TROOPERS 18 Wrap-Up Day #1

I’m back to Heidelberg (Germany) for my yearly trip to the TROOPERS conference. I really like this event and I’m glad to be able to attend it again (thanks to the crew!). So, here is my wrap-up for the first day. The conference organization remains the same with a good venue. It’s a multiple tracks events. Not easy to manage the schedule because you’re always facing critical choices between two interesting talks scheduled in parallel. As the previous edition, TROOPERS is renowned for its badge! This year, it is a radio receiver that you can use to receive live audio feeds from the different tracks but also some hidden information. Just awesome!

After a short introduction to this edition by Nicki Vonderwell, the main stage was give to Mike Ossmann, the founder of Great Scott Gadgets. The introduction was based on his personal story: “I should not be here, I’m a musician”. Scott is usually better at giving technical talks but,  this time, it was a completely different exercise for him and he did well! Mike tried to open the eyes of the security community about how to share ideas. Indeed the best way to learn new stuff is to explore what you don’t know. Assign time to research and you will find. And, once you found something new, how to share it with the community. According to Mike, it’s time to change how we share ideas. For Mike, “Ideas have value, proportionally to how they are shared…”. Sometimes, ideas are found by mistake or found in parallel by two different researchers. Progress is made by small steps and many people. How to properly use your idea to get some investors coming to you? It takes work to turn an idea into a product! The idea is to abolish patents that prevent many ideas to come to real products. Hackers are good at open source but they lack at writing papers and documentation (compared to academic papers). Really good and inspiring ideas!

Then I remained in the “offensive” track to attend Luca Bongiorni’s (@) presentation: “How to brink HID attacks to the next level”. Let’s start with the conclusion about this talk: “After, you will be more paranoid about USB devices“. What is HID or “Human Interface Devices”  like a mouse, keyboard, game controllers, drawing tablets, etc. Most of the time, no driver is required to use them, they’re whitelisted by DLP tools, not under AV’s scope. What could go wrong? Luca started with a review of the USB attacks landscape. Yes, there are available for a while:

• 1st generation: Teensy (2009) and RubberDucky (2010) (both simple keyboard emulators). The RubberDucky was able to  change the VID/PID to evade filters (to mimic another keyboard type)
• 2nd generation: BadUSB (2014), TurnipSchool (2015)
• 3rd generation: WHID Injector (2017), P4wnP1 (2017)

But, often, the challenge is to entice the victim to plug the USB device into his/her computer. To help them, it’s possible to weaponise cool USB gadgets. Based on social engineering, it’s possible to find what looks interesting to the victim. He likes beer? Just weaponise a USB fridge. There are more chances that he will connect it. Other good candidates are USB plasma balls. The second part of the talk was a review of the cool features and demos of the WHID and P4nwP1. The final idea was to compromise an air-gapped computer. How?

• Entice the user to connect the USB device
• It creates a wireless access point that the attacker can use or connect to an SSID and phone home to a C2 server
• It creates a COM port
• It creates a keyboard
• Powershell payload is injected using the keyboard feature
• Data is sent to the device via the COM port
• Data is exfiltrated to the attacker
• Win!

It’s quite difficult to protect against this kind of attack because people need USB devices! So, never trust USB devices and use USB condom. They are tools like DuckHunt on Windows or USBguard/USBdeath on Linux. Good tip, Microsoft has an event log which reports the connection of a new USB device: 6416.
AliExpress!

For the rest of the day, I switched to the defence & management track. The next presentation was performed by Ivan Pepelnjak: “Real-Life network and security automation“. Ivan is a network architect and a regular speaker at TROOPERS. I like the way he presents his ideas because he always rolls back to the conclusion of the previous talk. This time, he explained that he received some feedback from people who were sceptic about the automation process he explained in 2017. Challenge accepted: he came with a new idea: To create a path for network engineers to help them to implement network automation. Ivan reviewed multiple examples based on real situations. Network engineers contacted him about problems they were facing where no tool was available. If no tool exists, just create yours. It does not need to be complex, sometimes a bunch of scripts can save you hours of a headache! It’s mandatory to find solutions when vendors are not able to provide the right tools. Many examples were provided by Ivan. Most of them based on python & expect scripts. They usually generate text files that are more easy to process, index, are searchable and can be injected into a versioning tool. He started with some simple example like checking the network configuration of thousands of switched (ex: verify they use the right DNS or timezone) up to the complex project to completely automate the deployment of new devices in a data center. Even if the talk was not really a “security” talk, it was excellent and provided many ideas!

