Archive for January 2012
We regard Shmoo(Con) as one of the most important community events at all and it allows us to meet fellow researchers from the US who we can’t easily sit down with to chat very often.
And some lucky guys from ERNW will even continue the trip to head to San Diego (!) for NANOG and NDSS. Not to mention they stay in some fancy beach resort ;-), while I myself fly back today. (Getting older I don’t enjoy staying away from home for a week anymore and I have been missing my kids since some days…)
So what can I report to good ole Germany?
On Friday, Peter Gutmann delivered the keynote (mainly) on how taking a dynamic risk assessment approach based on a number of factors (allowing to rate the overall trustworthiness of a website visited) could heavily contribute to browser security and phishing prevention. While I had the impression there was some room for improvement as for the presentation style, it provided a number of interesting thoughts and on the technical level I really liked it.
[furthermore I learned about the “Crime prevention through environmental design” (CPTED) approach which I wasn’t aware of beforehand].
Next talk I was really looking forward to was Toby Kohlenberg’s “A New Model for Enterprise Defense” piece.
Toby and I had been following each other’s work for some years, so when Intel published this whitepaper he co-authored and he subsequently gave a talk on the stuff at T2 I decided to invite him to speak about the approach at Troopers 2012. Which unfortunately doesn’t work out due to some conflict on his side and he seems at least as unhappy as I am about this
Still ShmooCon provided an opportunity to see his stuff live (btw: at 10:00 AM on Saturday morning which traditionally happens to be one of the least grateful speaking slots at Shmoo ;-)) and discuss it over lunch afterwards.
Dear readers, this is great stuff!
Looking at the current attack and overall security landscape some guys at Intel asked themselves “If we were starting from scratch what would we do differently?” and created a small, focused team that tried to answer that exact question. They came up with an architecture based on four ideas:
- Dynamic Trust Calculation
- Isolated Security Zones
- Aggressively balanced controls
- Additional “perimeters” added (User, Data)
The approach is centered around a step they call “dynamic trust calculation” which in turn can be split up into calculating the trust(worthiness) of first the source of an access request to an information entity, taking into account the user identity (“who are you?”), the device and feature set (“what you have”?) and the physical location (“where are you?”), and second the trust(worthiness) of the destination, based on the application, the data’s classification and the data’s location. The “quality” (trustworthiness) of the actual authentication method used might come into play as well (e.g. OTPs or cert based auth providing better numbers in the overall trust calculation then, say, username/password). Evaluating these factors then determines the type of access granted. So a corporate sales guy using a smartphone from an untrusted location might only read customer information or place orders while being able to modify pricing only when using a system within an organization’s network.
[btw: this is a little bit similar to the table I used in bottom of this post, with the difference that the approach laid out there (in that post) is much less flexible and does not provide the security benefit the Intel approach might offer]
So far they’ve started implementing the architecture with own tools and based on currently existing technologies (he mentioned they heavily use proxies when crossing the boundaries of trust zones), so none of this stuff is “readily available as commercial tools”. Still he mentioned that a number of vendors they discussed this with are working on such approaches as well. Hopefully this does not take the road of NAC (which, from my perspective, is fully dead due to the inherent complexity and operational effort it induced].
In addition to the technical aspects of the talk it was actually fascinating to hear how they build and maintained (over time) that “security innovation” team. I might take some lessons as for the way we do such stuff at ERNW…
I’ll keep you updated once Toby’s slides are publicly available (in the interim see the whitepaper mentioned above) and might even find the time to discuss other interesting talks. For the moment have a great Sunday everybody
We’re quite happy and looking forward to the event
Rodrigo Branco: Into the Darkness – Dissecting Targeted Attacks
The current threat landscape around cyber attacks is complex and hard to understand even for IT pros. The media coverage on recent events increases the challenge by putting fundamentally different attacks into the same category, often labeled as advanced persistent threats (APTs). The resulting mix of attacks includes everything from broadly used, exploit-kit driven campaigns driven by cyber criminals, to targeted attacks that use 0-day vulnerabilities and are hard to fend off – blurring the threat landscape, causing confusion where clarity is most needed.
