Following David’s presentation “Breaking Bad – Season Two” at ScotSoft 2017, this post contains the remediation advice and further reading notes on the matters presented.
7 Elements are pleased to convey our experiences of the Securi-Tay fourth annual security conference at Abertay University. With a graduate and senior tester attending, we split up to combine our efforts to hear as many talks as possible. We have written an overview of a subset of the great talks we heard, in no particular order.
Gavin Millard, Tenable Network Security: The Five Stages of Security Grief
The first talk was by Gavin Millard, EMEA Technical Director of Tenable Network Security. Gavin spoke about the five stages of security grief and the process of aiding in the establishment of what stage different people are in their process of identifying information security issues and deciding how the problems identified are dealt with. Gavin drew upon the parallels to the Kübler-Ross model of grief (Elisabeth Kübler-Ross, 1969). Gavin discussed how this grief model had parallel applications relating to the grief and anxiety of not being able to understand what actions to take to protect an organisation from pernicious threat actors. The talk focused on elements of the human condition and the coping mechanisms often employed before an organisation moves through the five stages of security grief. The talk progressed to outline how security consultants can assist organisations in progressing though to the final acceptance stage.
Dr Greg Fragkos, Virtual terminals and POS security; How I had a chance to become a billionare.
In this talk Dr Fragkos highlighted the inherent security flaws of Point-of-sale (POS) devices and Virtual Terminals in spite of their processing of transactions by using strong encryption and secure communication channels to connect to remote authorisation servers. The talk focused on the ease of committing fraud by either using a card to purchase items seemingly legitimately without the transaction ever leaving the local payment device.
Dr Fragkos provided some helpful advice for consumers. If you have any item containing RFID technology it should be kept in an RFID blocking container.
Read more about measures against RFID skimming: http://en.wikipedia.org/wiki/RFID_skimming
Freaky Clown, Portcullis Computer Security: Robbing Banks and other fun tales
This talk highlighted the deficit of a culture of challenge within the office workplace of organisations. The talk discussed many techniques about how a social engineer prepares for a test using publicly available resources such as “Google Maps” for investigating and pinpointing the implications of flawed security implementations or a lack of physical security meant to secure digital and physical access in restricted areas within a business. This involved presenting images of incorrectly installed magnetic locks on doors, spoofing heat based movement detecting sensors and detailing methodology for bypassing measures meant to enforce controlled access at receptions.
7 Elements have also witnessed a lack of challenge culture and flawed implementation of corporate access control mechanisms. Often the security deficit stems from problems with the technology being used and instead of fixing problems related to the automated access control mechanism, the technology is sometimes simply deactivated or only partially implemented to ensure the goals related to business efficiency are being met first.
Graham Sunderland, Portcullis Computer Security: We don’t take kindly to your types around here!
This talk discussed and demonstrated relatively unknown pitfalls that may inadvertently be introduced in code. The problem stems from the lack of focus on security considerations when coding with Object Oriented Programming languages such as C++ and PHP. The focus of this talk was in the serialisation and deserialisation of objects, several common development pattern vulnerabilities were demonstrated.
Lewis Arden, Leeds Beckett University: Creating vulnerable systems containing dynamically allocated vulnerabilities
Drawing upon the needs of students studying the “Computer Forensics and Security” undergraduate course, the possibility to create systems containing dynamically allocated vulnerabilities was identified as popular vulnerable systems such as Metasploitable2, OWASP, BWA and others. These popular vulnerable systems have many walkthroughs on how to exploit different vulnerabilities online. Whilst walkthroughs facilitate creating a methodology for exploitation, the vulnerabilities that are exploited on static systems cannot serve to evaluate student learning. The dynamic allocation of vulnerabilities allows each assigned box to have their own specific set of vulnerabilities. This approach should stop students from sharing solutions, instead encouraging the sharing of methodologies, thereby establishing a cooperative learning environment. This tool is to be launched soon at http://z.cliffe.schreuders.org/index.htm.
Barry Myles, SDR for security testers
Barry Myles’ presentation was severely hit by the live-demo gods wrath. During his presentation, Barry showed how he replaced the remote control of an array of radio controlled power plugs. Unfortunately, some of the demos he had planned were not shown and others did not work was planned. However, the presentation was perfect as an introduction to Software Defined Radio and has been responsible for the acquiring of additional research hardware (aka Toys for InfoSec boys!). I believe here is a lot of security research to be made on these types of devices as they are usually built and developed without security concerns in mind.
