012 and the Netherlands this year. The Amsterdam RAI is a very nice location for events but also an expensive one: the event was reduced to a single day (no training) and there was no WiFi for the attendees. But who cares? After all, we attend conferences to listen to speakers and not to surf the web…
As usual, Seba opened the event with the classic OWASP updates. He gave some feedback about AppSec USA (which took place last week). If you’re interested, a YouTube channel is available with all the talks (43!). A new guide is available: “Application Security Guide for CISOs”. It explains the reasons for investing in application security, how to manage application security, and metrics. The AppSec Newsfeed is back and the podcast (managed by Jim Manico) is still alive. As you can see, there are plenty of interesting sources of information.
The keynote was presented by Jan Joris Vereijken, Chief Security Architect for ING. The topic was computer fraud. For Jan Joris, fighting fraud is very difficult and fraud can’t be stopped. His approach is to make fraud unprofitable. To achieve this, we have to get into the fraudster’s mind. Think about authentication: for years, banks improved the way users authenticate, using tokens, etc. But this does not protect them against fraud; it is a fail! A nice example was demonstrated with real screenshots from an infected customer. The malware injects HTML code into the page and displays a new rogue incoming payment. Then the fraudster calls the victim and asks him to refund the money (“Sorry, it was a mistake”). Result: the customer sends HIS money to the fraudster! Pwn3d!
Jan Joris’s job is to implement detection mechanisms to prevent this. This can be performed at multiple levels: customer devices, fraudster watch, network layer, application layer or transaction domain. To achieve this, correlation might help. Think about a login to the eBanking website from Nigeria. This looks clearly suspicious. But if the customer used a local ATM in Nigeria and then connects to the website, this is normal behaviour! For Jan Joris, a better authentication will be: let the customer in and let him tell me what he wants to do! Not sure that regulators will like this…
Then he explained a difficult step in the fraud process: recruiting mules. Infecting computers is much easier than finding good mules. Why is the fraud ratio so low? Because fraudsters lack mules to transfer the money. Fraud in banks follows a cycle: when a bank implements a new security control, fraudsters move to the next bank until it also increases its security, etc. And mules cannot be used across multiple banks (or countries). Note that ransomware is a nice way to get money without the help of a mule: the money is sent directly to the fraudster.
And what about big corporations? Why are they less targeted? In fact they use the same technology as individuals to transfer money, but the difference is the amount of money authorized per transfer. For a customer like us, it’s 50K/day. For a big company like Shell, it’s 10M/day! The problem is (again) to find mules: who will accept a transfer of x million $? Note that Bitcoins are on the list of potential threats for banks (they can also replace the mule). Finally, Jan Joris explained why ING pushes more and more customers to use mobile applications for their banking operations. In fact, it is much safer! Why? Developing malware for an app requires a lot of investment (time/money) and will work only for one app. Once the problem is fixed by the bank, the investment is lost. This keynote was very good, with relevant information from the banking landscape.
The first regular speaker was Tom Van Goethem with a presentation about the well-known CMS WordPress: “Remote code execution in WordPress”. With 60M websites, WordPress is definitely a nice target for researchers. Some stats: in 2004, 435 CVEs were published, and only 16 in 2013. Tom’s research has been released as CVE-2013-4338. It’s important to remember that most vulnerabilities are introduced by plugins. There are thousands of plugins available for WordPress; always be careful when choosing yours!
The vulnerability was introduced by the combination of a PHP object injection via unserialize() and MySQL’s UTF-8 support. Tom explained why in detail. First, PHP recommends never passing user input to unserialize(). But due to poor UTF-8 support in MySQL, it is possible to reach this function with attacker-controlled data. MySQL supports UTF-8, but its ‘utf8’ character set uses only the first three bytes of a character. What happens with the 4th byte? To handle it properly, tables must be created with the ‘utf8mb4’ character set. This is not documented by MySQL! The vulnerability in WordPress is based on the fact that user meta data (first name, last name, contact info) stored in wp_usermeta (default character set: utf8) can be serialised. When stored in the DB it is serialised, and when retrieved from the DB it is unserialised(). Tom explained step by step how he wrote a payload to trigger this issue and execute remote code. More information is available on Tom’s blog.
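As an added illustration (not code from Tom’s talk or from WordPress), the following Python simulates what a legacy MySQL ‘utf8’ column does to a PHP-serialized string that contains a 4-byte character, and shows the two defensive checks a developer would want: an integrity check on the stored record and a rule that rejects supplementary-plane characters unless the column is utf8mb4. Function names are hypothetical.

```python
# Added example, not WordPress or MySQL code: models the 3-byte 'utf8'
# truncation behaviour described in the talk and the checks that catch it.
# All function names are hypothetical.


def php_serialize_str(value: str) -> str:
    """PHP serialize() layout for a string: s:<byte length>:"<text>";"""
    byte_len = len(value.encode("utf-8"))
    return f's:{byte_len}:"{value}";'


def legacy_utf8_store(value: str) -> str:
    """Mimic a non-strict MySQL 'utf8' column: it only understands 1..3-byte
    sequences, so the value is cut at the first 4-byte character
    (code point above U+FFFF) and everything after it is silently dropped."""
    for i, ch in enumerate(value):
        if ord(ch) > 0xFFFF:
            return value[:i]
    return value


def serialized_is_intact(stored: str) -> bool:
    """Integrity check on a stored s:<n>:"..."; record: the announced byte
    length must still match the body, which truncation breaks."""
    if not stored.startswith("s:") or not stored.endswith('";'):
        return False
    n_text, _, body = stored[2:].partition(":")
    if not n_text.isdigit():
        return False
    return len(body[1:-2].encode("utf-8")) == int(n_text)


def safe_to_store(value: str, charset: str = "utf8") -> bool:
    """Defensive rule: with a 'utf8' column, refuse any value containing a
    supplementary-plane character; 'utf8mb4' stores all 4-byte chars."""
    if charset == "utf8mb4":
        return True
    return all(ord(ch) <= 0xFFFF for ch in value)


# Constructed sample: an emoji (U+1F600) is a 4-byte UTF-8 character.
SAMPLE = "ab\U0001F600cd"
```

Running `legacy_utf8_store(php_serialize_str(SAMPLE))` yields a record whose length prefix no longer matches its body, which `serialized_is_intact` rejects; `safe_to_store` refuses the value up front for a utf8 column.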
The next talk was also about a famous CMS: SharePoint, developed by Microsoft. Jan Phillip and Alexios Fakos (both from n.runs) reviewed interesting information about SharePoint security. Many companies use it but deploy it in the wrong way… read: in an unsafe way! SharePoint does everything (as the vendor says). Its goal is to share data quickly. So, when you face a SharePoint instance during a network assessment or pentest, how do you deal with it? That was the goal of the talk. First, the security model used by SharePoint was reviewed. It is based on objects (the central administration site, the web/service applications, site collections, sites and site components). Separation of duties is available. Normally SharePoint is an internal application, but more and more instances are facing the Internet. Most instances are deployed with the standard wizard and this introduces security issues:
- The SharePoint Designer is enabled (like “FrontPage”)
- Legacy protocols are enabled (CGI, ISAPI, etc.)
- Standard search & crawl are enabled
An interesting extension is Datapump, which allows passing Kerberos user credentials directly to the back-end database. This can result in a DoS of Datapump and the back-end SQL DB. End users can pass different credentials. An interesting talk if you need to assess SharePoint servers.
After a short lunch break, the second keynote speaker was the retired General Dick Berlijn, now working for Deloitte: “Cyber Security: What’s next?”. This was not a technical keynote but more about the context of cyber security. Two essential elements for a working society: security & trust. For him, the definition of “cyber” includes:
- All around
- Affects everything
- Energy, transport, infrastructure, banks, education, defence, media.
Cyber security is about:
- Vulnerability of and threats to networks and data
- Our economic safety
- Our national security / safety
What about the future? Imagine yourself at home at 9AM preparing a meeting. Your mobile knows that your meeting is at 10AM and calls your driverless car. The car selects the best route based on traffic jams. During the drive, you continue to work via WiFi. This is the concept of Smart-“everything”. But we must take security into account to make these services available when we need them.
A comparison was made between climate change and cyber security: if one country does its best to reduce climate change but other countries don’t, it will still suffer from the climate. Where are the responsibilities? There are different types of actors: global, regional, national, organizational, individuals. Another comparison was with highways: they are safe because everybody, at all levels, follows the rules and uses them safely. It’s time to think about the same responsibilities for cyber security. This cannot be solved with technical solutions.
The bottom line:
- Preventive measures remain important
- Monitoring & detection capabilities are essential
- Incident response will be crucial
Migchiel de Jong, from HP Fortify, presented a talk about code review. Doing this manually is useless, simply because our brain is not designed for such a purpose. Some facts today:
- One small coding error can have a big effect on security
- Typical software development practices don’t address the problem
- As a group, developers tend to make the same mistakes
- Static analysis can help to identify common security errors early
To do good code analysis, we need to know the requirements of the application. Specifications must be known. Spec + code + automatic tool = proof? Failed! Because any one of the 3 components may have errors or bugs! Then Migchiel explained how to improve the code review process and what its future will be. I was less attracted by this talk.
Nick Nikiforakis was the next speaker with “Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)”. He introduced his talk with an example of third-party content delivery via cookies. Do you have experience with third-party tracking? Today’s users know what cookies are and control them; browsers have a safe mode or add-ons to manage cookies. Some extensions like Lightbeam try to reveal trackers. But some companies really want to track users: how to achieve this without cookies? To achieve this, there are two conditions to meet: it must be difficult to detect and hard to avoid or opt out of. In 2010, Eckersley demonstrated that a browser can be fingerprinted. How? Browser flavour, screen resolution, JavaScript, timezone, list of plugins, fonts and super-cookies. Do you know that 94.2% of users with Flash/Java plugins can be identified? This is a very effective method to track users because we can’t delete what we are. And it can be used for fraud detection or paywalls! In 2012, it was already known that fingerprinting was possible. The questions are: who are the companies providing such services? There are mainly three competitors: BlueCava, ThreatMetrix and iovation. Nick demonstrated how to detect the presence of fonts without needing plugins. Native fingerprinting plugins can access some highly specific registry values (like casino or game apps). Effective proxy detection can also be implemented (by using multiple requests from JS and SWF). Nick gathered some stats on the Internet: 40 sites, mainly porn & dating. Skype.com was the highest ranking. How to see the difference between a fingerprinting service and a regular webstats service? If it checks for fonts! Finally, how to react as a user? Browser extensions that change the User-Agent but not the browser name/type: you could be even more tracked! Think about an iPhone with a desktop resolution? To conclude, fingerprinting is a real problem.
Browsers are so complex that it’s impossible to make them identical. Current browser extensions must not be used for privacy reasons. What about the legal aspect? Like preventing IP tracking?
After a coffee break, Jerome Nokin presented his research about AVs: “Turning Your Managed AV… into my Botnet”. Why AV at an OWASP event? Because managed AV solutions use central servers to communicate with clients, and they use our classic protocols. The talk was not a technical description of how they found the vulnerabilities (Jerome will release a paper soon) but of how they used them. The targets were McAfee ePO and Symantec Endpoint Protection. Today, Jerome focused on McAfee for time reasons. He explained how a classic infrastructure is built and which protocols are used between the different elements (agents & servers). Communications are based on HTTP requests and multiple vulnerabilities were found:
- First vulnerability in the XML content: SQL injection (CVE-2013-0140).
- Directory traversal (CVE-2013-0141)
- Post-authentication vulnerabilities (impersonating an agent)
What about the registration request? To register your own agent! Jerome demonstrated that the way 3DES is implemented is… a big fail. The key is obfuscated in the binary and is the same for all versions, all sites! Based on those findings, how to perform remote code execution? Let’s play:
- Method 1: SQLi / xp_cmdshell (possible, but not with SYSTEM privileges)
- Method 2: reuse an ePO feature: a registered executable used as an automatic response to “event requests”, this time with SYSTEM privileges
So, the scenario is:
- Register
- DB access
- Upload files
- Remote code exec
- Download files (just an Apache server)
How to own the workstations? Create a rogue package by updating catalog.z on the ePO server. Those are also encrypted with 3DES and we know the key. Have a look at the video demo! Jerome also did an Internet survey. What are the results? Some people expose their server on the Internet! They can be detected by the SSL certificate. Results: 1701 servers found and 50% were vulnerable (11 in Amsterdam, btw).
Conclusions: security issues exist in security products, even mature ones! They are hidden by complex protocols or structures. Do not underestimate a single vulnerability. Do not rely on the CVE score only! More information on Jerome’s blog.
The last talk was given by Victor van der Veen about the tool he developed: Tracedroid. Victor started with a review of the mobile malware landscape. Some numbers:
- 03/2012: 38K pieces of malware detected
- 03/2013: 276K
- +614% in one year, and Android is the target for 92% of them!
The idea of the project was to trace apps in an emulated environment to monitor their behaviour. Tracedroid is a modified Android OS for method tracing: a framework for dynamic analysis, to detect suspicious activity and make post-analysis easy. The scope was limited to tracing Java code because the interesting features are only accessible via Java! Applications are written in Java, have building blocks like receivers (e.g. to be notified of the reception of an SMS) and are distributed as .apk files. There are other projects like DroidBox, which injects trace methods into the bytecode; the problem is that it breaks the app signature (easily detected by malware). Another version injects tracing code into the core libraries, but only a small subset of the API is supported and only Android 2.1. The Android profiler is a method tracer for developers. DroidScope uses VMI to reconstruct instructions; it is bound to an emulator (not free).
Tracedroid (it extends Android’s profiler implementation):
- hooks on method invocations
- hooks on method returns
What is important during an analysis is the stimulation phase (to be sure to trigger some app functions). This is achieved with:
- A reboot
- Generating an incoming SMS
- Generating a phone call
- …
The project also includes a post-processing phase:
- Feature extraction (search traces for suspicious activity; this can catch 93-96% of malware)
- Code coverage computation (map statically found methods against trace output)
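An added example (not Tracedroid’s own code) of those two post-processing steps over a constructed trace: the line format, the suspicious-API list and the static method list are all assumptions made for the illustration.

```python
# Added example, not Tracedroid code. Hypothetical trace format:
#   "CALL <class>.<method>" when a method is entered, "RET <class>.<method>"
#   when it returns. Feature list, static method list and trace are constructed.

SUSPICIOUS = {  # API -> feature label (constructed, illustrative list)
    "android.telephony.SmsManager.sendTextMessage": "sends SMS",
    "android.telephony.TelephonyManager.getDeviceId": "reads IMEI",
    "dalvik.system.DexClassLoader.<init>": "loads code at runtime",
}

STATIC_METHODS = {  # app methods a static pass found in the (constructed) .apk
    "com.example.app.MainActivity.onCreate",
    "com.example.app.SmsReceiver.onReceive",
    "com.example.app.Util.decode",
    "com.example.app.Util.upload",
}

TRACE = """\
CALL com.example.app.MainActivity.onCreate
CALL android.telephony.TelephonyManager.getDeviceId
RET android.telephony.TelephonyManager.getDeviceId
RET com.example.app.MainActivity.onCreate
CALL com.example.app.SmsReceiver.onReceive
CALL com.example.app.Util.decode
RET com.example.app.Util.decode
CALL android.telephony.SmsManager.sendTextMessage
RET android.telephony.SmsManager.sendTextMessage
RET com.example.app.SmsReceiver.onReceive
""".splitlines()


def extract_features(trace):
    """Feature extraction: which suspicious APIs fired, together with the app
    method that was on top of the call stack at that moment (the caller)."""
    stack, hits = [], []
    for line in trace:
        kind, method = line.split(" ", 1)
        if kind == "CALL":
            if method in SUSPICIOUS:
                hits.append((SUSPICIOUS[method], stack[-1] if stack else None))
            stack.append(method)
        elif kind == "RET" and stack and stack[-1] == method:
            stack.pop()
    return hits


def code_coverage(trace, static_methods=STATIC_METHODS):
    """Coverage: statically known app methods seen in the trace, and the rest."""
    called = {line.split(" ", 1)[1] for line in trace if line.startswith("CALL ")}
    seen = called & static_methods
    return len(seen), len(static_methods), sorted(static_methods - seen)
```

The uncovered methods returned by `code_coverage` are exactly what the stimulation phase above is meant to drive: an unseen `Util.upload` tells the analyst which trigger is still missing.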
The inspection tool quickly analyses >100K lines of trace output using Python scripts (interactive shell + graphics module). A nice demo was performed; I especially liked the de-obfuscation of a URL… Note that you can also submit your own .apk files to an online service and get a tar.gz file with the results: tracedroid.few.vu.nl
And we already reached the end of the day! I’d like to thank WhiteHat Security for the Kindle Fire! Please don’t abuse my business card! 😉 See you next year in Luxembourg!