This presentation analyzes a specific incident, last March’s RSA breach, explaining the techniques used by the attackers and detailing the vulnerability used to gain access to the network. It further explores the possible mitigation techniques available in current software on the OS and application level to prevent such attacks from reoccurring.
Bio: Rodrigo Rubira Branco (BSDaemon) is the Director of Vulnerability & Malware Research at Qualys. In 2011 he was honored as one of the top contributors to Adobe Vulnerabilities in the past 12 months. Previously, as the Chief Security Research at Check Point he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest and biggest security research conference in Latin America.
Carsten Amann: Security can not only Be Managed by Numbers – You Need More
Abstract: From “the management’s perspective” IT security is usually reduced to key performance indicators. Those indicators tend to leave some room for interpretation, especially for top management people. This room for interpretation can lead to decisions which do not only not improve the security level, but might actually decrease it.
The presentation will give an overview how IT security should be “managed by numbers”, to provide transparency and to gain the trust of the top management.
Bio: After his business information systems studies Carsten Amann started his career with a very large consulting company. He was assigned in managerial positions to software implementation projects for different clients. In 2007 he continued his career with a global supplier for technology and services. There he was initially responsible for the global IT security operations (virus protection, encryption, anti-spam etc.). After this assignment he took over the responsibility for the IT-Client topic (operating system, software distribution). Then he took over the responsibility for services within a product area.
Manuel Leithner: Cloud Storage and Its Implications on Security and Privacy
Abstract: With everything moving to the cloud nowadays, security and privacy is often left behind. An ever increasing number of cloud storage operators offer low cost online storage. In this talk we will present our results on the popular service Dropbox, which relied heavily on data deduplication for better user experience. While data deduplication is a straight forward way to decrease costs in terms of bandwidth and storage, it has implications on privacy and security of user data if done wrong – there ain’t no such thing as a free lunch. We will furthermore present methods how data deduplication can work correctly.
Bio: Manuel was introduced to information security while graduating from a technical college and has done research in the areas of mobile security, cloud computing and compile-time obfuscation. He has appeared on national television, podcasts and possibly Chinese security blacklists.
Furthermore, he’s known to use presentations with an average of 0.3 words per slide.
Piotr Cofta: Security professionals – plumbers of trust
Abstract: Trust is a foundation of security, so that it is often overlooked. The presentation analyses trust from the perspective of an information security professional. It discusses what trust is, how it is structured and what can be done about it, beyond the familiarity of trust assessment or trust management. As a result, participants will develop professional insight into trust.
Bio: Dr. Piotr Cofta is managing Security Transformation, having moved from his role as a Chief Researcher, Identity and Trust. Before that, he has been working for many years for Nokia and for Media Lab Europe, concentrating on the relationship between trust, risk, technology and society.
Dr. Cofta is a contributor to several international standards; he publishes and speaks frequently. He is an author of several patents and publications, from areas such as trust management, identity and privacy, digital rights management and electronic commerce. He is a CISSP and a senior member of IEEE. You can contact him at Piotr.Cofta@cofta.net or at http://piotr.cofta.net.
Frank Block & Michael Thumann: Some Notes on Web Application Firewalls or Why You still Get Owned
Abstract: This talk illuminates Web Application Firewalls (WAFs), with particular focus on the negative detection model. It will present methods how they can be fingerprinted and circumvented in order to demonstrate the wrong feeling of security they might create. Furthermore the tool tsakwaf (The Swiss Army Knife for Web Application Firewalls) will be covered, a little script written in perl that includes various code generation functions for circumventing WAFs and a fingerprinting routine to identify supported WAFs.
Of course there will be some nice demos to prove the point and the speakers will also share their experience from daily web application pentest tasks. Finally, as a special gift, an enhanced version of TSAKWAF will be released at Troopers.
Bios: Frank Block is a security consultant working for ERNW GmbH and penetration tester focusing on web application pentests. One of his passions is the analysis of security mechanisms to find ways to circumvent those.