Kevin Sheldrake and Steve Wilson, Embedded Tool Kit
This presentation was divided in two and felt like it went by really fast! Steve Wilson talked first and focused on the hardware side of security testing embedded devices, brushing slightly on required hardware and showing the process of testing a TP-Link Wireless Extender (TP-WA850). Kevin Sheldrake spoke about some tools he has been developing in assisting debugging the software running on these embedded devices. With this purpose, Kevin has developed bps (a non-interactive debugger), cliapi (a command-line utility that allows running functions in executables and libraries) and jackal (a SSL certificate cloning utility for MitM attacks).
Their tools can be found at http://rtfc.org.uk.
Steve Lord, Anonaflops: It’s part in my downfall
Steve Lord is able to keep up engaged through what is a quite technical presentation through the use of down to earth examples and essentially being able to deliver real world examples without it being overly complicated as it usually the case in the InfoSec world. He knows what he talks about and was able to simplify the usual misconceptions on anonimity, privacy and free access to information. During his talk he debunked the Anonabox project and reviewed a much better concept called Cloak.
Javvad Malik, How to hack you career path and stand out
Javvad’s presentations are always fun to watch. He is a gifted speaker and focuses in the personal growth side of being a InfoSec professional. This presentation was no different and he introduced what he called the Personal OSI Model, a collection of items someone should take into account in order to improve their professional career. I found his “Skills VS Reputation” discussion with Steve Lord when considering a prospective employer to be most thought provocative.
Rory McCune, Secure and “Modern” Software Deployment
Modern software is complex and has a lot of dependencies. Nowadays, dependencies are usually installed automatically from repositories and are almost always implicitly trusted by default.
Rory McCune’s presentation described a couple of scenarios in which he shows different ways the deployment process can be abused by attackers to gain access to unsuspecting users’ machines. The attackers and scenarios he described ranged between high-end nation-state sponsored attackers to modest ones with limited resources.
Dr Jessica Barker, Social Security
Independent Information Security expert Dr. Jessica Barker tackled the usual InfoSec adage “It’s the user’s fault!”. She challenged this view by using Rosenthal’s Pygmalion effect. The usual victim blaming approach was also illustrated by the Golem Effect. Using these explanations, she hopes it could help us as InfoSec professionals to improve the way we handle the ever important education of users in fixing InfoSec’s biggest problem: education.
Stephen Tomkinson, Abusing Blu-ray Players
Stephen Tomkinson’s presentation on abusing blu-ray players was a very nice example of good and relevant research sponsored by an employer. He showed different types of attacks on blu-ray players ranging from network attacks to physical disc attacks which would allow an attacker to get a strong foot-hold in gaining access to your local network.
The research included the development of a new tool that will surely lead other researchers to finding other vulnerabilities in this ever growing connected world.
So where are we this year? We are not even 10% into the new year and already contenders are popping up trying to make their name. The newest vulnerability to get the brand treatment is GHOST.
GHOST is a buffer overflow that affects the GNU C Library (otherwise known as glibc), specifically the __nss_hostname_digits_dots() function of glibc.
Because this function is available both remotely and locally (as gethostbyname functions generally are), it is exploitable both locally and remotely. Successful exploitation of this vulnerability allows for arbitrary code execution, resulting in unauthorised access. The full advisory can be read here and has been tagged with the corresponding CVE-2015-0235.
No working exploit has yet been disclosed. However, the technical explanation in the advisory could be sufficient to shed light on the matter and allow for a working version of the exploit to be developed.
GHOST’s impact should therefore be considered as critical and warrant early remediation.
As per the advisory, the disclosure of this vulnerability has been coordinated with several vendors in order to allow time to issue security related patches.
Vulnerable versions of glibc range between glibc-2.2 and glibc-2.17~glibc-2.18. However, many long term support and server grade distributions remain vulnerable. For example:
Debian 7 (wheezy)
Red Hat Enterprise Linux 6 & 7
CentOS 6 & 7
Ubuntu 12.04 LTS
I’ve been noticing a trend from security vendors who promise security-in-a-box solutions and Web Application Firewalls (WAFs) are being promoted as one such solution. Unfortunately, organisations are aligning to this suggestive, albeit dangerous tune.