After the lunch, Nate Warfield, working at the Microsoft Security Response Center, presented “All your cloud are belong to us – Hunting compromise in Azure“. Azure is a key player amongst the cloud providers. With 1.6M IP addresses facing the Internet, it is normal that many hosts running on it are compromized. But how to find them easily? A regular port scan is not doable, will return too many false positives and will be way too long. Nate explained with many examples, how easy it is to search for bad stuff across a big network. The first example was NoSQL databases. Such kind of services should not be facing the Internet but, guess what, people do! NoSQL databases have been nice targets in the past month (MongoDB, Redis, CouchDB, ElasticSearch, …). At a certain point in time, Azure had 2500 compromized DB’s. How to find them? Use Shodan of course! A good point is that compromized databases have common names, so it’s convenient to use them as IOCs. Shodan can export results in JSON, easily parsable. The next example was only one week old: the Exim RCE (CVE-2018-6789). 1221 vulnerable hosts were found in 5 mins again thank to Shodan and some scripting. And more examples were given like MQTT and WannaCry or default passwords. The next part of the presentation focused on 3rd party images that can be used by anybody to spawn a VM in a minute. Keep in mind that, in the IaaS (“Infrastructure as a Service“), your security is your responsibility. Other features that can be abused are “Express Route” or “Direct Connect”. Those feature act basically as a VPN and allow your LAN to connect transparently to your Azure resources. That’s nice but… some people don’t know which IP address allow and… they allow the complete Azure IP space to connect to their LAN!? Another threat with 3rd party images: most of them are outdated (more than a few months old). When you use them, they are lacking the latest security patches. A best practice is to deploy them, patch them and review security settings! A very interesting and entertaining talk! Probably the best of the day for me.

The next talk was presented by Mara Tam: “No royal roads: Advanced Analysis for Advances Threats“. Mara is also a recurring speaker at TROOPERS. Small deception, based on the title, I expected something more technical about threat analysis. But it was interesting, Mara’s knowledge about nation-states attacks is really deep and she gave interesting tips. I like the following facts: “All offensive problems are technical problems and all defensive problems are political problems” or this one: “Attribution is hard, and binary analysis is not enough“. So true!

After a break, Birk Kauer and Flo Grunow, both working for ERNW, presented the result of their research: “Security appliances internals“. This talk was scheduled in the defensive track because takeaways and recommendations have been given. As says Wikipedia: the term “appliance” is coming from “home appliance” which are usually closed and sealed. Really? Appliances are critical components of the infrastructure because they are connected to the core network, they handle sensitive data and perform security operations. So we should expect a high-security level. Helas, there are two main threats with an appliance:

• The time to market (vendors must react faster than competitors)
• Complexity (they are more and more complex and, therefore, difficult to maintain)

An appliance can be classified into two type:

• Vendor class 1: They do everything on their own (with no or little external dependencies). The best example is the Bluecoat SGOS which has its own custom filesystem and bootloader.
• Vendor class 2: They integrate 3rd party software (just integration)

They are pro & con for both models (like keeping full control, smaller surface attack but people difficult to hire, harder maintenance, easy patching, etc). Then some old vulnerabilities were given to prove that even big players can be at risk. Examples were based on previous FireEye or PaloAlto appliances. The next part of the talk focused on new vulnerabilities that affected CheckPoint firewalls. One of them was affecting SquirrelMail used in some Checkpoint products. The vulnerability was solved by CheckPoint but the original product SquirrelMail is still unpatched today. Despite multiple attempts to contact the developers (since May 2017!), they decided to go to a full disclosure. The next example was targeting SIEM appliance and NXlog. The conclusion to the talk was a series of recommendations and question to ask to challenge your vendors:

• How do they handle disclosure, security community? (A no answer is an answer…)
• Do they train staff?
• Do they implement features?
• Do they use 3rd party code?
• Average time to patch?
• What about the cloud?

The day ended with a set of lightning talks (20-mins each). The first one was presented by Bryan K who explained why the layer 8 is often weaponized. For years, security people consider users are dumb, idiots that make always mistakes… He reviewed simple human tricks that simply… work! Like USB sticks, Indicators of Bullshit (money), fear (Your account will be deleted) or urgency (Do it now!).

The next lightning talk was presented by Jasper Bongertz: “Verifying network IOCs hits in millions of packets“. In his daily job, Jasper must often analyze gigabytes of PCAP files for specific events. Usually, an IDS alert match on a single packet. Example: a website returns a 403 error. That’ nice but how to know from which HTTP request this error is coming? We need to inspect the complete flow. To help him, Jasper presented the tool he developed. Basically, it takes IDS alerts, a bunch of PCAP files and extracts relevant packets to specific directories related to the IDS alerts. Easy to spot the issue. New PCAPs are saved in the PCAPng format with comments to easily find the interesting packets. The tool is called TraceWrangler. Really nice tool to keep in your toolbox!

Finally, Daniel Underhay presented his framework to easily clone RFID cards: Walrus. Based on red team engagements, it’s often mandatory to try to clone an employee’s access card to access some facilities. They are plenty of tools to achieve this but there was a lack of a unique tool that could handler multiple readers and store cloned cards in a unique database. This is the goal of Walrus. The tool could be used by a 3+ years old kid! The project is available here.

As usual, the day ended with the social event and a nice dinner where new as well as old friends were met! See you tomorrow for the second wrap-up. Nice talks are on the schedule!