Michael Thumann is the Chief Security Officer and the head of the ERNW’s application security team. He has published security advisories regarding topics like ‘Cracking IKE Preshared Keys’ and buffer overflows in web servers or VPN software. Michael enjoys sharing his self-written security tools (e.g. ‘tomas – a Cisco Password Cracker’, ‘ikeprobe – IKE PSK Vulnerability Scanner’ or ‘dnsdigger – a dns information gathering tool’) and his experience with the community. Besides numerous articles and papers he wrote the first German book on pentesting that has become a recommended reading at German universities.
In addition to his daily pentesting tasks he is a regular conference-speaker (incl. several Black Hat events, HITB and RSA Conference) and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michaels’ main interest is to uncover vulnerabilities and security design flaws from the network to the application level and to reverse almost everything to understand the inner workings.
Johnny Deutsch: The Social Map
Abstract: In our talk we will discuss about the threats that social networks pose on organizations. We will display case studies from our clients that have encountered unwanted exposure on account of their employees or social network applications. The talk addresses issues, such as using the social network as a bed for corporate intelligence gathering, how do users interact with their co-workers and how can we infer from usage trends on the corporate social network policy.
We will demonstrate a variety of issues that corporations must think of when deciding to go on to the social networks. One of the most relevant usages on these networks is to harvest personal data and perform some data visualization tools, such as “Touch Graph”. This application performs this by mapping your friends, dissecting them into groups and creating a map of the employee’s social connections. The map is a good indicator of “closed groups”, a reference that indicated from where these people connect\relate to the employee. A tool that we manufactured for our cyber-services department can achieve a unique feature that enables intelligence gathering on people that user is directly related to or has social ties with. This tool creates a visualization of social circles that are not directly related to your profile, by gathering information that is open for the pubic on Facebook and displays it as a map of connections. In our talk we will display usage cases of the tool and how it relates to our social policy methodology.
Bio: Johnny Deutsch is a manager in the Advisory Services practice of Ernst & Young LLP. Johnny leads the cyber warfare and crime section at Ernst & Young?s Hacktics Advanced Security Center (HASC) based in Tel Aviv, Israel. This cutting-edge security team is dedicated to conducting attack and penetration assessments for EY clients. In this role Johnny is in charge of developing new methodologies and performs cyber vulnerability assessments for HASC clients. Johnny has over 10 years of experience in the field of IT systems and security specializing in large scale VoIP systems and data networking. Prior to Johnny`s employment at HASC, he was a consultant at the Israeli Ministry of Defense and managed large scale projects in the field of IRM (Information Rights Management) and NAC (Network Access Control) systems. Prior to the MoD, Johnny was employed by an American sub contractor for the American Department of Defense and managed projects in the field of cellular communication and its integration of VoIP based PBXs. Prior to the DoD, Johnny served in the Israeli Defense Force and managed integration projects in the field of enterprise storage systems (Netapp) and enterprise WAN communications. Johnny is an active reserve duty officer in the Israeli army at the rank of Lieutenant.
See you @Troopers, take care
Here we go:
Dmitry Sklyarov – “Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh Really?
Abstract: The task of providing privacy and data confidentiality with mobile applications becomes more and more important as the adoption of smartphones and tablets grows. As a result, there are a number of vendors and applications providing solutions to address those needs, such as password managers and file encryption utilities for mobile devices.
In this talk we will analyze several password managers and file encryption applications for Apple iOS platform and demonstrate that they often do not provide any reasonable level of security and that syncing data between desktop and mobile versions of the applications increases the risk of compromise. We will also show that the best way to provide privacy and confidentiality on Apple iOS platform is by adhering to Apple Developer Guidelines and not by reinventing the wheel.
Bio: Dmitry is a Security Researcher at Elcomsoft and a lecturer at Moscow State Technical University. He did a research on the security of eBooks and on the authentication of digital photos. Recent research projects involved mobile phone and smartphone forensics. Dmitry is also a co-developer of the Elcomsoft iOS Forensic Toolkit.