As a result, organisations choose to filter out traffic that would exploit their known vulnerabilities on their WAFs instead of applying vendor approved updates and fixes, refactoring or rewriting vulnerable code.
Don’t give your WAF the whole responsibility!
A WAF is a piece of software capable of applying a set of rules to an HTTP conversation. These rules will then allow the organisation to make control-flow decisions on the HTTP interaction and therefore help mitigate and protect against certain common attacks on the Web (XSS, SQLi, etc).
In short, it adds an additional layer of security to a web application, which is a good thing. This is done by keeping a separate rule-set for the detection and prevention of attacks, keeping the actual application oblivious to such attempts.
“Just because you feel safe, doesn’t mean that you’re secure”
WAFs exist in many different guises, as network appliances, full-blown applications or even modules running inside of web servers. When correctly deployed, WAFs are a huge help in preventing some common attacks on organisations’ applications. Cross-site scripting, SQL-injection, brute-force attacks are on the top of the list of attacks that you would be able to prevent with the help of a correctly configured WAF.
Of course this doesn’t mean that by having a WAF you don’t have to include security-aware developers and secure coding practices, or stop applying security updates, just because you are “protected” against some of these threats. Security controls should be placed as near as possible to the asset you are trying to protect and a defence-in-depth approach is required. A WAF should therefore be one of many security measures deployed, not relied on in isolation.
“In the absence of other factors, always use the most secure options available.” – Dr. Joel Snyder
Whilst filtering against the input and output of your application might protect you against some of the OWASP-top-ten attacks, WAFs are only able to protect against a few specific and well-known attacks.
Keeping in tune with the “locking doors behind locked doors” mantra that guides the defense-in-depth approach, you should always keep increasing the overall security of your environment to maintain currency with the current threats out there. This should be done by applying security patches, fixing security bugs on software, hardening configurations and establishing and maintaining security baselines.
Security is not a recipe. Security is an on-going process and evolves over time. This process includes installing updates regardless of whether on devices (security patches), people (raising security-awareness) or processes (security reviews).
By relying on a WAF to protect you from a current known weakness and enabling you to avoid the issue of patching, will only lead to more headaches further down the line.
This subject is something that we will explore further in later posts.
It was the first meeting of this kind in Portugal (for infosec people by infosec people, open to the general public, free admission, international speakers and attendees). There were about 180 people there in both rooms.
Other than my talk, here’s a rundown of what I saw.
Convincing your friend that a Website sucks by Colin McLean
Colin tried to prove to his friend Mark a website he used wasn’t that safe… and failed. The end result – and a big win – is this talk. We should realise that after all this time, since the beginning of the World Wide Web, we still haven’t been able to prove automatically and successfully if a site is doing something malicious. Colin’s initial solution is a smart mix of proxying, analysis and IDS techniques. It looks very promising. I just hope Colin is able to find a grad student that tackles this issue and fixes it for us!
Security (A)SAP by Bruno Morisson
This talk is about the hugely complex and prevalent CRM system in most large companies in the world and the challenges in keeping these kind of critical systems secure and healthy. Some of the work presented resulted in a Metasploit module for SAP pen-testing. A typical talk at these gatherings.
Digital Forensics on todays’ digital world by David Marques
In this talk, David gave us a general and introductory overview of Digital Forensics. Starting with digital forensic’s history, describing different mindsets between the technical forensicators and legal crowd (judges and lawyers), existing software and usage, explaining current (and future challenges) as a forensics company. Unfortunately, in the end, Q&A fell back to the oldest discussion in the books: “Open-Source” vs “Proprietary” Software. A very good intro to the Digital Forensics’ world, nonetheless.
All your sites are belong to Burp by Tiago Mendo
A plain talk that had a bit for everyone, an introduction to Burp for the newbies and developers and tips that experienced users always enjoy (Macros and Extensions). I also learned about using both Intruder and the Scanner to optimize testing. I actually overheard someone in the room say “where do I sign to get this fantastic piece of software?”. Oh, and I do believe Dafydd Stuttard deserves every penny he is paid for Burp!