Thomas Stocker: Business Application Security in a Global Enterprise
Abstract: In this talk the business application security process at Allianz SE will be laid out. Information security is an integral part of any IT related project from the very beginning and – supported by a well-defined framework of processes and accompanying documents – this is maintained through the whole project lifecycle. I will give a detailed overview of the process, show the relevant steps and documents and discuss common challenges when dealing with the projects, how to tackle those and lessons learned.
Bio: Thomas works as Information Security Officer for the Holding of Allianz SE. He has initially established and continuously improved the business application security process since he took over the job six years ago. Prior to that he worked as an application developer and architect, so he knows his stuff from the ground up.
Meredith Patterson & Sergey Bratus: Theory of Insecurity
Abstract: Why is the overwhelming majority of networked software still not secure, despite all effort to the contrary? Why is it almost certain to get exploited so long as attackers can craft its inputs? Why is it the case that no amount of effort seems enough to fix software that must speak certain protocols?
The answer to these questions is that for many protocols and services currently in use on the Internet, the problem of recognizing and validating their “good”, expected inputs from bad ones is either not well-posed or is undecidable (i.e., no algorithm can exist to solve it in the general case), which means that their implementations cannot even be comprehensively tested, let alone automatically checked for weaknesses or correctness. The designers’ desire for more functionality has made these protocols effectively unsecurable.
In this talk we’ll draw a direct connection between this ubiquitous insecurity and basic computer science concepts of Turing completeness and theory of languages. We will show how well-meant protocol designs are doomed to their implementations becoming clusters of 0day, and will show where to look for these 0day. We will also discuss simple principles of how to avoid designing such protocols.
Bios: Meredith L. Patterson is a software engineer at Red Lambda. She developed the first language-theoretic defense against SQL injection in 2005 as a PhD student at the University of Iowa, and has continued expanding the technique ever since. She lives in Brussels, Belgium.
Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing. He has a Ph.D. in Mathematics from Northeastern University and worked at BBN Technologies on natural language processing research before coming to Dartmouth.
Mariano Nunez Di Croce: SAP (In)security: Latest Attacks and Defenses
Abstract: This presentation details some of the latest attack vectors against SAP systems, explaining some of the techniques malicious parties may use to compromise the systems remotely and then escalate privileges to access sensitive business information.
Join us to see live demonstrations of these attacks, learn about the statistics of dozens of real-world SAP Penetration Tests and identify which are the latest advances in preventing your SAP systems from falling in the wrong hands.
Bio: Mariano Nunez Di Croce is the CEO at Onapsis. Mariano is a renowned researcher in the ERP & SAP Security field, being the first to present on real-world security attacks to SAP platforms. Since then, he has been invited to lecture in some of the most important security conferences in the world, such as BlackHat DC/USA/EU, RSA, SAP, HITB Dubai/EU, Troopers, Ekoparty, HackerHalted, DeepSec, Sec-T, Hack.lu and Seacure.it, as well as in Fortune-100 companies and military organizations.
Mariano has discovered 50+ vulnerabilities in SAP, Microsoft, Oracle and IBM applications. He leads the strategic development of Onapsis X1, has been the developer of the first open-source SAP & ERP Penetration Testing Frameworks and leads the “SAP Security In-Depth” publication. Mariano is also a founding member of BIZEC.org, the Business Security Community. Because of his research work, he has been interviewed and featured in mainstream media such as CNN, Reuters, IDG, New York Times, eWeek, PCWorld, Darkreading and others.
Mario Heiderich: Got your Nose! How to steal your precious data without using scripts
Nikhil Mittal: More fun using Kautilya or Is it a thumb drive? Is it a toy? no it’s a keyboard
Abstract: How many non-traditional methods you use to get into systems? How about having some more fun while getting into the systems and also making profit out of it? Let us increase the awesomeness of our Penetration tests and start using Human Interface Devices such as Teensy in the pwnage trade.
The tool for the trade for this talk will be Kautilya. Kautilya is a toolkit which can be used to perform various pre-exploitation and post-exploitation activities. Kautilya aims on easing the use of attack vectors which traditionally require human intervention but can be automated using Teensy. Kautilya contains some nice customizable payloads which may be used for enumeration, info gathering, disabling countermeasures, keylogging and using Operating System against itself for much more. The talk will be full of live demonstrations.
An updated version of Kautilya will be released at Troopers that includes a number of previously unseen Linux payloads.
Bio: Nikhil Mittal is a hacker, info sec researcher and enthusiast. His area of interest includes penetration testing, attack research, defense strategies and post exploitation research. He has over 3 years experience in Penetration Testing of many Government Organizations of India and other global corporate giants at his current job position.
He specializes in assessing security risks at secure environments which require novel attack vectors and “out of the box” approach. . He is creator of Kautilya, a toolkit to utilize teensy in penetration tests. In his free time, Nikhil likes to scan full IP ranges of countries for specific vulnerabilities, writes some silly Metasploit scripts and does some vulnerability research. He has spoken at Clubhack’10, Hackfest’11, Clubhack’11 and Black Hat Abu Dhabi’11.
More talks to follow next week, so stay tuned
See you @Troopers, take care
During a recent penetration test, we evaluated the security of a typical corporate employee notebook. It was to be assessed whether employees with a default corporate user account would be able to gain administrative access and subsequently abuse the system for attacks against a certain high value database system. When evaluating this problem set, the first step is to find ways to bring tools and exploit code on the system. Usually this task requires the bypassing of the malware protection agent of the system. At some point, we thought we figured a way to encode exploits and payloads in a way that would not be detected by the malware protection solution.
But as we soon realized, it wasn’t the encoding which made the malware protection fail but another issue. The installed solution was TrendMicro OfficeScan, a comprehensive endpoint suite for all kinds of endpoint protection mechanisms such as malware protection, hard drive encryption, or DLP integration. The malware protection module was also announced as a “Cloud AntiVirus Solution”. In the concrete case, this means that the analysis of files is not performed on the endpoint itself but on a centralized server (which, from our point of view, would qualify as centralized or server-based AntiVirus but not Cloud AntiVirus… but this discussion is out of scope of this blogpost ).
Coming back to the initial scenario, the encoding of the exploit code did actually help to bypass the AV, but not in the way we initially thought. The local AV client knows malicious files it has detected before based on their hash values. Files with an unknown hash value are transferred to the centralized analysis server. Referring to the OfficeScan Smart Protection Server Getting Started Guide:
“File reputation technology from Trend Micro checks the reputation of each file against an extensive in-the-cloud database. Since the malware information is stored in the cloud, it is available instantly to all users.”
Obviously different encodings change the hash value of the exploit code, and the AV client does not recognize the file as malicious anymore. Thus it must send the file to the analysis server. We became aware of this fact since we pulled the network cable of the endpoint at some point in time: From then on, no malicious code (that has not been detected before) was detected any more. Hence we were able to execute arbitrary code on the system – just like any malware could do.
To summarize this in one sentence: If someone pulls the network cable of the system, there is no more malware protection in place. Not by running black magic exploit code or abusing extensive user rights… just by pulling the network cable.
Since we were not to perform an extensive malware protection product evaluation, we stopped our research at some point, so at this point we can not yet make any further conclusions. Yet, and even this should be obvious, one of our basic security principles is important again: Carefully select and evaluate the security technology you bring to your environment! The OfficeScan suite is promoted for virtualized client environments, yet not restricted to them. In a virtualized environment, the described malware protection approach might be valid, since the system cannot be accessed without connectivity, and therefore it does not matter if this disables AV protection. But for a typical “local” endpoint system, this approach does not necessarily provide appropriate AV protection. Even though we do not say that it is not possible to design a secure system without AV, in most environments this might lead to severe business risks. Therefore, if you are looking for a suggestion for a new year’s resolution, here we go: “We will not integrate more security technologies without careful evaluation and risk assessment any more”
Have a great weekend,