“there is no spoon” – The art of “bending” a vulnerability with the power of mind by Pedro Cabrita
Revisiting the idea that automated vulnerability scanning is worth what it is worth, Pedro described several vulnerabilities on a custom tailored app that some of the automated vulnerability scanners couldn’t find. Some of these vulnerabilities were quite basic and immediate that even a more unexperienced tester would find them. While the topic isn’t new, it made a good point since it explains the skewed reality perception organisations have after being submitted to testing. Testing for security isn’t a case of point & shoot or point & click in our case. Just as attackers are somewhat artistic in their trade, so too should testers be. Automated testing tools are just that, tools. Give a skilled tester some good tools and he will deliver.
Revisiting Mac OS X Rootkits by Pedro Vilaça
Unfortunately, I only saw the end of this talk since I was at Pedro Cabrita’s talk but from what I gathered, Pedro is one of the world’s authority on OSX Rootkits and his work is interestingly mindblowing and an eye-opener regarding OSX’s security. One of my favorite talks.
Securing Password Storage – Increasing Resistance to Brute Force Attacks by Tiago Teles
As recent years have shown, storing passwords securely has been proven quite dificult judging by all the password leaks and disclosures even for big players like Yahoo!, Twitter and LinkedIn. After an introduction, design decisions and evolution of hashing functions for password storage, Tiago from Cigital proposed an HMAC based solution to storing user passwords. It was quite an interesting and technical talk with some food for thought on the future of secure password storage and management for organisations.
Man vs Internet or The future of Authentication by Luís Grangeia
Why is it so hard for people (even us, infosec professionals) to properly and securely manage our digital online selves? In his talk, Luis talked about the Mat Honen digital life theft case, authentication and the management of digital identities. It was a basic subject but still something we haven’t completely figured out and often leave to superficial thinking and management without realising we are putting ourselves at unecessary risk with high likelihood of exploitation. Luis finished the talk with some ideas on how to increase our security and raised awareness of these topics. A very interesting talk with a lot of food for thought.
I’m the guy your CSO is STILL warning you about by Gavin Ewan
Gavin is a funny and gifted speaker. He has the heart of a Social Engineer, he lures you in and you’re hopelessly captivated. His words debunk common Social Engineering misconceptions, juicy targets and successful results. It’s funny as legal compliance information disclosure and leaking results so often help out the attacker, especially because they usually end up not being uber-nerdy-obssessive-technical-proficient attackers…. just really motivated beings. Information acquisition is, more often than not, one Google search away! You just need to be smart in how to use it.
Other that the talks, there was a crypto-challenge – decrypting a file containing an encrypted version of the SGFja2VyJ3MgTWFuaWZlc3Rv (spoiler avoided by b64-encoding) – and two attendees signed up for lightning talks. For this, the participants won the possibility of having dinner with the speakers.
Dinner ensued at a brazilian meat restaurant “Orizon” where almost all speakers met (I missed all the other Scots who traveled to Portugal for the event!) followed by drinks at Expo’s Peter’s for wrapping up.
All in all, a good InfoSec informal meeting. I was pleased to see that some of the talks developed on ideas from previous shorter talks from “Confraria da Segurança Informática”, a monthly InfoSec meeting very much in the spirit of BSides only smaller. They have an active community there.
While testing a new service called HoneyDocs, a service that allows the creation of documents that send a call back with a unique tracking code notifying you that the document was viewed/opened, Daniel McCauley discovered his documents were being opened by Dropbox-owned Amazon EC-2 instances.
(Yes, HoneyDocs will also know when someone is accessing your documents as well 🙂 )
The issue was addressed by Andrew Bortz (Security Expert at Dropbox) on HackersNews who explained that the Dropbox team disabled the loading of external resources. This renders the method of discovering whether Dropbox is opening your files utterly useless but doesn’t prevent them (or any other third-party) from reading them.
The Dropbox team has dismissed the importance of the issue reasoning there would be a requirement to generate thumbnails of the files for user browsing. The fact is nothing keeps the cloud-based provider from accessing the stored resources.
Although not a novelty item, I feel this news hasn’t been given proper media attention or online discussion as it affects a large number of internet users. Dropbox is one of, if not, the most popular cloud-based file storage service. These users might not even fully understand the extent of the privacy and security issues.
Here at 7 Elements we have discussed the cloud-based security issue before but still feel important to keep users informed about being and staying safe online.
What can I do to protect my files?
Using verified software that encrypts your files is the only sure way of ensuring no one else has access to them in this cloud-focused world. If you want an extra layer of security, be sure to encrypt the file’s names as well and not just their contents.